
CodeSonar® 9.2p0 CONFIDENTIAL CodeSecure Inc


HARDCODED.AUTH : Hardcoded Authentication

Summary

A function that should have an authentication string passed in a particular argument position has been passed a hardcoded string.

Properties

Class Name: Hardcoded Authentication
Significance: security
Mnemonic: HARDCODED.AUTH
Categories:
  CWE: CWE:259 Use of Hard-coded Password
       CWE:318 Cleartext Storage of Sensitive Information in Executable
       CWE:540 Inclusion of Sensitive Information in Source Code
       CWE:547 Use of Hard-coded, Security-relevant Constants
       CWE:798 Use of Hard-coded Credentials
  CERT-C: CERT-C:MSC18-C Be careful while handling sensitive data, such as passwords, in program code
          CERT-C:MSC41-C Never hard code sensitive information
  DISA-6r1: DISA-6r1:V-222642 The application must not contain embedded authentication data.
  DISA-5r3: DISA-5r3:V-70363 The application must not contain embedded authentication data.
  DISA-4r3: DISA-4r3:V-70363 The application must not contain embedded authentication data.
  DISA-3r10: DISA-3r10:V-6156 The designer will ensure the application does not contain embedded authentication data.
  OWASP-2017: OWASP-2017:A2 Broken authentication
              OWASP-2017:A5 Broken access control
              OWASP-2017:A6 Security misconfiguration
  OWASP-2021: OWASP-2021:A1 Broken access control
              OWASP-2021:A5 Security misconfiguration
              OWASP-2021:A7 Identification and authorization failures
  OWASP-2025: OWASP-2025:A01 Broken Access Control
              OWASP-2025:A02 Security Misconfiguration
              OWASP-2025:A07 Authentication Failures
Availability: Available for C and C++.
Enabling: Checks for this warning class are enabled by default. To disable them, add the following WARNING_FILTER rule to the project configuration file.
  WARNING_FILTER += discard class="Hardcoded Authentication"

Example

#include <stdlib.h>
#include <stdio.h>
#include <windows.h>
#include <sqltypes.h>
#include <sqlext.h>

void setup_connection_hc(SQLCHAR *server_name, FILE *nmpasswd)
{
   HENV henv;
   HDBC hdbc;

   SQLAllocEnv(&henv);
   if( SQLAllocConnect(henv, &hdbc) == SQL_SUCCESS )
       (void)SQLConnectA(hdbc, /* Hardcoded Authentication warning issued here */
                         server_name, SQL_NTS,
                         (SQLCHAR *)"alex", SQL_NTS,     /* user name passed as a string literal */
                         (SQLCHAR *)"hunter2", SQL_NTS); /* password passed as a string literal */
   // ... nmpasswd is never read: the credentials are compiled into the binary
   exit(0);
}
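The example above shows the pattern the checker flags: the user name and password reach the connect call as string literals, so they ship inside the executable and can be recovered from it. The following added example (written for this page, not CodeSonar's or the ODBC library's code) shows the remediation the warning points at: the credentials are read at run time from the stream the function already receives, handed to the connect routine, and scrubbed from memory afterwards. The credential record, the loader, the `connect_fn` callback that stands in for `SQLConnectA` (so the example needs no ODBC headers) and the sample credential text are all assumptions of this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Credential record for this example (the struct and every name below are
   this example's own, not CodeSonar's or the ODBC API's). */
typedef struct {
    char user[64];
    char password[128];
} db_credentials;

/* Zero a buffer through a volatile pointer so the compiler cannot drop the
   write as dead; avoids leaving the secret in memory after the call. */
static void scrub(void *p, size_t n)
{
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--) {
        *vp++ = 0;
    }
}

/* Remove trailing CR/LF characters in place. */
static void chomp(char *s)
{
    size_t n = strlen(s);
    while (n > 0 && (s[n - 1] == '\n' || s[n - 1] == '\r')) {
        s[--n] = '\0';
    }
}

/* Read user (line 1) and password (line 2) from an open stream, e.g. the
   nmpasswd FILE* that setup_connection_hc receives but never uses.
   Returns 0 on success, -1 if either line is missing or empty. */
int load_credentials(FILE *fp, db_credentials *out)
{
    if (fp == NULL || out == NULL) {
        return -1;
    }
    memset(out, 0, sizeof *out);
    if (fgets(out->user, sizeof out->user, fp) == NULL ||
        fgets(out->password, sizeof out->password, fp) == NULL) {
        scrub(out, sizeof *out);
        return -1;
    }
    chomp(out->user);
    chomp(out->password);
    if (out->user[0] == '\0' || out->password[0] == '\0') {
        scrub(out, sizeof *out);
        return -1;
    }
    return 0;
}

/* Hardened counterpart of setup_connection_hc: connect_fn (a stand-in for
   SQLConnectA) receives run-time strings instead of literals, and the buffer
   is scrubbed whether or not the connection succeeded. */
int connect_using_file(FILE *fp, const char *server,
                       int (*connect_fn)(const char *, const char *, const char *))
{
    db_credentials creds;
    int rc;

    if (load_credentials(fp, &creds) != 0) {
        return -1;
    }
    rc = connect_fn(server, creds.user, creds.password);
    scrub(&creds, sizeof creds);
    return rc;
}

/* Stand-in connect routine: only records what it was handed. */
char last_server[64];
char last_user[64];
size_t last_password_len;

static int fake_connect(const char *server, const char *user, const char *password)
{
    snprintf(last_server, sizeof last_server, "%s", server);
    snprintf(last_user, sizeof last_user, "%s", user);
    last_password_len = strlen(password);
    return 0;
}

/* Build a credential file from constructed text (tmpfile keeps it portable
   and off any fixed path), run the hardened connect, return its result. */
int demo_connect_from_text(const char *text, const char *server)
{
    FILE *fp = tmpfile();
    int rc;

    if (fp == NULL) {
        return -1;
    }
    fputs(text, fp);
    rewind(fp);
    rc = connect_using_file(fp, server, fake_connect);
    fclose(fp);
    return rc;
}

int main(void)
{
    /* Constructed sample input reusing the page's example values. */
    int rc = demo_connect_from_text("alex\nhunter2\n", "db01");
    printf("rc=%d server=%s user=%s password length=%lu\n",
           rc, last_server, last_user, (unsigned long)last_password_len);
    return rc == 0 ? EXIT_SUCCESS : EXIT_FAILURE;
}
```

With this shape the literal never appears in the call's argument position, which is exactly what the HARDCODED_ARGS_* rule looks at; the file holding the credentials then becomes the asset to protect with file permissions rather than the binary. A malformed credential file (missing or empty line) makes `load_credentials` fail closed and the connect attempt is skipped.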

Notes

This class is defined using HARDCODED_ARGS_* rules in the general template configuration file, and covers many common procedures that take authentication parameters. For a full list, see the "Factory Settings" in the documentation for HARDCODED_ARGS_*.

Relevant Configuration File Parameters

This class is implemented using a HARDCODED_ARGS_* rule set in the general template configuration file.

The following configuration file parameters affect checks for this warning class.


To report problems with this documentation, please visit https://support.codesecure.com/.