HARDCODED.AUTH : Hardcoded Authentication

JavaScript is not currently enabled, but is required for full CodeSonar manual search and browse functionality.

If you are viewing this file in your hub's Web GUI, enable JavaScript in your browser: you will also need it for GUI functionality.

If you opened this file directly from disk, your browser may be directly suppressing JavaScript functionality: certain browsers perform this suppression on local files (but not files delivered by web servers) for security reasons.

If you access the manual through the hub's Web GUI, the functionality will not be suppressed because the hub is a web server.
Alternatively, your browser may allow you to explicitly disable the security setting that suppresses functionality. See the CodeSonar FAQ for more information.

A function that should have an authentication string passed in a particular argument position has been passed a hardcoded string.

Class Name

Hardcoded Authentication

Significance

security

Mnemonic

HARDCODED.AUTH

Categories

CWE	CWE:259	Use of Hard-coded Password
	CWE:318	Cleartext Storage of Sensitive Information in Executable
	CWE:540	Inclusion of Sensitive Information in Source Code
	CWE:547	Use of Hard-coded, Security-relevant Constants
	CWE:798	Use of Hard-coded Credentials
CERT-C	CERT-C:MSC18-C	Be careful while handling sensitive data, such as passwords, in program code
	CERT-C:MSC41-C	Never hard code sensitive information
DISA-6r1	DISA-6r1:V-222642	The application must not contain embedded authentication data.
DISA-5r3	DISA-5r3:V-70363	The application must not contain embedded authentication data.
DISA-4r3	DISA-4r3:V-70363	The application must not contain embedded authentication data.
DISA-3r10	DISA-3r10:V-6156	The designer will ensure the application does not contain embedded authentication data.
OWASP-2017	OWASP-2017:A5	Broken access control
	OWASP-2017:A6	Security misconfiguration
OWASP-2021	OWASP-2021:A1	Broken access control
	OWASP-2021:A5	Security misconfiguration
	OWASP-2021:A7	Identification and authorization failures

Availability

Available for C and C++.

Enabling

Checks for this warning class are enabled by default. To disable them, add the following WARNING_FILTER rule to the project configuration file.

WARNING_FILTER += discard class="Hardcoded Authentication"

#include <stdlib.h>
#include <stdio.h>
#include <windows.h>
#include <sqltypes.h>
#include <sqlext.h>
#include <sys/socket.h>

void setup_connection_hc(SQLCHAR *server_name, FILE *nmpasswd )
{
   HENV henv; 
   HDBC hdbc; 
   HSTMT hstmt;

   SQLAllocEnv(&henv);
   if( SQLAllocConnect(henv, &hdbc) == SQL_SUCCESS )
       (void)SQLConnectA(hdbc, /* Hardcoded Authentication warning issued here */
                         server_name, SQL_NTS, 
                         "alex",  SQL_NTS, 
                         "hunter2", SQL_NTS);
   // ...
   exit(0);
}

This class is defined using HARDCODED_ARGS_* rules in the general template configuration file, and covers many common procedures that take authentication parameters. For a full list, see the "Factory Settings" in the documentation for HARDCODED_ARGS_*.

To include an additional function or set of functions in the checks for this class, create a new set of HARDCODED_ARGS_* rules, where:

HARDCODED_ARGS_REGEX matches the function or set of functions you want to check.
HARDCODED_ARGS_LIST identifies the parameter position (or positions) that contains an authentication value that should not be hardcoded.
HARDCODED_ARGS_CLASS_NAME = Hardcoded Authentication
HARDCODED_ARGS_CATEGORIES and HARDCODED_ARGS_BASE_RANK have the same settings as in the existing Hardcoded Authentication rules.

To remove a function or set of functions from the checks for this class, edit the configuration file to comment out the corresponding set of HARDCODED_ARGS_* rules.

The following configuration file parameters affect checks for this warning class.

HARDCODED.AUTH : Hardcoded Authentication

Summary

Properties

Example

Notes

Relevant Configuration File Parameters