Secrets not detected in jdbc connection strings
Problem to solve
Our Secrets Analyzer currently don't detect passwords in JDBC connection strings.
Intended users
- Delaney (Development Team Lead)
- Sasha (Software Developer)
- Devon (DevOps Engineer)
- Sidney (Systems Administrator)
- Sam (Security Analyst)
Further details
Strings like java.sql.Connection con = DriverManager.getConnection("jdbc:mysql://127.0.0.1:3306/test","username","secretPassword");
are not detected by our secrets analyzer, even if there a password in clear text in there.
Proposal
Add new rules to detect passwords being passed in clear text in these strings.
Permissions and Security
N/A
Documentation
Double check https://gitlab.com/gitlab-org/security-products/analyzers/secrets#updating-the-underlying-scanners
Availability & Testing
Add test case in secrets.
What does success look like, and how can we measure that?
JDBC Strings with passwords are reported by the Secrets Analyzer.
What is the type of buyer?
Links / references
- As an option, this includes a regex to find JDBC connection credentials.
/cc @tmccaslin