[ https://issues.apache.org/jira/browse/CASSANDRA-12299?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jonathan Ellis updated CASSANDRA-12299:
---------------------------------------
    Issue Type: Sub-task  (was: Bug)
        Parent: CASSANDRA-12334

> Privacy Violation - Heap Inspection
> -----------------------------------
>
>                 Key: CASSANDRA-12299
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-12299
>             Project: Cassandra
>          Issue Type: Sub-task
>            Reporter: Eduardo Aguinaga
>
> Overview:
> In May through June of 2016 a static analysis was performed on version 3.0.5 of the Cassandra source code. The analysis included an automated analysis using HP Fortify v4.21 SCA and a manual analysis utilizing SciTools Understand v4. The results of that analysis include the issue below.
>
> Issue:
> In the file CqlConfigHelper.java on lines 508, 533, 534 and 592 a string object is used to store sensitive data. String objects are immutable and should not be used to store sensitive data. Sensitive data should be stored in char or byte arrays and the contents of those arrays should be cleared ASAP. Operations performed on string objects will require that the original object be copied and the operation be applied in the new copy of the string object. This results in the likelihood that multiple copies of sensitive data will be present in the heap until garbage collection takes place.
>
> The snippet below shows the issue on line 508:
>
> CqlConfigHelper.java, lines 505-518:
> {code:java}
> 505    private static Optional<AuthProvider> getDefaultAuthProvider(Configuration conf)
> 506    {
> 507        Optional<String> username = getStringSetting(USERNAME, conf);
> 508        Optional<String> password = getStringSetting(PASSWORD, conf);
> 509
> 510        if (username.isPresent() && password.isPresent())
> 511        {
> 512            return Optional.of(new PlainTextAuthProvider(username.get(), password.get()));
> 513        }
> 514        else
> 515        {
> 516            return Optional.absent();
> 517        }
> 518    }
> {code}

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
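The char[] handling the finding asks for, as an added illustration that is not Cassandra's or the driver's code: the secret is copied into an array the caller owns, consumed by a hypothetical consumer that accepts char[] rather than String, and zeroed in a finally block so it is cleared on every path. The class and method names are assumptions for this example; the caveat in the comments matters for the call site above, where PlainTextAuthProvider takes Strings, so the pattern only helps once every consumer of the secret accepts arrays.

```java
import java.util.Arrays;

// Added illustration, not Cassandra or driver code: the char[] handling the
// finding asks for, at a boundary that accepts a char[] rather than a String.
public final class SecretHandling {

    // Hypothetical consumer that takes the secret as char[] and never builds a
    // String from it, so the only copy is the one the caller can zero.
    static boolean credentialsMatch(char[] expected, char[] supplied) {
        if (expected == null || supplied == null) return false;
        // Compare every character rather than returning on the first mismatch.
        int diff = expected.length ^ supplied.length;
        for (int i = 0; i < Math.min(expected.length, supplied.length); i++) {
            diff |= expected[i] ^ supplied[i];
        }
        return diff == 0;
    }

    // Hypothetical replacement for a String-returning setting lookup: the value
    // is copied into a char[] the caller owns and must clear. If the source
    // (e.g. a configuration object) already holds the secret as a String, that
    // copy stays on the heap until collected; char[] only removes the extra
    // copies once the secret is read directly into an array and each consumer
    // accepts arrays, which the PlainTextAuthProvider call above does not.
    static char[] copyToCharArray(CharSequence value) {
        if (value == null) return null;
        char[] out = new char[value.length()];
        for (int i = 0; i < out.length; i++) out[i] = value.charAt(i);
        return out;
    }

    // Use the secret inside try/finally so it is cleared on every path, as the
    // finding recommends ("cleared ASAP"), including when the consumer throws.
    static boolean checkAndWipe(CharSequence configured, CharSequence supplied) {
        char[] a = copyToCharArray(configured);
        char[] b = copyToCharArray(supplied);
        try {
            return credentialsMatch(a, b);
        } finally {
            if (a != null) Arrays.fill(a, '\0');
            if (b != null) Arrays.fill(b, '\0');
        }
    }

    public static void main(String[] args) {
        // Constructed sample values, not real credentials.
        System.out.println(checkAndWipe("s3cret-sample", "s3cret-sample"));
        System.out.println(checkAndWipe("s3cret-sample", "wrong"));
    }
}
```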