cklin
diff --git a/‎java/ql/src/Security/CWE/CWE-798/HardcodedAzureCredentials.java
Lines changed: 52 additions & 0 deletions b/‎java/ql/src/Security/CWE/CWE-798/HardcodedAzureCredentials.java
Lines changed: 52 additions & 0 deletions
diff --git a/‎java/ql/src/Security/CWE/CWE-798/HardcodedCredentialsApiCall.qhelp
Lines changed: 30 additions & 0 deletions b/‎java/ql/src/Security/CWE/CWE-798/HardcodedCredentialsApiCall.qhelp
Lines changed: 30 additions & 0 deletions
diff --git a/‎java/ql/src/Security/CWE/CWE-798/SensitiveApi.qll
Lines changed: 7 additions & 3 deletions b/‎java/ql/src/Security/CWE/CWE-798/SensitiveApi.qll
Lines changed: 7 additions & 3 deletions
diff --git a/‎java/ql/test/query-tests/security/CWE-798/semmle/tests/HardcodedAzureCredentials.java
Lines changed: 66 additions & 0 deletions b/‎java/ql/test/query-tests/security/CWE-798/semmle/tests/HardcodedAzureCredentials.java
Lines changed: 66 additions & 0 deletions
diff --git a/‎java/ql/test/query-tests/security/CWE-798/semmle/tests/HardcodedCredentialsApiCall.expected
Lines changed: 37 additions & 0 deletions b/‎java/ql/test/query-tests/security/CWE-798/semmle/tests/HardcodedCredentialsApiCall.expected
Lines changed: 37 additions & 0 deletions
@@ -0,0 +1,52 @@
+public class HardcodedAzureCredentials {
+	private final String clientId = "81734019-15a3-50t8-3253-5abe78abc3a1";
+	private final String username = "[email protected]";
+	private final String clientSecret = "1n1.qAc~3Q-1t38aF79Xzv5AUEfR5-ct3_";
+	private final String tenantId = "22f367ce-535x-357w-2179-a33517mn166h";
+
+	//BAD: hard-coded username/password credentials
+	public void testHardcodedUsernamePassword(String input) {
+		UsernamePasswordCredential usernamePasswordCredential = new UsernamePasswordCredentialBuilder()
+		.clientId(clientId)
+		.username(username)
+		.password(clientSecret)
+		.build();
+
+		SecretClient client = new SecretClientBuilder()
+		.vaultUrl("https://myKeyVault.vault.azure.net")
+		.credential(usernamePasswordCredential)
+		.buildClient();
+	}
+
+	//GOOD: username/password credentials stored as environment variables
+	public void testEnvironmentUsernamePassword(String input) {
+		UsernamePasswordCredential usernamePasswordCredential = new UsernamePasswordCredentialBuilder()
+		.clientId(clientId)
+		.username(System.getenv("myUsername"))
+		.password(System.getenv("mySuperSecurePass"))
+		.build();
+
+		SecretClient client = new SecretClientBuilder()
+		.vaultUrl("https://myKeyVault.vault.azure.net")
+		.credential(usernamePasswordCredential)
+		.buildClient();
+	}
+
+	//BAD: hard-coded client secret
+	public void testHardcodedClientSecret(String input) {
+		ClientSecretCredential defaultCredential = new ClientSecretCredentialBuilder()
+		.clientId(clientId)
+		.clientSecret(clientSecret)
+		.tenantId(tenantId)
+		.build();
+	}
+
+	//GOOD: client secret stored as environment variables
+	public void testEnvironmentClientSecret(String input) {
+		ClientSecretCredential defaultCredential = new ClientSecretCredentialBuilder()
+		.clientId(clientId)
+		.clientSecret(System.getenv("myClientSecret"))
+		.tenantId(tenantId)
+		.build();
+	}
+}
@@ -32,13 +32,43 @@
     Instead, the user name and password could be supplied through environment variables,
     which can be set externally without hard-coding credentials in the source code.
   </p>
+
+  <p>
+    The following code example connects to AWS using a hard-coded access key ID and secret key:
+  </p>
+
+  <sample src="HardcodedAWSCredentials.java"/>
+
+  <p>
+    Instead, the access key ID and secret key could be supplied through environment variables,
+    which can be set externally without hard-coding credentials in the source code.
+  </p>
+
+  <p>
+    The following code example connects to Azure using a hard-coded user name and password or client secret:
+  </p>
+
+  <sample src="HardcodedAzureCredentials.java"/>
+
+  <p>
+    Instead, the username and password or client secret could be supplied through environment variables,
+    which can be set externally without hard-coding credentials in the source code.
+  </p>
 </example>
 
 <references>
 <li>
 OWASP:
 <a href="https://www.owasp.org/index.php/Use_of_hard-coded_password">Use of hard-coded password</a>.
 </li>
+<li>
+Microsoft:
+<a href="https://docs.microsoft.com/en-us/azure/developer/java/sdk/identity-user-auth#username-password-credential">Azure authentication with user credentials</a>.
+</li>
+<li>
+Amazon:
+<a href="https://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/credentials.html">Working with AWS Credentials</a>.
+</li>
 </references>
 
 </qhelp>
@@ -130,7 +130,8 @@ private predicate javaApiCallablePasswordParam(string s) {
   s = "sun.tools.jconsole.ProxyClient;getProxyClient(String, int, String, String);3" or
   s = "sun.tools.jconsole.ProxyClient;getProxyClient(String, String, String);2" or
   s = "sun.tools.jconsole.ProxyClient;getCacheKey(String, int, String, String);3" or
-  s = "com.amazonaws.auth.BasicAWSCredentials;BasicAWSCredentials(String, String);1"
+  s = "com.amazonaws.auth.BasicAWSCredentials;BasicAWSCredentials(String, String);1" or
+  s = "com.azure.identity.UsernamePasswordCredentialBuilder;password(String);0"
 }
 
 /**
@@ -202,7 +203,8 @@ private predicate javaApiCallableUsernameParam(string s) {
   s = "sun.tools.jconsole.ProxyClient;getConnectionName(String, String);1" or
   s = "sun.tools.jconsole.ProxyClient;getProxyClient(String, int, String, String);2" or
   s = "sun.tools.jconsole.ProxyClient;getConnectionName(String, int, String);2" or
-  s = "com.amazonaws.auth.BasicAWSCredentials;BasicAWSCredentials(String, String);0"
+  s = "com.amazonaws.auth.BasicAWSCredentials;BasicAWSCredentials(String, String);0" or
+  s = "com.azure.identity.UsernamePasswordCredentialBuilder;username(String);0"
 }
 
 /**
@@ -510,5 +512,7 @@ private predicate otherApiCallableCredentialParam(string s) {
   s =
     "org.springframework.security.core.userdetails.User;User(String, String, boolean, boolean, boolean, boolean, Collection<? extends GrantedAuthority>);0" or
   s =
-    "org.springframework.security.core.userdetails.User;User(String, String, boolean, boolean, boolean, boolean, Collection<? extends GrantedAuthority>);1"
+    "org.springframework.security.core.userdetails.User;User(String, String, boolean, boolean, boolean, boolean, Collection<? extends GrantedAuthority>);1" or
+  s = "com.azure.identity.ClientSecretCredentialBuilder;clientSecret(String);0"
+
 }
@@ -0,0 +1,66 @@
+import com.azure.identity.ClientSecretCredential;
+import com.azure.identity.ClientSecretCredentialBuilder;
+import com.azure.identity.UsernamePasswordCredential;
+import com.azure.identity.UsernamePasswordCredentialBuilder;
+import com.azure.security.keyvault.secrets.SecretClient;
+import com.azure.security.keyvault.secrets.SecretClientBuilder;
+
+public class HardcodedAzureCredentials {
+	private final String clientId = "81734019-15a3-50t8-3253-5abe78abc3a1";
+	private final String username = "[email protected]";
+	private final String clientSecret = "1n1.qAc~3Q-1t38aF79Xzv5AUEfR5-ct3_";
+	private final String tenantId = "22f367ce-535x-357w-2179-a33517mn166h";
+
+	//BAD: hard-coded username/password credentials
+	public void testHardcodedUsernamePassword(String input) {
+		UsernamePasswordCredential usernamePasswordCredential = new UsernamePasswordCredentialBuilder()
+		.clientId(clientId)
+		.username(username)
+		.password(clientSecret)
+		.build();
+
+		SecretClient client = new SecretClientBuilder()
+		.vaultUrl("https://myKeyVault.vault.azure.net")
+		.credential(usernamePasswordCredential)
+		.buildClient();
+	}
+
+	//GOOD: username/password credentials stored as environment variables
+	public void testEnvironmentUsernamePassword(String input) {
+		UsernamePasswordCredential usernamePasswordCredential = new UsernamePasswordCredentialBuilder()
+		.clientId(clientId)
+		.username(System.getenv("myUsername"))
+		.password(System.getenv("mySuperSecurePass"))
+		.build();
+
+		SecretClient client = new SecretClientBuilder()
+		.vaultUrl("https://myKeyVault.vault.azure.net")
+		.credential(usernamePasswordCredential)
+		.buildClient();
+	}
+
+	//BAD: hard-coded client secret
+	public void testHardcodedClientSecret(String input) {
+		ClientSecretCredential defaultCredential = new ClientSecretCredentialBuilder()
+		.clientId(clientId)
+		.clientSecret(clientSecret)
+		.tenantId(tenantId)
+		.build();
+	}
+
+	//GOOD: client secret stored as environment variables
+	public void testEnvironmentClientSecret(String input) {
+		ClientSecretCredential defaultCredential = new ClientSecretCredentialBuilder()
+		.clientId(clientId)
+		.clientSecret(System.getenv("myClientSecret"))
+		.tenantId(tenantId)
+		.build();
+	}
+
+	public static void main(String[] args) {
+		new HardcodedAzureCredentials().testHardcodedUsernamePassword(args[0]);
+		new HardcodedAzureCredentials().testEnvironmentUsernamePassword(args[0]);
+		new HardcodedAzureCredentials().testHardcodedClientSecret(args[0]);
+		new HardcodedAzureCredentials().testEnvironmentClientSecret(args[0]);
+	}
+}
@@ -10,6 +10,22 @@ edges
 | FileCredentialTest.java:13:14:13:20 | "admin" : String | FileCredentialTest.java:19:13:19:13 | u : String |
 | FileCredentialTest.java:19:13:19:13 | u : String | FileCredentialTest.java:22:38:22:45 | v : String |
 | FileCredentialTest.java:22:38:22:45 | v : String | FileCredentialTest.java:23:36:23:36 | v |
+| HardcodedAzureCredentials.java:8:14:8:38 | this <.method> [post update] [clientSecret] : String | HardcodedAzureCredentials.java:61:3:61:33 | new HardcodedAzureCredentials(...) [clientSecret] : String |
+| HardcodedAzureCredentials.java:8:14:8:38 | this <.method> [post update] [clientSecret] : String | HardcodedAzureCredentials.java:63:3:63:33 | new HardcodedAzureCredentials(...) [clientSecret] : String |
+| HardcodedAzureCredentials.java:8:14:8:38 | this <.method> [post update] [username] : String | HardcodedAzureCredentials.java:61:3:61:33 | new HardcodedAzureCredentials(...) [username] : String |
+| HardcodedAzureCredentials.java:10:2:10:68 | this <.field> [post update] [username] : String | HardcodedAzureCredentials.java:8:14:8:38 | this <.method> [post update] [username] : String |
+| HardcodedAzureCredentials.java:10:34:10:67 | "[email protected]" : String | HardcodedAzureCredentials.java:10:2:10:68 | this <.field> [post update] [username] : String |
+| HardcodedAzureCredentials.java:11:2:11:74 | this <.field> [post update] [clientSecret] : String | HardcodedAzureCredentials.java:8:14:8:38 | this <.method> [post update] [clientSecret] : String |
+| HardcodedAzureCredentials.java:11:38:11:73 | "1n1.qAc~3Q-1t38aF79Xzv5AUEfR5-ct3_" : String | HardcodedAzureCredentials.java:11:2:11:74 | this <.field> [post update] [clientSecret] : String |
+| HardcodedAzureCredentials.java:15:14:15:42 | parameter this [clientSecret] : String | HardcodedAzureCredentials.java:19:13:19:24 | this <.field> [clientSecret] : String |
+| HardcodedAzureCredentials.java:15:14:15:42 | parameter this [username] : String | HardcodedAzureCredentials.java:18:13:18:20 | this <.field> [username] : String |
+| HardcodedAzureCredentials.java:18:13:18:20 | this <.field> [username] : String | HardcodedAzureCredentials.java:18:13:18:20 | username |
+| HardcodedAzureCredentials.java:19:13:19:24 | this <.field> [clientSecret] : String | HardcodedAzureCredentials.java:19:13:19:24 | clientSecret |
+| HardcodedAzureCredentials.java:43:14:43:38 | parameter this [clientSecret] : String | HardcodedAzureCredentials.java:46:17:46:28 | this <.field> [clientSecret] : String |
+| HardcodedAzureCredentials.java:46:17:46:28 | this <.field> [clientSecret] : String | HardcodedAzureCredentials.java:46:17:46:28 | clientSecret |
+| HardcodedAzureCredentials.java:61:3:61:33 | new HardcodedAzureCredentials(...) [clientSecret] : String | HardcodedAzureCredentials.java:15:14:15:42 | parameter this [clientSecret] : String |
+| HardcodedAzureCredentials.java:61:3:61:33 | new HardcodedAzureCredentials(...) [username] : String | HardcodedAzureCredentials.java:15:14:15:42 | parameter this [username] : String |
+| HardcodedAzureCredentials.java:63:3:63:33 | new HardcodedAzureCredentials(...) [clientSecret] : String | HardcodedAzureCredentials.java:43:14:43:38 | parameter this [clientSecret] : String |
 | Test.java:9:16:9:22 | "admin" : String | Test.java:12:13:12:15 | usr : String |
 | Test.java:9:16:9:22 | "admin" : String | Test.java:15:36:15:38 | usr |
 | Test.java:9:16:9:22 | "admin" : String | Test.java:17:39:17:41 | usr |
@@ -42,6 +58,24 @@ nodes
 | FileCredentialTest.java:23:36:23:36 | v | semmle.label | v |
 | HardcodedAWSCredentials.java:8:50:8:61 | "ACCESS_KEY" | semmle.label | "ACCESS_KEY" |
 | HardcodedAWSCredentials.java:8:64:8:75 | "SECRET_KEY" | semmle.label | "SECRET_KEY" |
+| HardcodedAzureCredentials.java:8:14:8:38 | this <.method> [post update] [clientSecret] : String | semmle.label | this <.method> [post update] [clientSecret] : String |
+| HardcodedAzureCredentials.java:8:14:8:38 | this <.method> [post update] [username] : String | semmle.label | this <.method> [post update] [username] : String |
+| HardcodedAzureCredentials.java:10:2:10:68 | this <.field> [post update] [username] : String | semmle.label | this <.field> [post update] [username] : String |
+| HardcodedAzureCredentials.java:10:34:10:67 | "[email protected]" : String | semmle.label | "[email protected]" : String |
+| HardcodedAzureCredentials.java:11:2:11:74 | this <.field> [post update] [clientSecret] : String | semmle.label | this <.field> [post update] [clientSecret] : String |
+| HardcodedAzureCredentials.java:11:38:11:73 | "1n1.qAc~3Q-1t38aF79Xzv5AUEfR5-ct3_" : String | semmle.label | "1n1.qAc~3Q-1t38aF79Xzv5AUEfR5-ct3_" : String |
+| HardcodedAzureCredentials.java:15:14:15:42 | parameter this [clientSecret] : String | semmle.label | parameter this [clientSecret] : String |
+| HardcodedAzureCredentials.java:15:14:15:42 | parameter this [username] : String | semmle.label | parameter this [username] : String |
+| HardcodedAzureCredentials.java:18:13:18:20 | this <.field> [username] : String | semmle.label | this <.field> [username] : String |
+| HardcodedAzureCredentials.java:18:13:18:20 | username | semmle.label | username |
+| HardcodedAzureCredentials.java:19:13:19:24 | clientSecret | semmle.label | clientSecret |
+| HardcodedAzureCredentials.java:19:13:19:24 | this <.field> [clientSecret] : String | semmle.label | this <.field> [clientSecret] : String |
+| HardcodedAzureCredentials.java:43:14:43:38 | parameter this [clientSecret] : String | semmle.label | parameter this [clientSecret] : String |
+| HardcodedAzureCredentials.java:46:17:46:28 | clientSecret | semmle.label | clientSecret |
+| HardcodedAzureCredentials.java:46:17:46:28 | this <.field> [clientSecret] : String | semmle.label | this <.field> [clientSecret] : String |
+| HardcodedAzureCredentials.java:61:3:61:33 | new HardcodedAzureCredentials(...) [clientSecret] : String | semmle.label | new HardcodedAzureCredentials(...) [clientSecret] : String |
+| HardcodedAzureCredentials.java:61:3:61:33 | new HardcodedAzureCredentials(...) [username] : String | semmle.label | new HardcodedAzureCredentials(...) [username] : String |
+| HardcodedAzureCredentials.java:63:3:63:33 | new HardcodedAzureCredentials(...) [clientSecret] : String | semmle.label | new HardcodedAzureCredentials(...) [clientSecret] : String |
 | Test.java:9:16:9:22 | "admin" : String | semmle.label | "admin" : String |
 | Test.java:10:17:10:24 | "123456" : String | semmle.label | "123456" : String |
 | Test.java:12:13:12:15 | usr : String | semmle.label | usr : String |
@@ -72,6 +106,9 @@ nodes
 | FileCredentialTest.java:18:35:18:41 | "admin" | FileCredentialTest.java:18:35:18:41 | "admin" | FileCredentialTest.java:18:35:18:41 | "admin" | Hard-coded value flows to $@. | FileCredentialTest.java:18:35:18:41 | "admin" | sensitive API call |
 | HardcodedAWSCredentials.java:8:50:8:61 | "ACCESS_KEY" | HardcodedAWSCredentials.java:8:50:8:61 | "ACCESS_KEY" | HardcodedAWSCredentials.java:8:50:8:61 | "ACCESS_KEY" | Hard-coded value flows to $@. | HardcodedAWSCredentials.java:8:50:8:61 | "ACCESS_KEY" | sensitive API call |
 | HardcodedAWSCredentials.java:8:64:8:75 | "SECRET_KEY" | HardcodedAWSCredentials.java:8:64:8:75 | "SECRET_KEY" | HardcodedAWSCredentials.java:8:64:8:75 | "SECRET_KEY" | Hard-coded value flows to $@. | HardcodedAWSCredentials.java:8:64:8:75 | "SECRET_KEY" | sensitive API call |
+| HardcodedAzureCredentials.java:10:34:10:67 | "[email protected]" | HardcodedAzureCredentials.java:10:34:10:67 | "[email protected]" : String | HardcodedAzureCredentials.java:18:13:18:20 | username | Hard-coded value flows to $@. | HardcodedAzureCredentials.java:18:13:18:20 | username | sensitive API call |
+| HardcodedAzureCredentials.java:11:38:11:73 | "1n1.qAc~3Q-1t38aF79Xzv5AUEfR5-ct3_" | HardcodedAzureCredentials.java:11:38:11:73 | "1n1.qAc~3Q-1t38aF79Xzv5AUEfR5-ct3_" : String | HardcodedAzureCredentials.java:19:13:19:24 | clientSecret | Hard-coded value flows to $@. | HardcodedAzureCredentials.java:19:13:19:24 | clientSecret | sensitive API call |
+| HardcodedAzureCredentials.java:11:38:11:73 | "1n1.qAc~3Q-1t38aF79Xzv5AUEfR5-ct3_" | HardcodedAzureCredentials.java:11:38:11:73 | "1n1.qAc~3Q-1t38aF79Xzv5AUEfR5-ct3_" : String | HardcodedAzureCredentials.java:46:17:46:28 | clientSecret | Hard-coded value flows to $@. | HardcodedAzureCredentials.java:46:17:46:28 | clientSecret | sensitive API call |
 | Test.java:9:16:9:22 | "admin" | Test.java:9:16:9:22 | "admin" : String | Test.java:15:36:15:38 | usr | Hard-coded value flows to $@. | Test.java:15:36:15:38 | usr | sensitive API call |
 | Test.java:9:16:9:22 | "admin" | Test.java:9:16:9:22 | "admin" : String | Test.java:17:39:17:41 | usr | Hard-coded value flows to $@. | Test.java:17:39:17:41 | usr | sensitive API call |
 | Test.java:9:16:9:22 | "admin" | Test.java:9:16:9:22 | "admin" : String | Test.java:18:39:18:41 | usr | Hard-coded value flows to $@. | Test.java:18:39:18:41 | usr | sensitive API call |