
On scanning code using Checkmarx for security vulnerabilities, a privacy violation issue was reported pointing to a variable name.

public const string Authentication = "authentication";

I am using this variable to create a region in the cache by this name ("authentication") which stores all the authentication-related details.

Is it right to change this variable name to some less meaningful name in order to fix the privacy violation issue? How is this a security threat?

user3820128
  • I used this setter method in my Java code as below: public void setUsername(String username) { this.username = username; } But I am facing a privacy violation vulnerability in the Checkmarx server like this: "sends user information outside the application. This may constitute a Privacy Violation" – Devendra Singraul Apr 21 '20 at 13:20

2 Answers

Checkmarx is looking for variables with names like 'password', 'credentials', 'Authentication' etc., and when it sees that you are assigning them a value, it warns you that you might be storing sensitive information in the code (hardcoding it). In the case that you mentioned, it looks like a false positive because this is not sensitive information.

Jens Schauder
Amit
    Although storing authentication details in a cache might itself be a vulnerability, especially when it is a distributed cache, of course we can't tell. – Jens Schauder Aug 01 '16 at 09:34
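A constructed illustration of the kind of name-based rule the answer describes, added here and not taken from the original post or from Checkmarx: it flags string literals assigned to sensitively named variables over a few constructed C# lines, then applies a triage heuristic (an assumption, not a scanner feature) that separates a label such as a cache region name from a genuinely hardcoded secret.

```python
import re

# Constructed sample C# lines (not from the original post), one per string.
SAMPLES = [
    'public const string Authentication = "authentication";',          # cache region name
    'string password = "Sup3rS3cret!";',                                 # real hardcoded secret
    'var credentials = Environment.GetEnvironmentVariable("DB_CRED");',  # no literal assigned
    'int retries = 3;',                                                  # unrelated
]

# Simplified model of a name-based "sensitive data" rule: a variable whose name
# contains one of these words is assigned a string literal. This is an assumption
# about how such scanners behave, not Checkmarx's actual rule set.
SENSITIVE_NAMES = ("password", "passwd", "secret", "credential", "authentication", "token")
ASSIGN_LITERAL = re.compile(r'\b(\w+)\s*=\s*"([^"]*)"')


def flag_sensitive_assignments(lines):
    """Return (name, literal) for every string literal assigned to a sensitively
    named variable, i.e. what the naive rule would report."""
    hits = []
    for line in lines:
        for name, literal in ASSIGN_LITERAL.findall(line):
            if any(word in name.lower() for word in SENSITIVE_NAMES):
                hits.append((name, literal))
    return hits


def looks_like_label(name, literal):
    """Triage heuristic (an assumption): a literal that is just the variable's own
    name, made only of letters, is a label or key (like a cache region name),
    not a credential."""
    return literal.lower() == name.lower() and literal.isalpha()


def triage(lines):
    """Split raw findings into likely true positives and likely false positives."""
    true_pos, false_pos = [], []
    for name, literal in flag_sensitive_assignments(lines):
        (false_pos if looks_like_label(name, literal) else true_pos).append(name)
    return true_pos, false_pos


if __name__ == "__main__":
    tp, fp = triage(SAMPLES)
    print("likely hardcoded secrets:", tp)   # ['password']
    print("likely false positives:", fp)     # ['Authentication']
```

The region-name constant trips the naive rule exactly as in the question, while the environment-variable lookup does not, which is why renaming the constant is cosmetic and marking the finding not exploitable is the honest fix.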

It's probably a false positive. You should see what the privacy violation rule looks for, and understand how it works...

You can also mark it as a false positive and move on... Change its status to "not exploitable".

bkl