[ https://issues.apache.org/jira/browse/CASSANDRA-12298?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jason Brown reassigned CASSANDRA-12298:
---------------------------------------

    Assignee:     (was: Jason Brown)

> Privacy Violation - Heap Inspection
> -----------------------------------
>
>                 Key: CASSANDRA-12298
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-12298
>             Project: Cassandra
>          Issue Type: Sub-task
>            Reporter: Eduardo Aguinaga
>            Priority: Major
>
> Overview:
> In May through June of 2016 a static analysis was performed on version 3.0.5
> of the Cassandra source code. The analysis included an automated analysis
> using HP Fortify v4.21 SCA and a manual analysis utilizing SciTools
> Understand v4. The results of that analysis include the issue below.
>
> Issue:
> In the file RoleOptions.java on line 89 a string object is used to store
> sensitive data. String objects are immutable and should not be used to store
> sensitive data. Sensitive data should be stored in char or byte arrays and
> the contents of those arrays should be cleared ASAP. Operations performed on
> string objects will require that the original object be copied and the
> operation be applied in the new copy of the string object. This results in
> the likelihood that multiple copies of sensitive data will be present in the
> heap until garbage collection takes place.
>
> The snippet below shows the issue on line 89:
>
> RoleOptions.java, lines 87-90:
> {code:java}
> 87     public Optional<String> getPassword()
> 88     {
> 89         return Optional.fromNullable((String)options.get(IRoleManager.Option.PASSWORD));
> 90     }
> {code}

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
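The ticket's recommendation (keep secrets in a char or byte array and clear it as soon as it has been used) is illustrated below with an added, stand-alone example written for this note. It is not Cassandra code and not part of the ticket: the class name `SecretHandling`, the helpers `toUtf8`, `digest` and `matches`, and the sample password values are all constructed for the demo, and SHA-256 stands in for a real password hash only so the example needs no extra dependency.

```java
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;

/**
 * Added example, not Cassandra code: keeps a secret in a char[] so it can be
 * overwritten as soon as it has been used, instead of leaving immutable
 * String copies on the heap until garbage collection runs.
 */
public final class SecretHandling {

    /** Encodes chars as UTF-8 without materialising a String, then wipes the encoder's scratch copy. */
    static byte[] toUtf8(char[] chars) {
        ByteBuffer buf = StandardCharsets.UTF_8.encode(CharBuffer.wrap(chars));
        byte[] bytes = new byte[buf.remaining()];
        buf.get(bytes);
        if (buf.hasArray()) {
            Arrays.fill(buf.array(), (byte) 0); // the encoder's own copy of the secret
        }
        return bytes;
    }

    /**
     * Derives a digest of the secret and wipes every intermediate byte[] it created.
     * SHA-256 is a stand-in here; a real password store would use a slow, salted hash.
     */
    static byte[] digest(char[] secret) throws NoSuchAlgorithmException {
        byte[] bytes = toUtf8(secret);
        try {
            return MessageDigest.getInstance("SHA-256").digest(bytes);
        } finally {
            Arrays.fill(bytes, (byte) 0);
        }
    }

    /** Compares two secrets held as char arrays in constant time, wiping the temporary encodings. */
    static boolean matches(char[] a, char[] b) {
        byte[] ab = toUtf8(a);
        byte[] bb = toUtf8(b);
        try {
            return MessageDigest.isEqual(ab, bb); // timing does not depend on where the first mismatch is
        } finally {
            Arrays.fill(ab, (byte) 0);
            Arrays.fill(bb, (byte) 0);
        }
    }

    /** Returns true when every element of the array has been overwritten with NUL. */
    static boolean isWiped(char[] chars) {
        for (char c : chars) {
            if (c != '\0') return false;
        }
        return true;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input. A real client would obtain the chars from
        // System.console().readPassword(), which already returns a char[]; the
        // String literal used here only seeds the demo and is itself unwipeable.
        char[] password = "s3cr3t-demo-value".toCharArray();
        char[] attempt = "s3cr3t-demo-value".toCharArray();
        try {
            byte[] hash = digest(password);
            System.out.printf("digest:  %064x%n", new java.math.BigInteger(1, hash));
            System.out.println("matches: " + matches(password, attempt));
        } finally {
            Arrays.fill(password, '\0'); // overwrite the moment the secret is no longer needed
            Arrays.fill(attempt, '\0');
        }
        System.out.println("wiped:   " + isWiped(password));
    }
}
```

Two points for anyone applying this pattern: zeroing the array is best effort, because a copying garbage collector may already have relocated the object and left a stale copy behind that `Arrays.fill` cannot reach, so the measure narrows the exposure window rather than guaranteeing the secret is gone from a heap dump; and the benefit is lost the moment the chars are turned back into a `String` (for logging, concatenation or a map lookup), which is why the helpers above encode and compare directly on arrays.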