Credentials should not be hard-coded - Prepared statement

Version: SonarQube 7.9.1
Rule: Credentials should not be hard-coded
Message: 'password' detected in this expression, review this potentially hard-coded credential.
Source:

// The '?' placeholders are bind parameters: the password value never appears in the SQL text.
try (PreparedStatement pst = conn.prepareStatement("UPDATE admins2 SET ad_password=? WHERE ad_id=?")) {
    pst.setString(1, SimpleCrypto.hashPassword(pwd)); // bound at execution time, stored hashed
    pst.setInt(2, id);
    pst.executeUpdate();
}

I think this is the correct mode to update passwords, using PreparedStatement.

Other false positive example using JPA:

// ':password' is a named bind parameter, not a literal credential.
TypedQuery<PartnerEntity> q = em.createQuery("SELECT p FROM PartnerEntity p WHERE p.loginName=:loginName AND p.password=:password", PartnerEntity.class);

q.setParameter("loginName", loginName);
q.setParameter("password", hashedPassword);
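For contrast, here is an added Java example (not code from the thread or from SonarSource) that puts the shape the rule is meant to report, a credential literal in the source, next to the parameterized update from the post above. The class name, the environment variable names, and the placeholder literal are assumptions; the hash is computed by the caller rather than by a SimpleCrypto helper.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.SQLException;

public class PasswordUpdate {

    // True positive for "Credentials should not be hard-coded": the secret is a
    // string literal compiled into the class. Constructed placeholder, shown only
    // to illustrate what the rule targets.
    // static final String DB_PASSWORD = "<literal-secret>";

    // Not a hard-coded credential: "ad_password" names a column, and the value
    // arrives through a '?' bind parameter at execution time. This is the
    // pattern from the thread that the updated rule no longer reports.
    static int updatePassword(Connection conn, int id, String passwordHash) throws SQLException {
        String sql = "UPDATE admins2 SET ad_password=? WHERE ad_id=?";
        try (PreparedStatement pst = conn.prepareStatement(sql)) {
            pst.setString(1, passwordHash); // caller supplies an already hashed value
            pst.setInt(2, id);
            return pst.executeUpdate();     // number of rows changed
        }
    }

    // The connection credential itself is read from the environment (assumed
    // variable names), so no secret is present in the source or the binary.
    static Connection open() throws SQLException {
        String url = System.getenv("DB_URL");
        String user = System.getenv("DB_USER");
        String pass = System.getenv("DB_PASSWORD");
        return DriverManager.getConnection(url, user, pass);
    }
}
```

The distinction the analyzer has to make is between a literal assigned to something named like a credential and an identifier that merely contains the word "password" while the value is bound at runtime; only the first kind is a finding.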

Hello @Tamas_Barta, thanks for the feedback.

I agree that these two samples should not raise an issue, and in fact, we recently worked on improving this rule and such cases are no longer reported!

Upgrading SonarJava to 6.1 (most recent version) should remove these FPs.

Best,
Quentin

Thank you, it's solved.