Version: SonarQube 7.9.1
Rule: Credentials should not be hard-coded
Message: 'password' detected in this expression, review this potentially hard-coded credential.
Source:
try (PreparedStatement pst = conn.prepareStatement("UPDATE admins2 SET ad_password=? WHERE ad_id=?")) {
    pst.setString(1, SimpleCrypto.hashPassword(pwd));
    pst.setInt(2, id);
    pst.executeUpdate();
}
I think this is the correct mode to update passwords, using PreparedStatement.
TypedQuery<PartnerEntity> q = em.createQuery("SELECT p FROM PartnerEntity p WHERE p.loginName=:loginName AND p.password=:password", PartnerEntity.class);
q.setParameter("loginName", loginName);
q.setParameter("password", hashedPassword);
I agree that these two samples should not raise an issue, and in fact, we recently worked on improving this rule and such cases are no longer reported!
Upgrading SonarJava to 6.1 (most recent version) should remove these FPs.
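As an added illustration (not code from either poster or from SonarSource), the following puts the pattern the rule is designed to catch, a credential literal in source, next to the parameterised update from the question, where the column name "ad_password" appears only in the SQL text and the value bound at runtime is a hash supplied by the caller. The `PasswordHasher` interface is a hypothetical stand-in for the poster's `SimpleCrypto.hashPassword`; the table and column names are those from the post, and the placeholder password value is constructed.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;
import java.util.Arrays;

// Added example, not from the forum thread: contrasts a real hard-coded
// credential with a parameterised password update that only binds a hash.
public final class PasswordUpdate {

    // This is what "Credentials should not be hard-coded" is meant to flag:
    // a secret literal compiled into the binary. The value is a constructed
    // placeholder used only to show the anti-pattern.
    private static final String HARD_CODED_DB_PASSWORD = "changeme"; // Noncompliant

    // Hypothetical stand-in for SimpleCrypto.hashPassword from the post.
    public interface PasswordHasher {
        String hash(char[] clearText);
    }

    // Compliant: the word "password" is a column name in the SQL text, and the
    // bound value is a runtime-computed hash, never a literal in the source.
    public static int updatePassword(Connection conn, PasswordHasher hasher,
                                     int id, char[] newPassword) throws SQLException {
        String sql = "UPDATE admins2 SET ad_password=? WHERE ad_id=?";
        try (PreparedStatement pst = conn.prepareStatement(sql)) {
            pst.setString(1, hasher.hash(newPassword)); // bound parameter, not string concatenation
            pst.setInt(2, id);
            return pst.executeUpdate();
        } finally {
            // Overwrite the clear-text password so it does not linger in memory.
            Arrays.fill(newPassword, '\0');
        }
    }

    private PasswordUpdate() {
    }
}
```

The distinction the checker has to make is between the identifier `password` appearing in query text or as a parameter name (harmless) and a string literal being assigned to a credential-named variable or constant (the real finding); the first constant above is the only line here that should raise the rule.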