We are getting security tooling reports because
JavaMailSender.setPassword(String s)
exists, and thus the password cannot be guaranteed to be cleared from memory. If the API was changed/added to take
JavaMailSender.setPassword(char[] c)
Then the array could be cleared with Arrays.fill(c, 0);
when done.
Comment From: bclozel
Thanks for reaching out.
We would need to later convert it... back to a String in order to call https://jakarta.ee/specifications/mail/1.6/apidocs/javax/mail/service#connect-java.lang.String-int-java.lang.String-java.lang.String-.
So I guess we can't really consider that until the spec is changed.
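The trade-off both comments describe, as an added example (not Spring Framework or Jakarta Mail code): a char[] password can be zeroed with Arrays.fill after use, but the String that would have to be created for Service.connect(String, int, String, String) is immutable and keeps the secret until it is garbage-collected. The class, the connectWith method and the sample password are assumptions for the demo, not the project's API.

```java
import java.util.Arrays;

// Added example, not Spring Framework or Jakarta Mail code.
// Shows why a char[] setter alone does not solve the problem raised in the issue:
// the downstream javax.mail API takes a String, and that copy cannot be cleared.
public class PasswordBufferDemo {

    // Hypothetical stand-in for a sender that accepts a char[] but, like the real
    // implementation would have to, converts it to a String for Service.connect(...).
    // The returned String represents the copy handed to the mail API.
    static String connectWith(char[] password) {
        // new String(char[]) copies the characters; the array and the String are
        // independent from here on, so clearing one does not clear the other.
        return new String(password);
    }

    // Caller-side check: has the buffer actually been zeroed?
    static boolean isZeroed(char[] buf) {
        for (char c : buf) {
            if (c != '\0') {
                return false;
            }
        }
        return true;
    }

    public static void main(String[] args) {
        // Constructed sample secret for the demo (assumption, not a real credential).
        char[] password = "s3cr3t".toCharArray();

        String handedToMailApi = connectWith(password);

        // The pattern proposed in the issue: wipe the caller's array once it is no longer needed.
        Arrays.fill(password, '\0');

        // The array is now all zeros...
        System.out.println("char[] zeroed: " + isZeroed(password));
        // ...but the String copy created for the downstream API is untouched by the fill,
        // so the secret still lives in memory for as long as that String is reachable.
        System.out.println("String copy still present: " + !handedToMailApi.isEmpty());
    }
}
```

Run it with `javac PasswordBufferDemo.java && java PasswordBufferDemo`. The only way the char[] approach delivers its promise end to end is if every API the password passes through also accepts a char[], which is why the reply above ties the change to the mail spec.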