Java Hardcoded Connection Password
Description
Detects hardcoded database connection passwords in DataNucleus ORM configurations. Using hardcoded credentials in source code is a security risk as it can lead to credential exposure through source code access and makes credential rotation difficult.
Detection Strategy
• Check if DataNucleus ORM library is imported in the Java source code
• Identify calls to setConnectionPassword() method on JDOPersistenceManagerFactory objects
• Verify if the password parameter is provided as a string literal instead of being loaded from a secure configuration
• Report a vulnerability when database connection passwords are hardcoded in DataNucleus configuration code
Vulnerable code example
import org.datanucleus.api.jdo.JDOPersistenceManagerFactory;
public class DatabaseConfig {
private static final String HARDCODED_PWD = "secretpass123"; // Vulnerable: Hardcoded password as class constant
public void configureConnection() {
JDOPersistenceManagerFactory pmf = new JDOPersistenceManagerFactory();
pmf.setConnectionURL("jdbc:mysql://localhost:3306/db");...✅ Secure code example
import org.datanucleus.api.jdo.JDOPersistenceManagerFactory;
public class DatabaseConfig {
public void configureConnection() {
String dbPassword = System.getenv("DB_PASSWORD"); // Safe: Load password from environment variable
if (dbPassword == null) {
throw new IllegalStateException("Database password not configured"); // Fail securely if password not set
}...Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.