Skip to content

SKILL.md

Latest commit

 

History

History
187 lines (105 loc) · 3.39 KB

SKILL.md

File metadata and controls

187 lines (105 loc) · 3.39 KB
name cwe-259-hardcoded-password
description Use this skill when you need to remediate CWE-259 (Hardcoded Password) vulnerabilities in Java code. Triggers on SAST findings, security reviews, or when fixing hardcoded password issues.
version 1.0.0
license MIT
tags
security
java
cwe-259
remediation
sast

CWE-259 Hardcoded Password

Description

Hardcoded Password

Reference: https://cwe.mitre.org/data/definitions/259.html

OWASP Category: A07:2021 – Identification and Authentication Failures

Vulnerable Pattern

❌ Example 1: Vulnerable Pattern

// VULNERABLE: Hardcoded password in source code
private static final String DB_PASSWORD = "secretPassword123";

Connection conn = DriverManager.getConnection(
    "jdbc:mysql://localhost/db", "admin", "hardcodedPassword");

Why it's vulnerable: This pattern is vulnerable to Hardcoded Password

Deterministic Fix

✅ Secure Implementation: Secure Implementation

// SECURE: Use environment variables or secret manager
private String getDbPassword() {
    // Option 1: Environment variable
    String password = System.getenv("DB_PASSWORD");
    if (password == null) {
        throw new IllegalStateException("DB_PASSWORD not configured");
    }
    return password;
}

// Option 2: Spring @Value with externalized config
@Value("${database.password}")
private String dbPassword;

// Option 3: Secret manager (e.g., HashiCorp Vault, AWS Secrets Manager)
@Autowired
private VaultTemplate vaultTemplate;

public String getSecret(String path) {
    VaultResponse response = vaultTemplate.read("secret/data/" + path);
    return (String) response.getData().get("password");
}

Why it's secure: Implements proper protection against Hardcoded Password

Detection Pattern

Look for these patterns in your codebase:

# Find hardcoded password patterns
grep -rn "password.*=.*\"" --include="*.java" | grep -v "getParameter"
# Find connection strings with credentials
grep -rn "jdbc:.*:.*@" --include="*.java"

Remediation Steps

  1. Remove all hardcoded credentials from source code

  2. Use environment variables for local development

  3. Integrate with secret management systems (Vault, AWS SM)

  4. Use Spring's @Value with externalized configuration

  5. Rotate credentials after removing from code

Key Imports

import org.springframework.beans.factory.annotation.Value;

import org.springframework.vault.core.VaultTemplate;

Verification

After remediation:

  • Run SAST scanner to confirm vulnerability is resolved

  • Review all instances of the vulnerable pattern

  • Add unit tests that verify the secure implementation

  • Check for similar patterns in related code

Trigger Examples

Fix CWE-259 vulnerability
Resolve Hardcoded Password issue
Secure this Java code against hardcoded password
SAST reports CWE-259

Common Vulnerable Locations

Layer Files Patterns

| Controller | *Controller.java | User input handling |

| Service | *Service.java | Business logic |

| Repository | *Repository.java | Data access |

References

Source: Generated by Java CWE Security Skills Generator Last Updated: 2026-03-07