
fix(security): Remove hardcoded default IQ Server credentials#289

Open
abhu85 wants to merge 1 commit into sonatype-nexus-community:main from abhu85:fix/security-vulnerabilities-2026-02-18

Conversation


@abhu85 abhu85 commented Feb 19, 2026

Summary

This PR addresses security vulnerabilities related to hardcoded default credentials in nancy.

Security Fixes

Severity   Issue                               CWE       Fix
Critical   Hardcoded default username admin    CWE-798   Removed default, now required
Critical   Hardcoded default token admin123    CWE-798   Removed default, now required
High       Default HTTP server URL             -         Removed default, now required

Breaking Changes

IQ Server credentials are now required and must be provided via one of:

  • CLI flags: --iq-username, --iq-token, --iq-server-url
  • Environment variables: IQ_USERNAME, IQ_TOKEN, IQ_SERVER
  • Config file: ~/.iqserver/.iq-server-config

Files Changed

  • internal/cmd/iq.go - Removed hardcoded defaults, added validation

Testing

  • CI tests pass
  • Manual verification with explicit credentials
  • Verify error message when credentials missing

Fixes #288


Generated with Claude Code

@abhu85 abhu85 requested a review from bhamail as a code owner February 19, 2026 17:35
@paul-botsco-2-0 paul-botsco-2-0 bot added the 😧 commits missing verification Some commits are not signed - this must be resolved label Feb 19, 2026

Thanks for the contribution. Unfortunately some of your commits don't meet our standards. All commits must be signed and have author information set.

The commits to review are:

See Signed Commits.

@abhu85 abhu85 force-pushed the fix/security-vulnerabilities-2026-02-18 branch from a75714c to 7d6bdf1 February 19, 2026 17:53
@paul-botsco-2-0 paul-botsco-2-0 bot added the 🧐 cla not signed The CLA needs to be signed label Feb 19, 2026

Thanks for the contribution. Before we can merge this, we need @abhu85 to sign the Contributor License Agreement

@paul-botsco-2-0 paul-botsco-2-0 bot added 😍 cla signed The CLA is signed and removed 🧐 cla not signed The CLA needs to be signed labels Feb 19, 2026
@abhu85 abhu85 force-pushed the fix/security-vulnerabilities-2026-02-18 branch from 7d6bdf1 to f702aa1 February 23, 2026 09:38

madpah commented Feb 23, 2026

Thanks for the PR @abhu85 - but for Sonatype Community Projects we require all commits to be signed - please see https://contribute.sonatype.com.

@abhu85 abhu85 force-pushed the fix/security-vulnerabilities-2026-02-18 branch from f702aa1 to 18f7f0e February 23, 2026 09:47
BREAKING CHANGE: IQ Server credentials are now required

Security fixes:
- Remove hardcoded default username 'admin' (CWE-798)
- Remove hardcoded default token 'admin123' (CWE-798)
- Remove default server URL 'http://localhost:8070'
- Add credential validation before IQ Server communication
- Mark iq-server-url as required flag

Users must now provide credentials via:
- CLI flags: --iq-username, --iq-token, --iq-server-url
- Environment variables: IQ_USERNAME, IQ_TOKEN, IQ_SERVER
- Config file: ~/.iqserver/.iq-server-config

Fixes sonatype-nexus-community#288

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
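The credential validation the commit message describes, as an added example in Go that is not nancy's own code: it resolves the three sources with CLI flag > environment variable > config file precedence and refuses to proceed when any value is still missing, instead of falling back to a built-in default. The IQConfig type, the ResolveIQConfig function and the config-file key names are assumptions made for this example.

```go
package main

import (
	"errors"
	"strings"
)

// IQConfig is a hypothetical stand-in for nancy's IQ Server settings.
type IQConfig struct{ ServerURL, Username, Token string }

// firstNonEmpty implements the precedence CLI flag > env var > config file.
func firstNonEmpty(values ...string) string {
	for _, v := range values {
		if strings.TrimSpace(v) != "" {
			return v
		}
	}
	return ""
}

// ResolveIQConfig merges the three credential sources and fails if any value
// is still missing, instead of silently falling back to a built-in default
// such as admin/admin123. getenv and fileCfg are injected so the function can
// be exercised without the real environment; the config-file keys are assumed.
func ResolveIQConfig(flagURL, flagUser, flagToken string,
	getenv func(string) string, fileCfg map[string]string) (IQConfig, error) {
	cfg := IQConfig{
		ServerURL: firstNonEmpty(flagURL, getenv("IQ_SERVER"), fileCfg["Server"]),
		Username:  firstNonEmpty(flagUser, getenv("IQ_USERNAME"), fileCfg["Username"]),
		Token:     firstNonEmpty(flagToken, getenv("IQ_TOKEN"), fileCfg["Token"]),
	}
	var missing []string
	if cfg.ServerURL == "" {
		missing = append(missing, "--iq-server-url / IQ_SERVER")
	}
	if cfg.Username == "" {
		missing = append(missing, "--iq-username / IQ_USERNAME")
	}
	if cfg.Token == "" {
		missing = append(missing, "--iq-token / IQ_TOKEN")
	}
	if len(missing) > 0 {
		// Fail before any request is sent to the IQ Server, naming every gap.
		return IQConfig{}, errors.New("IQ Server credentials are required; missing: " + strings.Join(missing, ", "))
	}
	return cfg, nil
}
```

Calling ResolveIQConfig with empty flags, an empty environment and no config file returns an error listing all three missing values, which is the error path the PR's testing notes refer to.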
@abhu85 abhu85 force-pushed the fix/security-vulnerabilities-2026-02-18 branch from 18f7f0e to 7d9e066 February 23, 2026 09:48


abhu85 commented Feb 23, 2026

Hi, I've updated the commit with a verified signature. The commit is now signed with my SSH signing key registered on GitHub.

Could you please re-run the verification check? Thank you!


abhu85 commented Feb 23, 2026

@madpah Thanks for the heads up! I've now signed the commit with my SSH signing key that's registered on my GitHub account. The commit should show as "Verified" now. Please let me know if there's anything else needed.


Development

Successfully merging this pull request may close these issues.

[SECURITY] Multiple Vulnerabilities Including Hardcoded Default Credentials
