Explanation

This rule detects whether a service call has a username or password parameter defined. These fields are stored unencrypted and may therefore expose credentials. Using the username and password fields is only recommended for test purposes. The rule checks service calls of the following types:

  • AQ_RestServiceClient
  • AQ_SoapServiceClient
  • AQ_MailService
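The check described above, as an added illustration (not Blueriq's own rule implementation): it walks a constructed, hypothetical in-memory representation of service calls and reports a hotspot for every checked service type whose credential parameter has a value. The parameter names and the `ServiceCall` structure are assumptions.

```python
from dataclasses import dataclass, field

# Service call types the rule inspects (from the rule description).
CHECKED_TYPES = {"AQ_RestServiceClient", "AQ_SoapServiceClient", "AQ_MailService"}

# Parameter names treated as credentials. Assumption: the generic names plus the
# mail service names mentioned on the page; a real model may use other keys.
CREDENTIAL_PARAMS = {"username", "password", "smtp-user", "smtp-password"}


@dataclass
class ServiceCall:
    """Hypothetical representation of a service call in the model."""
    name: str
    service_type: str
    parameters: dict = field(default_factory=dict)


def find_credential_hotspots(calls):
    """Return (call name, parameter name) pairs that should be reported.

    A parameter counts as 'defined' only when it carries a non-empty value;
    an empty value means the credential was moved out of the model, which is
    the recommended setup (encrypted values in application.properties).
    """
    hotspots = []
    for call in calls:
        if call.service_type not in CHECKED_TYPES:
            continue
        for pname, value in call.parameters.items():
            if pname.lower() in CREDENTIAL_PARAMS and value not in (None, ""):
                hotspots.append((call.name, pname))
    return hotspots


# Constructed sample model: one mail call with example credentials (flagged),
# one REST call whose credentials are left empty (not flagged), and one call of
# a type the rule does not check.
SAMPLE_CALLS = [
    ServiceCall("SendMail", "AQ_MailService",
                {"smtp-host": "mail.example", "smtp-user": "demo", "smtp-password": "demo"}),
    ServiceCall("LookupCustomer", "AQ_RestServiceClient",
                {"url": "https://api.example/customers", "username": "", "password": ""}),
    ServiceCall("LocalRule", "AQ_CustomService", {"password": "irrelevant"}),
]

if __name__ == "__main__":
    for call_name, param in find_credential_hotspots(SAMPLE_CALLS):
        print(f"Security hotspot: {call_name} defines parameter '{param}'")
```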

Possible improvements

Use encrypted values in the connection configuration in the application.properties file. See:

  • My Blueriq - Security Encrypting connection passwords
  • My Blueriq - Connections Properties

Example

For this Mail service call, the authorization parameters smtp-user and smtp-password have example values defined.

This results in the following security hotspot: