Explanation
This rule detects whether a service call or REST service has a username and password parameter defined in the model. Having authorization parameters defined in the model may result in unexpected behavior, because the credentials then travel with the model and are the same in every environment. Using the username and password parameters is recommended only for test purposes. The rule checks service calls of the following types:
- AQ_RestServiceClient
- AQ_SoapServiceClient
- AQ_MailService
Possible improvements
Configure the connection in the application.properties file only, and leave the authorization parameters in the model empty. This makes it possible to set the authorization parameters per environment instead of fixing them in the model.
See: https://my.blueriq.com/display/DOC/Connections+Properties
Example
For this Mail service call, the authorization parameters smtp-user and smtp-password have example values filled in.
This results in the following security hotspot:
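The check described above, re-implemented as an added stand-alone example (not Blueriq's own Sonar rule): it runs over a constructed, hypothetical list of service-call definitions, since the real model format is not shown on this page; the service-call types and the smtp-user/smtp-password names come from the rule description, and treating username/password as the REST and SOAP parameter names is an assumption.

```python
from typing import Dict, List

# Service-call types the rule looks at (from the rule description)
CHECKED_TYPES = {"AQ_RestServiceClient", "AQ_SoapServiceClient", "AQ_MailService"}

# Parameter names treated as authorization parameters. Assumption: the mail
# service uses smtp-user/smtp-password (as in the page's example), the REST and
# SOAP clients use username/password.
CREDENTIAL_PARAMS = {"username", "password", "smtp-user", "smtp-password"}


def find_credential_hotspots(service_calls: List[Dict]) -> List[Dict]:
    """Return one finding per checked service call whose model defines a
    non-empty authorization parameter. Empty parameters are fine: they mean
    the value comes from application.properties instead of the model."""
    findings = []
    for call in service_calls:
        if call.get("type") not in CHECKED_TYPES:
            continue
        params = call.get("parameters", {})
        leaked = sorted(
            name for name, value in params.items()
            if name.lower() in CREDENTIAL_PARAMS and value not in (None, "")
        )
        if leaked:
            findings.append({"name": call["name"], "type": call["type"], "parameters": leaked})
    return findings


# Constructed sample model (hypothetical representation, not a Blueriq export):
# two hotspots, one correctly configured call, one type the rule ignores.
SAMPLE_MODEL = [
    {"name": "SendConfirmationMail", "type": "AQ_MailService",
     "parameters": {"smtp-user": "mailer", "smtp-password": "example-secret"}},
    {"name": "CustomerLookup", "type": "AQ_RestServiceClient",
     "parameters": {"username": "svc", "password": "example-secret"}},
    # Correct: credentials live in application.properties, so the model leaves them empty
    {"name": "AddressLookup", "type": "AQ_SoapServiceClient",
     "parameters": {"username": "", "password": ""}},
    {"name": "LocalCalc", "type": "AQ_SomeOtherService",
     "parameters": {"username": "x", "password": "y"}},
]

if __name__ == "__main__":
    for f in find_credential_hotspots(SAMPLE_MODEL):
        print(f"Security hotspot: {f['type']} '{f['name']}' defines "
              f"{', '.join(f['parameters'])} in the model")
```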