-1

While checking my Veracode issues, I found this CWE 259 Use of Hard-coded Password in one of my class files. While checking that file, the 1st line of the file is responsible for this vulnerability, which is my package name. Can anyone tell me why this is occurring, or is this some flaw with Veracode scan logic?

Inside this class file there are some places where the word "password" is printed. As a precaution I tried commenting those lines and scanning it again, but the issue was thrown on the same line.

```java
package com.name.ta.etc.cse;
```
Vadim Kotov
Venkat
    *"i tried by commenting those lines and scan it again. but the issue was thrown on the same line."* Did you recompile the classes and rebuild the jars before scanning them? – Stephen C Jul 01 '19 at 14:18
  • Yes - I did. Since I'm using Eclipse, every time the recompile and rebuild will happen by default – Venkat Jul 01 '19 at 14:30
  • 2
    A class file does not contain any line number reference to a `package` declaration. If a tool reports an issue with line 1, it’s rather a sign of an unknown source code line. – Holger Jul 01 '19 at 14:41

2 Answers

2

The page for CWE 259 at MITRE specifies exactly what the vulnerability means and provides examples of it, as well as suggesting ideas for correcting or mitigating the vulnerability in your application.

Code inspection tools like Veracode or SonarQube can also flag false positives (they detect the vulnerability, but it isn't there). I had a case with Sonar flagging this issue where I had a static final variable (i.e. a constant) with the word PASSWORD in its name and Sonar thought it was the actual password, when in reality it was the key to find the password from the properties.

From your description, it might be the case here (extremely conditional, as you don't provide nearly enough code to judge). If you can refactor your code by changing the word password to any other, without changing the underlying logic or breaking incoming or outgoing authentication, then that's most likely the case here.

FrenchFigaro
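As an added example (not code from the question or from either answer), here is the pattern FrenchFigaro describes: a constant whose name contains PASSWORD but whose value is only a properties key, with the real credential loaded from externally supplied properties. The class name, property names and sample property text are assumptions made up for the illustration.

```java
import java.io.IOException;
import java.io.StringReader;
import java.util.Properties;

/**
 * Hypothetical class showing why a name-based "hard-coded password" rule
 * can fire on a constant that is not a secret at all.
 */
public class CredentialLookupDemo {

    // Likely to be flagged by a rule that keys on the identifier name,
    // yet the VALUE is just the name of a property, not a password.
    static final String DB_PASSWORD_PROPERTY = "db.password";

    // A genuine CWE-259 finding would look like this instead (kept as a
    // comment only for contrast; the value is a placeholder):
    // static final String DB_PASSWORD = "<literal-credential-here>";

    /** Reads the actual credential from properties supplied at runtime. */
    static String lookupDbPassword(Properties props) {
        String value = props.getProperty(DB_PASSWORD_PROPERTY);
        if (value == null || value.isEmpty()) {
            throw new IllegalStateException(
                "missing property " + DB_PASSWORD_PROPERTY);
        }
        return value;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample standing in for a properties file that lives
        // outside the source tree (config directory, secret store, etc.).
        Properties props = new Properties();
        props.load(new StringReader("db.user=app\ndb.password=from-config\n"));

        String secret = lookupDbPassword(props);

        // The key is safe to print; the looked-up value is the sensitive part.
        System.out.println("property key : " + DB_PASSWORD_PROPERTY);
        System.out.println("value loaded : " + (secret.isEmpty() ? "<none>" : "<redacted>"));
    }
}
```

If the scanner still flags the constant after a clean rebuild, renaming it (for example to DB_CREDENTIAL_KEY) is the refactor the answer suggests for confirming a false positive.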
0

There is no flaw in Veracode. It's scanning correctly. If it finds any keyword like "pass" or "paswd" or "password" it will raise it as a "Flaw", so you mandatorily have to remove/replace these kinds of keywords to resolve it. Remove/replace the keyword, scan your application again and check.

There is no real security concern unless you are storing the password as plain text.

Mayur Jain