SV.PASSWD.HC.EMPTY

This error occurs when an empty string reaches a method that accepts passwords or a method which performs encryption.

Vulnerability and risk

An empty password is an easy way to attack the system.

Klocwork security vulnerability (SV) checkers identify calls that create potentially dangerous data; these calls are considered unsafe sources. An unsafe source can be any data provided by the user, since the user could be an attacker or has the potential for introducing human error.

Mitigation and prevention

Do not use empty passwords, especially hardcoded ones.

Example 1

13
14
15
16
17
18
     public static void main(String[] args) throws SQLException {
         Properties info = new Properties();
         info.setProperty("user", "root");
         info.setProperty("password", "");
         DriverManager.getConnection("jdbc:mysql://localhost:3307", info);
     }

SV.PASSWD.HC.EMPTY is reported for line 16: empty string is used as a password: leaving an empty password in an application is a major security risk.

External guidance

• CERT MSC03-J: Never hard code sensitive information
• CWE-259: Use of Hard-coded Password
• OWASP A3:2017 Sensitive Data Exposure
• OWASP A7:2021 Identification and Authentication Failures
• STIG-ID:APP3320.1 Password Complexity and Maintenance
• STIG-ID:APP3350 Authentication Credentials Protection

Security training

Application security training materials provided by Secure Code Warrior.

• Insufficiently Protected Credentials Training Video - Test your skills with a training example

Extension

This checker can be extended through the Klocwork knowledge base. See Tuning Java analysis for more information.