[ https://issues.apache.org/jira/browse/KARAF-4199?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jean-Baptiste Onofré updated KARAF-4199:
----------------------------------------
    Fix Version/s: 4.0.6
                   4.1.0

> Privacy Violation: Heap Inspection
> ----------------------------------
>
>                 Key: KARAF-4199
>                 URL: https://issues.apache.org/jira/browse/KARAF-4199
>             Project: Karaf
>          Issue Type: Bug
>    Affects Versions: 4.0.3
>            Reporter: Eduardo Aguinaga
>            Assignee: Jean-Baptiste Onofré
>             Fix For: 4.1.0, 4.0.6
>
>
> HP Fortify and SciTools Understand were used to perform an application
> security scan on the karaf source code.
> The method interactive() in Main.java stores sensitive data in a String
> object on line 127, making it impossible to reliably purge the data from
> memory.
> Main.java, lines 120-137:
> {code}
> 120     public String[] interactive(String destination, String name, String instruction, String[] prompt, boolean[] echo) {
> 121         String[] answers = new String[prompt.length];
> 122         try {
> 123             for (int i = 0; i < prompt.length; i++) {
> 124                 if (echo[i]) {
> 125                     answers[i] = console.readLine(prompt[i] + " ");
> 126                 } else {
> 127                     answers[i] = new String(console.readPassword(prompt[i] + " "));
> 128                 }
> 129                 if (answers[i] == null) {
> 130                     return null;
> 131                 }
> 132             }
> 133             return answers;
> 134         } catch (IOError e) {
> 135             return null;
> 136         }
> 137     }
> {code}

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
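As an added illustration (not Karaf's code and not part of the issue above), the following variant of interactive() keeps non-echoed answers in the char[] that Console.readPassword() already returns, so they can be overwritten once consumed, instead of copying them into an immutable String as line 127 does. It assumes `console` is a java.io.Console field; the class name and the wipe() helper are hypothetical.

```java
import java.io.Console;
import java.io.IOError;
import java.util.Arrays;

public class InteractivePrompt {
    private final Console console; // assumption: a java.io.Console

    public InteractivePrompt(Console console) {
        this.console = console;
    }

    // Hardened variant: answers stay in char[] so the caller can wipe them.
    // Echoed answers come back from readLine() as Strings; they are converted
    // to char[] only to give a uniform, wipeable return type (echoed input is
    // assumed not to be secret). The prompt is passed as a format argument so
    // a '%' in it is not interpreted by the Console's formatter.
    public char[][] interactive(String[] prompt, boolean[] echo) {
        char[][] answers = new char[prompt.length][];
        try {
            for (int i = 0; i < prompt.length; i++) {
                if (echo[i]) {
                    String line = console.readLine("%s ", prompt[i]);
                    answers[i] = (line == null) ? null : line.toCharArray();
                } else {
                    answers[i] = console.readPassword("%s ", prompt[i]);
                }
                if (answers[i] == null) {
                    wipe(answers); // do not leave earlier secrets behind on abort
                    return null;
                }
            }
            return answers;
        } catch (IOError e) {
            wipe(answers);
            return null;
        }
    }

    // Overwrite every collected answer; callers do the same once they are done.
    public static void wipe(char[][] answers) {
        if (answers == null) {
            return;
        }
        for (char[] a : answers) {
            if (a != null) {
                Arrays.fill(a, '\0');
            }
        }
    }
}
```

Whatever consumes the returned answers must accept char[] as well; converting them back to String downstream reintroduces the reported finding.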