A false negative issue about the security rule RSPEC-2647

Language: Java

Which rule: [RSPEC-2647]

SonarQube Server / Community Build version: sonarqube-25.6.0.109173

In the following code example 1, SonarQube should report an RSPEC-2647 warning at line 12. However, in code example 2, SonarQube reports an RSPEC-2647 warning at line 11. These two examples are equivalent, so this is a false negative.

Minimized Code Example 1

import java.net.HttpURLConnection;
import java.net.URL;
import java.util.Base64;
class BasicAuth {
  public void foo(String apiUrl) throws Exception {
    String encoded = Base64.getEncoder().encodeToString("login:passwd".getBytes());
    URL url = new URL(apiUrl);
    HttpURLConnection conn = (HttpURLConnection) url.openConnection();
    conn.setRequestMethod("POST");
    conn.setDoOutput(true);
    final String auth = "Basic " + encoded;
    conn.setRequestProperty("Authorization", auth); // should report a warning, but no warning is reported
  }
}

Equivalent Code Example 2

import java.net.HttpURLConnection;
import java.net.URL;
import java.util.Base64;
class BasicAuth {
  public void foo(String apiUrl) throws Exception {
    String encoded = Base64.getEncoder().encodeToString("login:passwd".getBytes());
    URL url = new URL(apiUrl);
    HttpURLConnection conn = (HttpURLConnection) url.openConnection();
    conn.setRequestMethod("POST");
    conn.setDoOutput(true);
    conn.setRequestProperty("Authorization", "Basic " + encoded);  // reports a warning
  }
}
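
The difference between the two examples, as an added illustration that is not part of the original post and is not SonarQube's implementation: a simplified line-based check that resolves a local `String` variable one step back to its initializer before testing for the `"Basic "` prefix, so both forms are flagged. The function and constant names are hypothetical, and the sample inputs are shortened from the two examples above.

```python
import re

# Captures the value argument of setRequestProperty("Authorization", <arg>);
CALL_RE = re.compile(r'\.setRequestProperty\(\s*"Authorization"\s*,\s*(.+?)\)\s*;')
# Captures local declarations such as: final String auth = <initializer>;
DECL_RE = re.compile(r'\b(?:final\s+)?String\s+(\w+)\s*=\s*(.+?);')
# An expression that begins with the string literal "Basic ..."
BASIC_RE = re.compile(r'^"Basic\s')

def find_basic_auth(source):
    """Return 1-based line numbers where Authorization is set to a Basic value."""
    decls = {}  # variable name -> initializer text (last declaration seen)
    hits = []
    for lineno, line in enumerate(source.splitlines(), 1):
        code = line.split("//", 1)[0]  # naive comment strip; "//" inside a literal breaks it
        decl = DECL_RE.search(code)
        if decl:
            decls[decl.group(1)] = decl.group(2).strip()
        call = CALL_RE.search(code)
        if call:
            arg = call.group(1).strip()
            # One-step resolution: a bare identifier is replaced by its initializer.
            if re.fullmatch(r"\w+", arg):
                arg = decls.get(arg, arg)
            if BASIC_RE.match(arg):
                hits.append(lineno)
    return hits

# Constructed inputs, shortened from the two examples on this page.
EXAMPLE_1 = '''\
String encoded = Base64.getEncoder().encodeToString("login:passwd".getBytes());
final String auth = "Basic " + encoded;
conn.setRequestProperty("Authorization", auth);
'''
EXAMPLE_2 = '''\
String encoded = Base64.getEncoder().encodeToString("login:passwd".getBytes());
conn.setRequestProperty("Authorization", "Basic " + encoded);
'''
# Constructed negative case: a non-Basic scheme must not be flagged.
BEARER = '''\
String auth = "Bearer " + token;
conn.setRequestProperty("Authorization", auth);
'''

if __name__ == "__main__":
    for name, src in [("example 1", EXAMPLE_1), ("example 2", EXAMPLE_2), ("bearer", BEARER)]:
        print(name, find_basic_auth(src))
```

Without the one-step resolution, only the inline concatenation of example 2 would match, which is the behaviour the report describes.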

Hey @Belle

Thanks for the report.

With SONARJAVA-4915, this rule has been deprecated, so I don’t think we’ll be coming back to it.
