Conflicting requirements between csharpsquid:S2068 and secrets:S6703

We had a connection string in our C# API

"ReadOnlyConnectionString": "Data Source=devservers.com; Initial Catalog=DB; persist security info=True;User Id=admin;password=Database_Password_Here;MultipleActiveResultSets=True;App=EntityFramework;"

This was considered a violation of secrets:S6703

We updated the connectionstring to

"ReadOnlyConnectionString": "Data Source=devservers.com; Initial Catalog=DB; persist security info=True;User Id=admin;password={{DB_PW}};MultipleActiveResultSets=True;App=EntityFramework;"

Now secrets:S6703 passes but instead csharpsquid:S2068 fires.

We updated again to:

"ReadOnlyConnectionString": "Data Source=devservers.com; Initial Catalog=DB; persist security info=True;User Id=admin;MultipleActiveResultSets=True;App=EntityFramework;"

And neither fires, but we need the password={{DB_PW}} in the connection string so we can replace it in our CI/CD pipeline.

How do we avoid csharpsquid:S2068 firing on every config file?

Hello David and welcome to the community!

As you can see in https://sonarcloud.io/organizations/<your_org>/rules?open=csharpsquid%3AS2068, the {{placeholder}} pattern is not explicitly listed as a known compliant pattern. I understand that the mechanism you’re using to substitute the placeholder at the CI/CD time is not C#-native, right? How are you substituting the string?

I get the feeling that our rule is not seeing any C# runtime substitution pattern so it just assumes that the password is literally {{DB_PW}}. Which makes sense, because the code itself doesn’t contain any hint that this is indeed substituted.

That's an Ansible variable pattern. But whatever pattern is acceptable to both csharpsquid:S2068 and secrets:S6703 would be fine. There's any number of ways to resolve it in the pipeline; I just can't figure out how to get past both rules at the same time without removing the word password from the connection string.

SonarQube Cloud <your_org>/rules?open=csharpsquid%3AS2068
Doesn't list any "known compliant" JSON entries; they are all C# and this is appsettings.json.

Password={{password}}    causes csharpsquid:S2068
Password=__password__    causes csharpsquid:S2068
Password=${DB_PASSWORD}  causes csharpsquid:S2068
Password=admin           causes csharpsquid:S2068 (i.e. matching UserId per docs)

And I just realized I'm in the wrong forum … sorry, looks like I should be in Sonar Server. Can you move this or should I reopen it there?

Hello @DavidStrickland0, I have moved the topic to the Rules and Languages category, which is probably the most adequate one.

Okay, so it seems like csharpsquid:S2068 runs on appsettings.json but it doesn’t detect Ansible variables. Indeed the “secrets” rule is aware of Ansible patterns and stops firing, but the C# rule isn’t looking for such patterns. I think your best option here is to mark this finding as “false positive”, or perhaps to change the code to somehow split the secret out of appsettings.json and inject it at runtime, which aligns with the compliant examples we give (<sonarqube_url>/coding_rules?open=csharpsquid%3AS2068&rule_key=csharpsquid%3AS2068).
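The "split the secret out of appsettings.json and inject it at runtime" option from the reply above, as an added example that is not part of this thread or of Sonar's documentation. It assumes the Microsoft.Data.SqlClient and Microsoft.Extensions.Configuration packages; the DB_PW variable name and the ConnectionStrings:ReadOnly key are constructed for this example.

```csharp
using System;
using System.Collections.Generic;
using Microsoft.Data.SqlClient;
using Microsoft.Extensions.Configuration;

public static class ReadOnlyConnection
{
    // Reads the password-free connection string from configuration and adds the
    // password from an environment variable at runtime, so neither a literal nor a
    // {{placeholder}} password ever appears in a checked-in file.
    // "DB_PW" and "ConnectionStrings:ReadOnly" are assumed names for this example.
    public static string Build(IConfiguration config)
    {
        var raw = config.GetConnectionString("ReadOnly")
            ?? throw new InvalidOperationException("ConnectionStrings:ReadOnly is not configured");

        // The builder parses and re-emits the string, so the password is quoted
        // correctly even if it contains ';' or '=' characters.
        var builder = new SqlConnectionStringBuilder(raw);
        if (!string.IsNullOrEmpty(builder.Password))
            throw new InvalidOperationException("Password must not be stored in configuration");

        var password = Environment.GetEnvironmentVariable("DB_PW");
        if (string.IsNullOrEmpty(password))
            throw new InvalidOperationException("DB_PW environment variable is not set");

        builder.Password = password;
        return builder.ConnectionString;
    }

    public static void Main()
    {
        // Constructed stand-in for appsettings.json; a real app would call
        // AddJsonFile("appsettings.json") instead of AddInMemoryCollection.
        var config = new ConfigurationBuilder()
            .AddInMemoryCollection(new Dictionary<string, string?>
            {
                ["ConnectionStrings:ReadOnly"] =
                    "Data Source=devservers.com;Initial Catalog=DB;User Id=admin;" +
                    "MultipleActiveResultSets=True;App=EntityFramework;"
            })
            .Build();

        // Print only non-secret parts; never log the assembled string itself.
        var assembled = new SqlConnectionStringBuilder(Build(config));
        Console.WriteLine($"Assembled connection string for {assembled.UserID}@{assembled.DataSource}");
    }
}
```

The sample also leaves out persist security info=True, which otherwise keeps the password readable from an opened SqlConnection's ConnectionString property.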