Hi,

Thank you for performing the "Fortify Open Review" for Apache WSS4J (2.1.4). It's valuable to get this kind of feedback on potential issues in a project. FYI your initial email did not make it through to the WSS4J dev list, as you did not use the correct email address for the project ( [email protected] - you need to subscribe first).

In the interests of providing constructive feedback, there are a number of immediate problems with the review:

a) It does not exclude test code. Almost all of the "issues" raised are in test classes, and this makes it more difficult to focus on the potential bugs in the actual source code itself. I am not really interested in potential bugs in test classes, as this code is not used in a production environment. The "critical" issue of hard-coding a password is obviously not a problem when it's used in a test class.

b) The code scanning needs some refinement. It appears to interpret any static String constant with "PASSWORD" in it as an actual password, or with "KEY" as an encryption key. However, in WSS4J these are all URI type fields or else configuration fields, such as:

public static final String TAG_ENCRYPTED_KEY_TRANSPORT_METHOD = "encrypted-key-transport-method";

This introduces a large number of false positives. Maybe your scanner could check to see if the value actually looks like a key or password before emitting the warning.

Colm.

-- 
Colm O hEigeartaigh
Talend Community Coder
http://coders.talend.com
