Products
In-IDE
IDE extension that lets you fix coding issues before they exist!
Discover SonarLint
SaaS
Setup is effortless and analysis is automatic for most languages
Discover SonarCloud
Self-Hosted
Fast, accurate analysis; enterprise scalability
Discover SonarQube

VB.NET static code analysis

Unique rules to find Bugs, Vulnerabilities, Security Hotspots, and Code Smells in your VB.NET code

Hard-coded credentials are security-sensitive

responsibility - trustworthy

security

Security Hotspot

BlockerSonarSource default severity
click to learn more

Because it is easy to extract strings from an application source code or binary, credentials should not be hard-coded. This is particularly true for applications that are distributed or that are open-source.

In the past, it has led to the following vulnerabilities:

Credentials should be stored outside of the code in a configuration file, a database, or a management service for secrets.

This rule flags instances of hard-coded credentials used in database and LDAP connections. It looks for hard-coded credentials in connection strings, and for variable names that match any of the patterns from the provided list.

Ask Yourself Whether

Credentials allow access to a sensitive component like a database, a file storage, an API or a service.
Credentials are used in production environments.
Application re-distribution is required before updating the credentials.

There is a risk if you answered yes to any of those questions.

Recommended Secure Coding Practices

Store the credentials in a configuration file that is not pushed to the code repository.
Store the credentials in a database.
Use your cloud provider’s service for managing secrets.
If a password has been disclosed through the source code: change it.

Sensitive Code Example

Dim username As String = "admin"
Dim password As String = "Password123" ' Sensitive
Dim usernamePassword As String = "user=admin&password=Password123" ' Sensitive
Dim url As String = "scheme://user:Admin123@domain.com" ' Sensitive

Compliant Solution

Dim username As String = "admin"
Dim password As String = GetEncryptedPassword()
Dim usernamePassword As String = String.Format("user={0}&password={1}", GetEncryptedUsername(), GetEncryptedPassword())
Dim url As String = $"scheme://{username}:{password}@domain.com"

Dim url2 As String= "http://guest:guest@domain.com" ' Compliant
Const Password_Property As String = "custom.password" ' Compliant

Exceptions

Issue is not raised when URI username and password are the same.
Issue is not raised when searched pattern is found in variable name and value.

See

OWASP - Top 10 2021 Category A7 - Identification and Authentication Failures
OWASP - Top 10 2017 Category A2 - Broken Authentication
CWE - CWE-798 - Use of Hard-coded Credentials
CWE - CWE-259 - Use of Hard-coded Password
Derived from FindSecBugs rule Hard Coded Password

Available In:

Catch issues on the fly,
in your IDE

Detect issues in your GitHub, Azure DevOps Services, Bitbucket Cloud, GitLab repositories

Analyze code in your
on-premise CI

In-IDE

SaaS

Self-Hosted