 

Heap Inspection Security Vulnerability

I have run my Java app against the Checkmarx tool for security vulnerabilities and it is constantly giving an issue - Heap Inspection - for my password field, for which I use a character array. It doesn't give any more explanation than just pointing out the declaration of the password field.

private char[] passwordLength;

Could anyone help me out here? What more can I look at to resolve this?

Asked May 20 '15 05:05 by Gaurav Sachdeva


1 Answer

Example approach to store secret information in JVM memory

IMHO you should use a SealedObject to store credential data encrypted inside your JVM memory.

You need the following packages:

  • java.security.SecureRandom
  • javax.crypto.Cipher
  • javax.crypto.KeyGenerator
  • javax.crypto.SealedObject
  • javax.crypto.SecretKey

So you create

  • an initialized key generator which creates a secret key
  • a cipher which is initialized with the key and a SecureRandom
  • then a new sealed object using the cipher
  • all storage and (temporary) loading of your credentials is done to/from the sealed object, which replaces your char array.

A working example can be found at: https://github.com/Daimler/sechub/blob/3f176a8f4c00b7e8577c9e3bea847ecfc91974c3/sechub-commons-core/src/main/java/com/daimler/sechub/commons/core/security/CryptoAccess.java

Answered Oct 16 '22 11:10 by de-jcup
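The four steps of the answer above, carried through as a complete added example. This is not code from the original answer or from the sechub project it links to; the class name SealedCredential, the choice of AES/GCM as the sealing cipher, the `use` accessor and the sample password are all assumptions made here. It seals a char[] password, wipes the caller's array, and only ever unseals a short-lived copy that is zeroed again after use.

```java
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.function.Function;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SealedObject;
import javax.crypto.SecretKey;

/**
 * Holds a credential encrypted in JVM memory as a SealedObject instead of a
 * long-lived plain char[]. Added example following the steps in the answer
 * above; not code from the original page or from the sechub project.
 * Requires Java 8 or later (GCM AlgorithmParameters in SunJCE).
 */
public final class SealedCredential {

    // Assumption: AES-256 in GCM mode; SealedObject records the cipher name
    // and parameters (IV) itself, so unsealing only needs the key.
    private static final String KEY_ALGORITHM = "AES";
    private static final String CIPHER_TRANSFORMATION = "AES/GCM/NoPadding";
    private static final int KEY_BITS = 256;

    private final SecretKey key;        // lives only in this process
    private final SealedObject sealed;  // ciphertext + serialized parameters

    private SealedCredential(SecretKey key, SealedObject sealed) {
        this.key = key;
        this.sealed = sealed;
    }

    /**
     * Step 1-3 of the answer: key generator -> key, cipher initialized with
     * key and SecureRandom, SealedObject built from the cipher.
     * The caller's char[] is zeroed before returning so the plaintext does
     * not linger in the heap.
     */
    public static SealedCredential seal(char[] password)
            throws GeneralSecurityException, IOException {
        SecureRandom random = new SecureRandom();

        KeyGenerator generator = KeyGenerator.getInstance(KEY_ALGORITHM);
        generator.init(KEY_BITS, random);
        SecretKey key = generator.generateKey();

        Cipher cipher = Cipher.getInstance(CIPHER_TRANSFORMATION);
        cipher.init(Cipher.ENCRYPT_MODE, key, random);   // fresh random IV per seal

        // char[] is Serializable, so it can be sealed directly.
        SealedObject sealed = new SealedObject(password, cipher);

        Arrays.fill(password, '\0');                     // wipe the caller's copy
        return new SealedCredential(key, sealed);
    }

    /**
     * Step 4: temporary loading. Unseals a copy, hands it to the caller's
     * function, and zeroes that copy in a finally block whatever happens.
     */
    public <T> T use(Function<char[], T> consumer)
            throws GeneralSecurityException, IOException, ClassNotFoundException {
        char[] plain = (char[]) sealed.getObject(key);   // uses stored algorithm + IV
        try {
            return consumer.apply(plain);
        } finally {
            Arrays.fill(plain, '\0');
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample password, not a real credential. Built as a
        // char[] literal on purpose: "s3cr3t".toCharArray() would leave an
        // immutable String copy in the heap that cannot be wiped.
        char[] password = {'s', '3', 'c', 'r', '3', 't'};

        SealedCredential credential = SealedCredential.seal(password);

        // seal() has already zeroed the array we passed in.
        System.out.println("caller array wiped: "
                + Arrays.equals(password, new char[password.length]));

        // Typical use: derive something from the password without keeping it.
        int length = credential.use(p -> p.length);
        System.out.println("password length: " + length);

        char[] expected = {'s', '3', 'c', 'r', '3', 't'};
        boolean roundTrip = credential.use(p -> Arrays.equals(p, expected));
        Arrays.fill(expected, '\0');
        System.out.println("round trip ok: " + roundTrip);
    }
}
```

Two caveats a practitioner should keep in mind. First, the plaintext still exists briefly during `use`: the unsealed char[] is zeroed, but the ObjectInputStream buffers that SealedObject uses while deserializing are not under your control, so this narrows the exposure window rather than eliminating it. Second, the SecretKey itself is in the same heap; the point of the pattern is that a heap dump no longer contains the credential as a recognisable, long-lived char[] next to a field called password, which is what a heap-inspection rule in a static scanner is looking for.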