Why is this an issue?
When relying on the password authentication mode for the database connection, a secure password should be chosen.
This rule raises an issue when an empty password is used.
Noncompliant code example
protected override void OnConfiguring(DbContextOptionsBuilder optionsBuilder)
{
optionsBuilder.UseSqlServer("Server=myServerAddress;Database=myDataBase;User Id=myUsername;Password="); // Noncompliant
}
In Web.config
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<connectionStrings>
<add name="myConnection" connectionString="Server=myServerAddress;Database=myDataBase;User Id=myUsername;Password=" /> <!-- Noncompliant -->
</connectionStrings>
</configuration>
Compliant solution
protected override void OnConfiguring(DbContextOptionsBuilder optionsBuilder)
{
optionsBuilder.UseSqlServer("Server=myServerAddress;Database=myDataBase;Integrated Security=True");
}
In Web.config
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<connectionStrings>
<add name="myConnection" connectionString="Server=myServerAddress;Database=myDataBase;Integrated Security=True" />
</connectionStrings>
</configuration>
Resources
