[ https://issues.apache.org/jira/browse/CASSANDRA-12540?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15571840#comment-15571840 ]
Stefan Podkowinski edited comment on CASSANDRA-12540 at 10/13/16 12:59 PM: --------------------------------------------------------------------------- This would have prevented CASSANDRA-12773. There's really no reason not to get rid of them. ||trunk|| |[branch|https://github.com/spodkowinski/cassandra/tree/CASSANDRA-12540-trunk]| |[dtest|http://cassci.datastax.com/view/Dev/view/spodkowinski/job/spodkowinski-CASSANDRA-12540-trunk-dtest/]| |[testall|http://cassci.datastax.com/view/Dev/view/spodkowinski/job/spodkowinski-CASSANDRA-12540-trunk-testall/]| was (Author: spo...@gmail.com): This would have prevented CASSANDRA-12773. There's really no reason not to get rid of them. > Password Management: Hardcoded Password > --------------------------------------- > > Key: CASSANDRA-12540 > URL: https://issues.apache.org/jira/browse/CASSANDRA-12540 > Project: Cassandra > Issue Type: Sub-task > Reporter: Eduardo Aguinaga > Attachments: 12540-trunk.patch > > > Overview: > In May through June of 2016 a static analysis was performed on version 3.0.5 > of the Cassandra source code. The analysis included an automated analysis > using HP Fortify v4.21 SCA and a manual analysis utilizing SciTools > Understand v4. The results of that analysis includes the issue below. > Issue: > In the file EncryptionOptions.java there are hard coded passwords on lines 23 > and 25. > {code:java} > EncryptionOptions.java, lines 20-30: > 20 public abstract class EncryptionOptions > 21 { > 22 public String keystore = "conf/.keystore"; > 23 public String keystore_password = "cassandra"; > 24 public String truststore = "conf/.truststore"; > 25 public String truststore_password = "cassandra"; > 26 public String[] cipher_suites = { > 27 "TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_256_CBC_SHA", > 28 "TLS_DHE_RSA_WITH_AES_128_CBC_SHA", > "TLS_DHE_RSA_WITH_AES_256_CBC_SHA", > 29 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", > "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA" > 30 }; > {code} -- This message was sent by Atlassian JIRA (v6.3.4#6332)