HARDCODED.KEY : Hardcoded Crypto Key

JavaScript is not currently enabled, but is required for full CodeSonar manual search and browse functionality.

If you are viewing this file in your hub's Web GUI, enable JavaScript in your browser: you will also need it for GUI functionality.

If you opened this file directly from disk, your browser may be directly suppressing JavaScript functionality: certain browsers perform this suppression on local files (but not files delivered by web servers) for security reasons.

If you access the manual through the hub's Web GUI, the functionality will not be suppressed because the hub is a web server.
Alternatively, your browser may allow you to explicitly disable the security setting that suppresses functionality. See the CodeSonar FAQ for more information.

A function that should have a cryptographic key passed in a particular argument position has been passed a hardcoded value.

Class Name

Hardcoded Crypto Key

Significance

security

Mnemonic

HARDCODED.KEY

Categories

CWE	CWE:318	Cleartext Storage of Sensitive Information in Executable
	CWE:321	Use of Hard-coded Cryptographic Key
	CWE:540	Inclusion of Sensitive Information in Source Code
	CWE:547	Use of Hard-coded, Security-relevant Constants
	CWE:798	Use of Hard-coded Credentials
CERT-C	CERT-C:MSC18-C	Be careful while handling sensitive data, such as passwords, in program code
	CERT-C:MSC41-C	Never hard code sensitive information
OWASP-2017	OWASP-2017:A5	Broken access control
	OWASP-2017:A6	Security misconfiguration
OWASP-2021	OWASP-2021:A1	Broken access control
	OWASP-2021:A5	Security misconfiguration
	OWASP-2021:A7	Identification and authorization failures

Availability

Available for C and C++.

Enabling

Checks for this warning class are enabled by default. To disable them, add the following WARNING_FILTER rule to the project configuration file.

WARNING_FILTER += discard class="Hardcoded Crypto Key"

#include <crypt.h>

void hardcoded_key(const char *p, const char *q){
    crypt("password", q); /* 'Hardcoded Crypto Key' warning issued here
                           * ('Use of crypt' warning also issued)
                           */
    crypt(p, q);                       /* ok: not hardcoded */
                          /* ('Use of crypt' warning issued here) */
}

This class is defined using HARDCODED_ARGS_* rules in the general template configuration file, and covers many common procedures that take cryptographic key parameters. For a full list, see the "Factory Settings" in the documentation for HARDCODED_ARGS_*.

To include an additional function or set of functions in the checks for this class, create a new set of HARDCODED_ARGS_* rules, where:

HARDCODED_ARGS_REGEX matches the function or set of functions you want to check.
HARDCODED_ARGS_LIST identifies the parameter position (or positions) that contains an cryptographic key value that should not be hardcoded.
HARDCODED_ARGS_CLASS_NAME = Hardcoded Crypto Key
HARDCODED_ARGS_CATEGORIES and HARDCODED_ARGS_BASE_RANK have the same settings as in the existing Hardcoded Crypto Key rules.

To remove a function or set of functions from the checks for this class, edit the configuration file to comment out the corresponding set of HARDCODED_ARGS_* rules.

The following configuration file parameters affect checks for this warning class.

HARDCODED.KEY : Hardcoded Crypto Key

Summary

Properties

Example

Notes

Relevant Configuration File Parameters