How to resolve CWE-259: Use of Hard-coded Password?


The reason you are getting the hard-coded password flaw is that in line three of your snippet you are hard-coding your password in a variable. You are storing sensitive information (username and password) in the source code, which is a flaw because your source can be decompiled.

One way to fix this flaw is to store the credentials in a strongly encrypted file, or apply strong one-way hashes to the credentials and store those hashes in a configuration file.

You can get more information here: http://cwe.mitre.org/data/definitions/259.html
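The following class shows one way of applying the "keep the credentials out of the source" advice above to the JDBC code in the question. It is an added example, not code from the answer's author or from Veracode: it reads the URL, user and password from environment variables, or from a properties file outside the deployed EAR, and refuses to start when they are missing. The variable names `DB_URL`, `DB_USER`, `DB_PASSWORD`, `DB_CONFIG_FILE` and the property keys `db.url`, `db.user`, `db.password` are conventions assumed for this example only.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.PosixFilePermission;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.util.Properties;
import java.util.Set;

/**
 * Supplies JDBC credentials without any secret literal in the source.
 * Resolution order (an assumption of this example, not a JDBC convention):
 *   1. environment variables DB_URL, DB_USER and DB_PASSWORD;
 *   2. otherwise a properties file named by DB_CONFIG_FILE, deployed outside
 *      the EAR with owner-only permissions, holding db.url, db.user, db.password.
 * A missing value is a hard error: there is deliberately no built-in default,
 * because a default would be exactly the hard-coded credential CWE-259 describes.
 */
public final class DbCredentials {
    private final String url;
    private final Properties connectionInfo = new Properties();

    private DbCredentials(String url, String user, String password) {
        this.url = url;
        // DriverManager reads the standard "user" and "password" keys from this object.
        connectionInfo.setProperty("user", user);
        connectionInfo.setProperty("password", password);
    }

    public static DbCredentials load() throws IOException {
        String url = System.getenv("DB_URL");
        String user = System.getenv("DB_USER");
        String password = System.getenv("DB_PASSWORD");
        if (url != null && user != null && password != null) {
            return new DbCredentials(url, user, password);
        }
        String configFile = System.getenv("DB_CONFIG_FILE");
        if (configFile == null) {
            throw new IllegalStateException(
                "database credentials not configured: set DB_URL/DB_USER/DB_PASSWORD or DB_CONFIG_FILE");
        }
        Path path = Paths.get(configFile);
        rejectIfSharedReadable(path);
        Properties p = new Properties();
        try (InputStream in = Files.newInputStream(path)) {
            p.load(in);
        }
        return new DbCredentials(
            require(p, "db.url"), require(p, "db.user"), require(p, "db.password"));
    }

    /** Refuses a credentials file that group or other users on the host could read. */
    private static void rejectIfSharedReadable(Path path) throws IOException {
        Set<PosixFilePermission> perms;
        try {
            perms = Files.getPosixFilePermissions(path);
        } catch (UnsupportedOperationException e) {
            return; // non-POSIX file system (e.g. Windows): rely on its ACLs instead
        }
        if (perms.contains(PosixFilePermission.GROUP_READ)
                || perms.contains(PosixFilePermission.OTHERS_READ)) {
            throw new IOException(path + " is readable by other users; restrict it to the owner (chmod 600)");
        }
    }

    private static String require(Properties p, String key) {
        String v = p.getProperty(key);
        if (v == null || v.isEmpty()) {
            throw new IllegalStateException("missing " + key + " in credentials file");
        }
        return v;
    }

    /** Opens a connection; the password never exists as a literal in this class file. */
    public Connection open() throws SQLException {
        return DriverManager.getConnection(url, connectionInfo);
    }
}
```

Usage is `Connection c = DbCredentials.load().open();` in place of the original `DriverManager.getConnection(url, user, password)` call. To confirm the fix on the compiled artifact rather than the source, run `javap -v DbCredentials.class` and check that the constant pool no longer contains the password string; with the original class the literal `"abc"` is visible there, which is the decompilation risk the answer refers to.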

Author: user1782009

Updated on June 11, 2022

Comments

  • user1782009 (about 2 years ago)

    I submitted my application EAR to the Veracode security scanning tool and got this flaw in the piece of code below:

    private String url = "jdbc:mysql://localhost:8081/sql";
    private String userName = "xyz";
    private String password = "abc"; // credentials stored as literals in the source
    DriverManager.getConnection(url, userName, password); // At this line I am getting this flaw.

    Someone please help me on how to resolve CWE-259: Use of Hard-coded Password Flaw.