SQ34302
Detected presence of plaintext credentials within network protocol strings.
priority | CI/CD status | severity | effort | RL level | RL assessment |
---|---|---|---|---|---|
pass | medium | medium | None | secrets: warning Reason: web service credentials found |
About the issueโ
Various network communication protocols allow including plaintext authentication credentials. Information such as user names and passwords could be passed through a non-encrypted channel, and therefore intercepted by malicious actors. Credentials are considered secrets, and should be kept encrypted until they are used. This policy control matches the following URI pattern protocol://username:password@domain within any software package component. It doesn't eliminate matches for placeholder credential values.
How to resolve the issueโ
- Review the reported matches. If the warning refers to a placeholder credential value, it can be safely ignored.
Incidence statisticsโ
ReversingLabs periodically collects and analyzes the contents of popular software package repositories for threat research purposes.
For every repository, the chart shows the percentage of projects that triggered the software assurance policy. In other words, it shows how many projects were found to have the specific issue described on this page.
The percentages are calculated from the total amount of packages analyzed:
- RubyGems: 174K
- Nuget: 189K
- PyPi: 403K
- NPM: 2.1M
Recommended readingโ
- URI (External resource - NIST)
- Communication protocol (External resource - Wikipedia)