c:S2068 dont detect hard coded password in macro definition

haziq · March 15, 2023, 2:15am

SonarQube Developer Edition 9.9.0.65466

#define DB_PASSWORD 	"secret"

This hard coded password is not detected. Please confirm whether this pattern should be detected or not since the rule does not explicitly state anything regarding macro definition.

haziq · March 16, 2023, 5:52am

I found this old open issue on adding evaluation for this pattern:
https://sonarsource.atlassian.net/browse/CPP-2852

Does this means password hardcoded in macro definition won’t be flagged by SonarQube?

ganncamp · March 16, 2023, 1:08pm

Hi,

Welcome to the community!

That ticket is still open, so the rule hasn’t been updated yet for your case.

HTH,
Ann

balazs.benics · March 16, 2023, 3:58pm

I mentioned this in the CPP-2852 ticket so that we don’t forget about this post. Thanks for raising this.

haziq · March 16, 2023, 9:19pm

Great, thanks!

system · March 23, 2023, 9:19pm

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
False positive for cpp:S1116 Report False-positive / False-negative... sonarqube , cfamily	5	1428	March 1, 2022
Hardcoded credentials in constants are not caught with SonarQube SonarQube Server / Community Build java , rules	1	31	October 29, 2024
Hardcoded Passwords Not Detected in .NET Project Scan SonarQube Cloud findbugs , clean-code , sonarqube-cloud	2	112	July 11, 2024
False positives by rule "Credentials should not be hard-coded" SonarQube Server / Community Build java	3	1394	January 4, 2019
Hardcoded secrets in YAML not detected SonarQube Server / Community Build sonarqube , scanner , secrets , yaml	2	24	April 17, 2025

c:S2068 dont detect hard coded password in macro definition

Related topics