SV.SENSITIVE.OBJ

This error is reported when sensitive information is stored or transmitted without encryption.

Vulnerability and risk

If your sensitive data such as passwords and social security numbers is unencrypted, an attacker could read or modify it.

Encrypting sensitive data means an attacker would need to decrypt the data before reading or modifying it.

Code examples

Vulnerable code example 1

1
2
3
4
5
6
7
8
9
10
11
    package com.company;
    import java.io.IOException;
    import java.io.OutputStream;
    public class WriteInfo {
        public void write(ObjectOutputStream oos, User user) throws IOException {
            oos.writeObject(user);
        }
        public class User {
            public int ssn = 1234;
       }
   }

In this example, the User object (which contains sensitive data) is being written to a stream. Klocwork detects a defect when the writeObject() method is called.

Fixed code example 1

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
    package com.company;
    import java.io.IOException;
    import java.io.OutputStream;
    public class WriteInfo {
        public void write(ObjectOutputStream oos, User user) throws IOException {
            oos.writeObject(user);
        }
        public static class User {
            public int encryptedSSN = encrypt(1234);
           public static int encrypt(int value) {
               int encrypted;
               // ... do encryption
               return encrypted;
           }  
       }
   }

This potential fix involves encrypting the social security number. CWE-311 recommends using naming conventions to help spot when sensitive data is being used. In this case, the variable holding the social security number starts with the word ‘encrypted’ to clearly identify that the sensitive data is encrypted. After applying this fix, Klocwork will no longer detect the previous defect relating to sensitive data.

Vulnerable code example with configurable checker

This checker is configured with a default list of sensitive data such as: dob, ssn, password. This list is meant to be configurable, rather than all-inclusive. Sensitive data can be configured using the @CheckerParam annotation in a .jkb file. Please note that the default built-in list of sensitive terms is no longer used once the user specifies a custom @CheckerParam option.

In this example, the user has domain-specific knowledge of their software and has identified that a patient’s ‘name’, ‘dob’, and ‘address’ are sensitive types of data. A .jkb file containing the following annotation has already been loaded into the project’s configuration:

Vulnerable code example 2

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
    package com.company;
    import java.io.IOException;
    import java.io.ObjectOutputStream;
    import java.io.OutputStream;
        
    public class Writer {
        public void writePatientInfo(OutputStream os, Patient patient) throws IOException
    {
            try (ObjectOutputStream oos = new ObjectOutputStream(os)) {
               oos.writeObject(patient);
           }
       }
       public static class Patient {
           public String getName() { return "John Doe"; }
           public String getDob() { return "1900-01-01"; }
           public String getAddress() { return "123 Main St., Cityville, NY 12345"; }
       }
   }

Klocwork will detect a defect when the object (‘patient’) containing sensitive data is written to the ObjectOutputStream.

Fixed code example 2

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
    package com.company;
    import javax.crypto.Cipher;
    import javax.crypto.CipherOutputStream;
    import java.io.IOException;
    import java.io.ObjectOutputStream;
    import java.io.OutputStream;
    import java.security.GeneralSecurityException;
    import java.security.Key;

   public class Writer {
       private String transformation = "AES/ECB/PKCS5Padding";
       public void writePatientInfo(OutputStream os, Patient patient, Key key)
                                       throws GeneralSecurityException, IOException {
           Cipher cipher = Cipher.getInstance(transformation);
           cipher.init(Cipher.ENCRYPT_MODE, key);
           try (CipherOutputStream cos = new CipherOutputStream(os, cipher);
                ObjectOutputStream oos = new ObjectOutputStream(cos)) {
               oos.writeObject(patient);
           }
       }
       public static class Patient {
           public String getName() { return "John Doe"; }
           public String getDob() { return "1900-01-01"; }
           public String getAddress() { return "123 Main St., Cityville, NY 12345"; }
       }
   }

A CipherOutputStream is used to encrypt the stream.

Klocwork will still detect a defect when the object (‘patient’) containing sensitive data is written to the ObjectOutputStream, but manual inspection can determine that it is a false positive since the data is being encrypted. This defect can now be ignored.

Related checkers

• SV.SENSITIVE.DATA

External guidance

• CERT MSC03-J: Never hard code sensitive information
• CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
• CWE-311: Missing Encryption of Sensitive Data
• OWASP A3:2017 Sensitive Data Exposure
• OWASP A1:2021 Broken Access Control
• OWASP A4:2021 Insecure Design

Security training

Application security training materials provided by Secure Code Warrior.

• Sensitive Data Exposure Training Video - Test your skills with a training example
• Plaintext Storage Of Sensitive Data Training Video - Test your skills with a training example

Extension

This checker can be tuned to look for sensitive values using @CheckerParam and @Check options in a .jkb file. If you tune this checker to add any custom sensitive values, the defaults are no longer used; if you want to include them as well, you can re-add them to your .jkb file along with the custom values. See Tuning Java analysis for more information.

Default sensitive values

The sensitive values used by default are: dob, ssn, pin, password, password_buffer, pwd, pwd_buffer, pwdbuf, passwd.