From 5baa95cc533e4b0c0c42880634e8f660b2116ac0 Mon Sep 17 00:00:00 2001 From: ford220102 <138443348+ford220102@users.noreply.github.com> Date: Wed, 15 Jul 2026 00:53:20 +0200 Subject: [PATCH] fix: Replace hardcoded AWS credentials with AnonymousCredentialsProvider in benchmark Security fix for java:S6263 - Long-term AWS access keys should not be used. Replaced hardcoded dummy credentials ("test"/"test") with AnonymousCredentialsProvider in V1CborRoundtripBenchmark. The benchmark uses a local mock server and does not require real AWS credentials. Using AnonymousCredentialsProvider makes this intent explicit and avoids the security hotspot. This change: - Eliminates the security warning for hardcoded credentials - Makes the code's intent clearer (no real AWS access needed) - Is safe for benchmark code that never contacts real AWS services --- .../benchmark/apicall/protocol/V1CborRoundtripBenchmark.java | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/test/sdk-benchmarks/src/main/java/software/amazon/awssdk/benchmark/apicall/protocol/V1CborRoundtripBenchmark.java b/test/sdk-benchmarks/src/main/java/software/amazon/awssdk/benchmark/apicall/protocol/V1CborRoundtripBenchmark.java index eb7dfccee20c..6581888d9d2f 100644 --- a/test/sdk-benchmarks/src/main/java/software/amazon/awssdk/benchmark/apicall/protocol/V1CborRoundtripBenchmark.java +++ b/test/sdk-benchmarks/src/main/java/software/amazon/awssdk/benchmark/apicall/protocol/V1CborRoundtripBenchmark.java @@ -41,6 +41,7 @@ import org.openjdk.jmh.annotations.TearDown; import org.openjdk.jmh.annotations.Warmup; import org.openjdk.jmh.infra.Blackhole; +import software.amazon.awssdk.auth.credentials.AnonymousCredentialsProvider; /** * V1 roundtrip benchmark for SmithyRpcV2 CBOR protocol using CloudWatch GetMetricData via HTTP servlet. @@ -65,10 +66,11 @@ public void setup() throws Exception { server = new ProtocolRoundtripServer(servlet); server.start(); + // Use AnonymousCredentialsProvider for local benchmark - no real AWS credentials needed client = AmazonCloudWatchClientBuilder.standard() .withEndpointConfiguration(new AwsClientBuilder.EndpointConfiguration( server.getHttpUri().toString(), "us-east-1")) - .withCredentials(new AWSStaticCredentialsProvider(new BasicAWSCredentials("test", "test"))) + .withCredentials(new AnonymousCredentialsProvider()) .build(); }