Products
In-IDE
IDE extension that lets you fix coding issues before they exist!
Discover SonarLint
SaaS
Setup is effortless and analysis is automatic for most languages
Discover SonarCloud
Self-Hosted
Fast, accurate analysis; enterprise scalability
Discover SonarQube

Secrets static code analysis

Unique rules to find Vulnerabilities in your source code and language agnostic config files

All rules 7

Vulnerability7

Amazon MWS credentials should not be disclosed

Vulnerability

BlockerSonarSource default severity
click to learn more

Amazon Marketplace Web Service credentials are designed to authenticate and authorize Amazon sellers.

If your application interacts with Amazon MWS then it requires credentials to access all the resources it needs to function properly. The credential authenticates to a seller account which can have access to ressources like products, orders, price or shipment informations.

Therefore only administrators should have access to the MWS credentials used by your application.

As a consequence, MWS credentials should not be stored along with the application code as they would grant special privilege to anyone who has access to the application source code.

Credentials should be stored outside of the code in a file that is never committed to your application code repository.

If possible, a better alternative is to use your cloud provider’s service for managing secrets. On AWS this service is called Secret Manager.

When credentials are disclosed in the application code, consider them as compromised and revoke them immediately.

See

OWASP Top 10 2017 Category A2 - Broken Authentication
MITRE, CWE-798 - Use of Hard-coded Credentials
MITRE, CWE-259 - Use of Hard-coded Password
CERT, MSC03-J. - Never hard code sensitive information
SANS Top 25 - Porous Defenses

Available In:

Catch issues on the fly,
in your IDE

Detect issues in your GitHub, Azure DevOps Services, Bitbucket Cloud, GitLab repositories

Analyze code in your
on-premise CI

In-IDE

SaaS

Self-Hosted