Unable To Detect Hardcoded Password #2009
Comments
|
Hey @Vivek2406 👋, From your code: Write-Host "Hello, World!"
$password_test2 = "dummyPassword"
# Prompt the user for input
$password = Read-Host "Enter your input:"
# Display the user's input
Write-Host "You entered: $password"It looks like you're expecting PSSA to flag that a variable, the name of which contains the word As far as I know, there is no rule which currently exists to detect this within PSSA. The closest rule is It relies on people using the enumerated list of words ("Password", "Passphrase", "Cred", "Credential") in their parameter names (so For instance the below 2 parameters are both flagged: function MyFunc {
param (
[string]
$NotAPasswordIPromise,
[string]
$CreditAmount
)
}If you felt strongly about it, you could open this issue up for discussion with the wider community to gather other opinions - and then, if it's likely to be of benefit, put a PR together to get the rule in. Personally, I think this would be susceptible to the same false-positive and false-negative issues as with the current |
Hi Team,
I tried to run below command to get hardcoded password detected by tool. However tool could not detect it. Please Refer output file and input script file attached in zip file. Could you please advise why tool could not detect the password stored in the variable named 'password_test2' and how can we solve this problem?
Command:
Invoke-ScriptAnalyzer -Path .\Sample_PowerShellScript_WithHardcodedDummyPassword.ps1 | Export-Csv -Path ".\ouput_for_sample_script.csv" -NoTypeInformation
Sample_PowerShellScript_WithHardcodedDummyPassword.zip
Sample_PowerShellScript_WithHardcodedDummyPassword.zip
Thank and Regards,
Vivek Maurya
The text was updated successfully, but these errors were encountered: