"Database passwords should not be disclosed" not always detecting

Hello

We ran into a problem where we have a .json file containing information such as

"DatabaseConfiguration": {
    /* --- MSSQL --- */ /*
    "ConnectionString": "Server=::<number>,<number>;Initial Catalog=<String>;User Id=<String>;Password=<Clear text String>;Integrated Security=false;Application Name=<String>;",
...
}

And it throws "Make sure this database password gets changed and removed from the code, Database passwords should not be disclosed" (secrets:S6703).

The issue is that we have multiple JSON files containing similar information, but they don't get flagged with a security issue?

Our source code is in Bitbucket and we are using TeamCity pipelines to run the sonarscanner.
We have 2 sonarscanners and it's the same issue with both of them. We have dotnet-sonarscanner and sonarsource/sonar-scanner-cli.

Hi,

Welcome to the community and thank you very much for your feedback.

In order to eliminate false positives, we do not trigger S6703 in some cases. Those exact cases depend on the version of SonarQube you are using. For example, we eliminate cases such as:

"DatabaseConfiguration": {
  "ConnectionString": "Server=::<number>,<number>;Initial Catalog=<String>;User Id=<String>;Password={PASSWORD_HERE};Integrated Security=false;Application Name=<String>;",
}

and:

"DatabaseConfiguration": {
  "ConnectionString": "Server=::<number>,<number>;Initial Catalog=<String>;User Id=<String>;Password=PLACEHOLDER;Integrated Security=false;Application Name=<String>;",
}

We assume that those are not passwords in clear but are placeholders or are replaced at runtime. Maybe some of your JSON files are in those cases?

Best regards
Sebastien


Hey Sebastian

Thank you for your quick reply.

In this case your assumption is correct, but what if they were not placeholders? Is there a way to show the false positives so we can manually mark them?

We are using SonarCloud and not SonarQube.

I assume it's the same for csharpsquid:S2068 - "password" detected here, make sure this is not a hard-coded credential?

Best regards
Elias

Hi Elias,

For S6703, there are different cases:

  • If the file is a test file or inside a test folder, the rule will not be triggered.
  • If the file contains placeholders or replacements, those will not be triggered.
  • In all other cases, the passwords or secrets will trigger the rule.

This behavior is not customizable. Secrets detection is in constant evolution as we add more kinds of secrets to our detections. We also do our best to minimize the level of false positives.

S2068 is handled differently. S6703 triggers in various places including files that are not code (such as JSON files). S2068 is specific and customized for each language like C#. So S2068 does not have the same behavior as S6703, as the goal of each rule is different.

Best regards
Sebastien
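To triage the JSON files that were not flagged, it helps to reproduce the three cases Sebastien lists (test file, placeholder, everything else) locally. The script below is an added example, not SonarSource's implementation and not the original poster's code: it parses JSON config files (stripping `/* */` comments like the one in the first post), pulls `Password=`/`Pwd=` tokens out of connection strings, and reports only values that are neither under a test path nor matching an assumed placeholder list. The placeholder patterns, the test-path heuristic and the sample files are all constructed for the example; Sonar's actual heuristics differ and change between versions, so a file this script skips is still not proven safe.

```python
"""Approximation of the S6703-style filtering described in this thread.

Added example, not SonarSource code. The placeholder list and the
test-path rule are assumptions made for illustration.
"""
import json
import re
from pathlib import PurePosixPath

# "Password=<value>" or "Pwd=<value>" up to the next ';' (or closing quote).
PASSWORD_TOKEN = re.compile(r"(?:Password|Pwd)\s*=\s*([^;\"]+)", re.IGNORECASE)

# appsettings.json files commonly carry /* ... */ comments; strip them before parsing.
BLOCK_COMMENT = re.compile(r"/\*.*?\*/", re.S)

# Values that look like placeholders or runtime substitutions (assumed list, not Sonar's).
PLACEHOLDER_PATTERNS = [
    re.compile(r"^\{.*\}$"),                      # {PASSWORD_HERE}
    re.compile(r"^\$\{.*\}$"),                    # ${DB_PASSWORD}
    re.compile(r"^#\{.*\}$"),                     # #{DbPassword}  (Octopus/TeamCity style)
    re.compile(r"^%.*%$"),                        # %DB_PASSWORD%
    re.compile(r"^<.*>$"),                        # <Clear text String>
    re.compile(r"^(PLACEHOLDER|CHANGE_?ME|TODO|x{3,}|\*{3,})$", re.IGNORECASE),
]


def is_test_path(path: str) -> bool:
    """Heuristic: a 'test'/'tests' directory, or 'test' in the file name."""
    parts = [p.lower() for p in PurePosixPath(path).parts]
    name = parts[-1] if parts else ""
    return any(p in ("test", "tests", "__tests__") for p in parts[:-1]) or "test" in name


def is_placeholder(value: str) -> bool:
    return any(p.match(value.strip()) for p in PLACEHOLDER_PATTERNS)


def iter_strings(node):
    """Yield every string leaf of a parsed JSON document, at any depth."""
    if isinstance(node, dict):
        for v in node.values():
            yield from iter_strings(v)
    elif isinstance(node, list):
        for v in node:
            yield from iter_strings(v)
    elif isinstance(node, str):
        yield node


def find_disclosed_passwords(path: str, text: str) -> list[str]:
    """Return the cleartext password values that would be reported for one file."""
    if is_test_path(path):          # case 1: test files are skipped entirely
        return []
    doc = json.loads(BLOCK_COMMENT.sub("", text))
    findings = []
    for s in iter_strings(doc):
        for m in PASSWORD_TOKEN.finditer(s):
            value = m.group(1)
            if not is_placeholder(value):   # case 2: placeholders are skipped
                findings.append(value)      # case 3: everything else is reported
    return findings


# Constructed sample files (not real configuration) covering the three cases.
SAMPLE_FILES = {
    "src/appsettings.json": (
        '{"DatabaseConfiguration": { /* --- MSSQL --- */ '
        '"ConnectionString": "Server=db01,1433;Initial Catalog=Shop;User Id=app;'
        'Password=Sup3rS3cret!;Integrated Security=false;Application Name=Shop;"}}'
    ),
    "src/appsettings.Production.json": (
        '{"DatabaseConfiguration": {"ConnectionString": "Server=db01,1433;'
        'Initial Catalog=Shop;User Id=app;Password={PASSWORD_HERE};Integrated Security=false;"}}'
    ),
    "src/appsettings.Staging.json": (
        '{"DatabaseConfiguration": {"ConnectionString": "Server=db01,1433;'
        'Initial Catalog=Shop;User Id=app;Password=PLACEHOLDER;Integrated Security=false;"}}'
    ),
    "tests/Fixtures/appsettings.json": (
        '{"DatabaseConfiguration": {"ConnectionString": "Server=localhost,1433;'
        'Initial Catalog=ShopTest;User Id=app;Password=Sup3rS3cret!;Integrated Security=false;"}}'
    ),
}


def scan_all(files=SAMPLE_FILES) -> dict[str, list[str]]:
    return {path: find_disclosed_passwords(path, text) for path, text in files.items()}


if __name__ == "__main__":
    for path, hits in scan_all().items():
        status = "REPORT" if hits else "skip  "
        print(f"{status} {path} {hits}")
```

Only `src/appsettings.json` is reported; the production and staging files are skipped as placeholders and the fixture under `tests/` is skipped by path. Run it over your real tree and treat every "skip" as a candidate for manual review: a password that a placeholder heuristic happens to match (or that sits under a directory named `tests`) is still a disclosed password.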
