SQ34301
Detected presence of placeholder credentials within network protocol strings.
| priority | CI/CD status | severity | effort | RL level | RL assessment |
|---|---|---|---|---|---|
| None | pass | low | low | None | None |
About the issueโ
Various network communication protocols allow including plaintext authentication credentials. This policy control matches the following URI pattern protocol://username:password@domain within any software package component. Some matched network credentials may refer to placeholder values that get programmatically filled during runtime as the software executes. Placeholder values are considered safe and are purposefully suppressed as informational warnings. The list of allowed placeholder values can be declared through policy configuration and other related settings.
How to resolve the issueโ
- Review the reported matches.
- If the warning does not refer to a placeholder value revoke the exposed credentials and file a security incident.
Incidence statisticsโ
ReversingLabs periodically collects and analyzes the contents of popular software package repositories for threat research purposes.
For every repository, the chart shows the percentage of projects that triggered the software assurance policy. In other words, it shows how many projects were found to have the specific issue described on this page.
The percentages are calculated from the total amount of packages analyzed:
- RubyGems: 174K
- Nuget: 189K
- PyPi: 403K
- NPM: 2.1M
Recommended readingโ
- URI (External resource - NIST)
- Communication protocol (External resource - Wikipedia)