Java Heap Inspection Security Vulnerability

Disclaimer: this page is a Chinese-English parallel translation of a popular StackOverflow question, licensed under CC BY-SA 4.0. If you use it, you must also follow the CC BY-SA license, cite the original URL and author information, and attribute it to the original author (not me): StackOverflow. Original URL: http://stackoverflow.com/questions/30341327/
Warning: these are provided under the CC BY-SA 4.0 license. You are free to use/share it, but you must attribute it to the original authors (not me): StackOverflow

Date: 2020-11-02 16:57:40  Source: igfitidea

Heap Inspection Security Vulnerability

Tags: java, security, heap, static-code-analysis, checkmarx

Asked by Gaurav Sachdeva

I have run my Java app against the Checkmarx tool for security vulnerabilities and it is constantly giving an issue - Heap Inspection - for my password field, for which I use a character array. It doesn't give any more explanation than just pointing out the declaration of the password field.


private char[] passwordLength;

Could anyone help me out here? What more can I look for to resolve this?


Accepted answer by Checkmarx Support

Heap Inspection is about sensitive information stored in the machine memory unencrypted, so that if an attacker performs a memory dump (for example, the Heartbleed bug), that information is compromised. Thus, simply holding that information makes it vulnerable.


One can mitigate this by storing such sensitive information in a secured manner, such as a GuardedString object instead of a String or a char array, or encrypting it and scrubbing the original shortly after.


For more information, see this CWE (it describes C/C++, but it has the same relevancy for Java).


Answered by David Balažic

See this answer on security.stackexchange.com for the question "Is it more secure to overwrite the value char[] in a String".


TLDR: You can't do much about it.


PS: As that is a sister StackExchange site, I am not copying the answer here (also, it is too long). If a moderator disagrees, feel free to copy/paste it.


Answered by hexadez

Example approach to store secret information in JVM memory


IMHO you should use a SealedObject to store credential data encrypted inside your JVM memory.


You need the following packages:


  • java.security.SecureRandom
  • javax.crypto.Cipher
  • javax.crypto.KeyGenerator
  • javax.crypto.SealedObject
  • javax.crypto.SecretKey

So you create:


  • an initialized key generator which creates a secret key
  • a cipher which is initialized with the key and a secure random
  • then you create a new sealed object using the cipher
  • all storage and (temporary) loading of your credentials is done to/from the sealed object, which replaces your char array.

A working example can be found at: https://github.com/Daimler/sechub/blob/develop/sechub-adapter/src/main/java/com/daimler/sechub/adapter/CryptoAccess.java

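The encrypt-and-scrub approach from the accepted answer and the SealedObject steps listed in this answer, combined into one added example (my code, not the original post's and not the linked sechub CryptoAccess class); the SealedSecret class, its use() helper and the "hunter2" sample input are my own assumptions.

```java
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.function.Function;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SealedObject;
import javax.crypto.SecretKey;

/** Keeps a credential AES-encrypted on the heap; plaintext exists only briefly, on demand. */
public final class SealedSecret {
    private final SecretKey key;        // per-instance key (also on the heap: a dump needs both parts)
    private final SealedObject sealed;  // ciphertext plus the GCM parameters SealedObject records

    /** Seals a copy of {@code secret} and scrubs the caller's array, as the accepted answer advises. */
    public SealedSecret(char[] secret) throws Exception {
        KeyGenerator keyGen = KeyGenerator.getInstance("AES");
        keyGen.init(256, new SecureRandom());
        key = keyGen.generateKey();
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, key, new SecureRandom()); // random IV chosen by the provider
        sealed = new SealedObject(secret, cipher);                // char[] is Serializable
        Arrays.fill(secret, '\0');                                // plaintext no longer needed
    }

    /** Runs {@code action} on a freshly decrypted copy and scrubs that copy immediately afterwards. */
    public <R> R use(Function<char[], R> action) throws Exception {
        char[] plain = (char[]) sealed.getObject(key); // SealedObject rebuilds the cipher for decryption
        try {
            return action.apply(plain);
        } finally {
            Arrays.fill(plain, '\0');
        }
    }

    /** Never leak the secret through logging or string concatenation. */
    @Override
    public String toString() {
        return "SealedSecret[***]";
    }

    public static void main(String[] args) throws Exception {
        char[] entered = "hunter2".toCharArray();       // constructed sample input
        SealedSecret secret = new SealedSecret(entered);
        System.out.println(Arrays.toString(entered));   // scrubbed: only NUL characters remain
        // Real code would hand the array to a hashing/authentication API; this only shows the round trip.
        boolean matches = secret.use(p -> Arrays.equals(p, new char[] {'h','u','n','t','e','r','2'}));
        System.out.println(matches + " " + secret);     // true SealedSecret[***]
    }
}
```

The secret key itself still lives on the heap, so this raises the bar for a memory dump rather than removing the exposure, which is the point the sister-site answer makes.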

Answered by Devendra Singraul

Checkmarx Heap Inspection Security Vulnerability. Hi all, I faced this one when I had taken a String type variable for the password in my Spring application, like below:


    class User {
        private String username;
        private String password;
        //setter
        //getter
    }

Then to resolve this issue I have done the following steps: 1. Create a SecureString class like below:


    import java.security.SecureRandom;
    import java.util.Arrays;

    /**
     * This is not a string but a CharSequence that can be cleared of its memory.
     * Important for handling passwords. Represents text that should be kept
     * confidential, such as by deleting it from computer memory when no longer
     * needed or garbage collected.
     *
     * Created by Devendra on 16/04/2020
     */
    public class SecureString implements CharSequence {

        private final int[] chars;  // characters XOR-ed with the random pad
        private final int[] pad;    // random pad, one int per character

        public SecureString(final CharSequence original) {
            this(0, original.length(), original);
        }

        public SecureString(final int start, final int end, final CharSequence original) {
            final int length = end - start;
            pad = new int[length];
            chars = new int[length];
            scramble(start, length, original);
        }

        @Override
        public char charAt(final int i) {
            return (char) (pad[i] ^ chars[i]);
        }

        @Override
        public int length() {
            return chars.length;
        }

        @Override
        public CharSequence subSequence(final int start, final int end) {
            return new SecureString(start, end, this);
        }

        /**
         * Convert array back to String but not using toString(). See toString() docs
         * below. The returned String is an immutable plaintext copy that cannot be
         * cleared, so keep its lifetime as short as possible.
         */
        public String asString() {
            final char[] value = new char[chars.length];
            for (int i = 0; i < value.length; i++) {
                value[i] = charAt(i);
            }
            return new String(value);
        }

        /**
         * Manually clear the underlying arrays holding the characters and the pad
         */
        public void clear() {
            Arrays.fill(chars, 0);
            Arrays.fill(pad, 0);
        }

        /**
         * Protect against using this class in log statements.
         * <p>
         * {@inheritDoc}
         */
        @Override
        public String toString() {
            return "Secure:XXXXX";
        }

        /**
         * Called by garbage collector (best effort only: finalize() is deprecated
         * and not guaranteed to run, so call clear() explicitly when done).
         * <p>
         * {@inheritDoc}
         */
        @Override
        public void finalize() throws Throwable {
            clear();
            super.finalize();
        }

        /**
         * Randomly pad the characters to not store the real character in memory.
         *
         * @param start start of the {@code CharSequence}
         * @param length length of the {@code CharSequence}
         * @param characters the {@code CharSequence} to scramble
         */
        private void scramble(final int start, final int length, final CharSequence characters) {
            final SecureRandom random = new SecureRandom();
            // Index pad/chars from 0 and the source from start, so that subSequence()
            // with a non-zero start neither skips characters nor runs past the arrays.
            for (int i = 0; i < length; i++) {
                final char charAt = characters.charAt(start + i);
                pad[i] = random.nextInt();
                chars[i] = pad[i] ^ charAt;
            }
        }
    }
2. Created a custom property editor as:

    import java.beans.PropertyEditorSupport;
    import org.springframework.util.StringUtils;

    public class SecureStringEditor extends PropertyEditorSupport {

        @Override
        public String getAsText() {
            SecureString value = (SecureString) getValue();
            // Check for null before using the value: new SecureString(null) would throw.
            return (value != null) ? value.asString() : "";
        }

        @Override
        public void setAsText(String text) throws IllegalArgumentException {
            if (StringUtils.isEmpty(text)) {
                setValue(null);
            } else {
                setValue(new SecureString(text));
            }
        }
    }

3. Register this custom property editor in the spring-bean.xml file as:
