From Checkmarx report:
Application contains Hardcoded connection details. This can expose database password.
I'm using jasypt-spring-boot for password encryption. But in Checkmarx, it marks it as medium vulnerability.
Dependency used:
<dependency>
<groupId>com.github.ulisesbocchio</groupId>
<artifactId>jasypt-spring-boot</artifactId>
<version>2.0.0</version>
</dependency>
In PropertFile:
projectname.password=ENC(encrypted password)
#Value("${projectname.password}")
private String dBpassword;
and using the above dBpassword to connect to the database.
Checkmarx is going to have a certain amount of false positives. It isn't possible for it to know every single possibility. So in this case, it doesn't realize that the #Value annotation is actually reading it from a config file. In that case you need to follow your organizations process for handling a false positive and marking the finiding as such in Checkmarx.
Related
I am using spring boot with azure's keyvault
<dependency>
<groupId>com.azure.spring</groupId>
<artifactId>azure-spring-boot-starter-keyvault-secrets</artifactId>
</dependency>
but there is a problem, when I want to update secret.
How to force for example via rest api lets say, refresh of this value ?
#Value("${x-value}") private val xValue: String = "0"
thanks!
Can you rephrase you're question to clarify what exactly do you want to refresh? If you want to refresh the value from AKV (AKV secret changes -> value in code changes) you need to use environment to get the property:
#Autowired
Environment environment
...
xValue = environment.getProperty("x-value");
because #Value() is set during construction of the component. It won't change during it's lifetime.
If you want the change the AKV contents: this is not the purpose of azure-spring-boot-starter-keyvault-secrets.
I am getting this error when running my spring boot application. It is a CRUD API that I am trying to connect to my table data in SQL developer. I would really appreciate some help.
Application Properties
spring.datasource.url = jdbc:oracle:DIP:#localhost:1521:orcl
spring.datasource.username = DIP
spring.datasource.password = DIP
spring.datasource.driver-class-name = oracle.jdbc.driver.OracleDriver
server.port = 8080
Code That Generated Exception
private EmployeeDAO dao;
#BeforeEach
void setUp() throws Exception {
DriverManagerDataSource dataSource = new DriverManagerDataSource();
dataSource.setUrl("jdbc:oracle:DIP:#localhost:1521:orcl");
dataSource.setUsername("DIP");
dataSource.setPassword("DIP");
dataSource.setDriverClassName("oracle.jdbc.driver.OracleDriver");
dao = new EmployeeDAO(new JdbcTemplate(dataSource));
}
Oracle Driver System Path Pom.xml
<dependency>
<groupId>com.oracle.database.jdbc</groupId>
<artifactId>ojdbc8</artifactId>
<version>2.3.0</version>
<scope>system</scope>
<systemPath>C:/ojdbc8.jar</systemPath>
</dependency>
The connection URL looks odd to me.
The part of the connection URL after jdbc:oracle: specifies which type of Oracle JDBC driver to use, as there's more than one of them. The only possible values this can take are thin, oci (or oci8?) and kprb (according to the Oracle JDBC driver documentation). In your code, you've set this to DIP, which appears to also be the username you are using.
I've never had any need to use kprb (in fact I didn't even know about it until today), and I haven't used oci in years. thin is the type of driver I use most often and would be the type of driver I would recommend you try to use.
Try replacing DIP in your connection URL with thin, i.e. jdbc:oracle:thin:#localhost:1521:orcl.
Note that this URL appears twice in your code, once in your properties file and once in what appears to be a test class. You will presumably need to change it in both.
I have a spring-boot project where the database configuration should be saved in the first time the user execute the application, after ask for the connection data (server url, username and password). the application.properties file embbed in the WAR file of the application should be something like that:
security.basic.enabled=false
# THYMELEAF (ThymeleafAutoConfiguration)
spring.thymeleaf.prefix=classpath:/templates/
spring.thymeleaf.suffix=.html
spring.thymeleaf.mode=HTML5
spring.thymeleaf.encoding=UTF-8
spring.thymeleaf.content-type=text/html
spring.thymeleaf.cache=false
# Multipart Configuration
spring.servlet.multipart.maxFileSize = 150MB
spring.servlet.multipart.maxRequestSize = 150MB
spring.servlet.multipart.fileSizeThreshold = 5MB
# Setting max size of post requests to 6MB (default: 2MB)
server.tomcat.max-http-post-size=157286400
After the first run, a second application.properties should be created with the database configuration. But right now, when I try run the project with the configuration above, it do not start, showing the following error message:
***************************
APPLICATION FAILED TO START
***************************
Description:
Failed to configure a DataSource: 'url' attribute is not specified and no embedded datasource could be configured.
Reason: Failed to determine a suitable driver class
Action:
Consider the following:
If you want an embedded database (H2, HSQL or Derby), please put it on the classpath.
If you have database settings to be loaded from a particular profile you may need to activate it (no profiles are currently active).
without give the application the change to generate the second configuration file, with the database properties.
How I could force the application to run this first time, even without the database stuff?
update
Ok, then I get rid of this error message by keeping this 2 dependencies on my pom.xml:
<dependency>
<groupId>org.postgresql</groupId>
<artifactId>postgresql</artifactId>
<version>LATEST</version>
</dependency>
<dependency>
<groupId>org.hsqldb</groupId>
<artifactId>hsqldb</artifactId>
<version>2.4.1</version>
</dependency>
and now the applications runs without error, and I am able to open the installation page to create the database on the postgresql server and import the initial data (user data included).
But I notice that this initial data is not being stored on the postgresql server (despite the datababse and all the tables are being created normally). I suspect they are being created on the hyperSql database on memory, what do not help me at all.
My guess is that's happen because I autowire some Dao classes for this entities on my InstallService class, and the code only create the data on the postgresql where I directly make the connection with this specific server.
Considering the method responsible by populate de initial data on my database is something like that:
public void criarUsuario(String user, String pass, String nome, String sobrenome, String email) {
Usuario novo = new Usuario();
novo.setUsername(user);
novo.setPassword(pass);
novo.setFirstName(nome);
novo.setLastName(sobrenome);
novo.setEmail(email);
novo.setEnabled(true);
novo.setLocked(false);
novo.setCredenciais(new ArrayList<Credencial>());
novo.getCredenciais().add( credencialDao.findBy("nome", "admin") );
usuarioDao.insert(novo);
...
}
What I could change here to persist this data on the postgresql database, instead of the hyperSql database?
update 2
Now I managed to run the application even with only the postgresql dependency om my pom.xml. I did that by adding a initial configuration on my first application.properties (locatd on /src/main/resources):
spring.datasource.driverClassName=org.postgresql.Driver
spring.datasource.url=jdbc:postgresql://localhost:5432/appdata
spring.datasource.username=...
spring.datasource.password=..
spring.datasource.continue-on-error=true
spring.jpa.database-platform=org.hibernate.dialect.PostgreSQLDialect
spring.jpa.dialect=org.hibernate.dialect.PostgreSQLDialect
spring.jpa.show-sql=false
spring.jpa.hibernate.ddl-auto=none
spring.jpa.generate-ddl=false
But when I try access the application on the browser, I got an error saying the database not exist (of course not, when I run the application the first time I have a specific flow to create database, tables and populate initial data).
is there any way to supress this "database not exist" error when I run the project?
Our application is based on Spring-boot 2.0. I've enabled basic security by adding the following dependency to pom.xml:
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
<version>2.0.4.RELEASE</version>
</dependency>
I also have added properties so that I can define my own userid and password for basic security, instead of the generated ones. I defined them like this in /resources/applicaiton.properties file:
security.user.name=user1
security.user.password=pass1
When I startup my application, I can see that is still generates the password for me in the log. Also, I am unable to login using user1/pass1 combination. I can only successfully login with the user=user and password=generated-password-from-log file.
Why won't spring security allow me to login with user1/pass1? What could be the problem?
Those properties need the spring prefix.
spring.security.user.name=user # Default user name.
spring.security.user.password= # Password for the default user name.
If I want to configure something I often take a look at this List
I hope this helps.
Hashicorp's Vault can be set up to provide database passwords on demand; each password can be used for a certain "lease" period (say 1 hour) before being renewed, and a maximum use period can be set after which the password has to be trashed and a new one obtained.
In Spring Boot, the JDBC connection is configured at application start, and it is assumed that the JDBC password is coded in the application.properties file (or, alternatively, obtained at application bootstrap time via Spring Cloud Config or equivalent) and used forever.
QUESTION: How might I implement a way in Spring Boot to reset the JDBC password by accessing Vault when a connection attempt fails due to an expired password?
Is there a way to set some sort of handler gets invoked when the connection fails due to an old password, and resets it to a new value?
Check out this open source project available on GitHub; I think it might just be what you are looking for. Note: From the looks of it, this is currently a Spring Cloud Incubator project (has the potential of becoming an official Spring endorsed open source library in the future), and there are only three contributors. You would have to see if it is "reliable enough" to suit your needs.
https://github.com/spring-cloud-incubator/spring-cloud-vault-config
--- Here's a quick summary of useful information ---
Add the following dependency to pom.xml:
<dependency>
<groupId>org.springframework.cloud</groupId>
<artifactId>spring-cloud-vault-starter-config</artifactId>
<version>x.y.z</version>
</dependency>
Create a standard Spring Boot application - provided example is just a main application class:
#SpringBootApplication
#RestController
public class Application {
#RequestMapping("/")
public String home() {
return "Hello World!";
}
public static void main(String[] args) {
SpringApplication.run(Application.class, args);
}
}
When it runs it will pick up the external configuration from the
default local Vault server on port 8200 if it is running. To modify
the startup behavior you can change the location of the Vault server
using bootstrap.properties (like application.properties but for the
bootstrap phase of an application context), e.g.
bootstrap.yml:
spring.cloud.vault:
host: localhost
port: 8200
scheme: http
connection-timeout: 5000
read-timeout: 15000
host sets the hostname of the Vault host. The host name will be used for SSL certificate validation
port sets the Vault port
scheme setting the scheme to http will use plain HTTP. Supported schemes are http and https.
connection-timeout sets the connection timeout in milliseconds
read-timeout sets the read timeout in milliseconds