"Database passwords should not be disclosed" not always detecting


We ran into a problem where we have a .json file containing information such as

"DatabaseConfiguration": {
    /* --- MSSQL --- */ /*
    "ConnectionString": "Server=::<number>,<number>;Initial Catalog=<String>;User Id=<String>;Password=<Clear text String>;Integrated Security=false;Application Name=<String>;",

And i throws Make sure this database password gets changed and removed from the code, Database passwords should not be disclosed secrets:S6703.

The issues is that we have multiple json files containing similar information but they don’t get flagged with a security issue?

Our source code is in Bitbucket and we are using TeamCity pipelines to rune the sonarscanner.
We have 2 sonarscanners and its the same issue with both of them. We have dotnet-sonarscanner and sonarsource/sonar-scanner-cli


Welcome to the community and thank you very much for your Feedback.

In order to eliminate false positives, we do not trigger S6703 in some cases. Those exact cases depend on the version of SonarQube you are using. For example, we eliminate cases such as:

"DatabaseConfiguration": {
  "ConnectionString": "Server=::<number>,<number>;Initial Catalog=<String>;User Id=<String>;Password={PASSWORD_HERE};Integrated Security=false;Application Name=<String>;",


"DatabaseConfiguration": {
  "ConnectionString": "Server=::<number>,<number>;Initial Catalog=<String>;User Id=<String>;Password=PLACEHOLDER;Integrated Security=false;Application Name=<String>;",

We assume that those are not passwords in clear but are placeholders or are replaced at runtime. Maybe some of your JSON files are in those cases?

Best regards

1 Like

Hey Sebastian

Thank you for you quick reply.

In this case your assumption is correct, but what if they where not placeholders? Is there a way to show the false positives so we can manually mark them?

We are using SonarCloud and not SonarQube.

I assume it’s the same for csharpsquid:S2068 - “password” detected here, make sure this is not a hard-coded credential.?

Best regards

Hi Elias,

For S6703, there are different cases:

  • If the file is a test file or inside a test folder, the rule will not be triggered.
  • If the file contains placeholders or replacements, those will not be triggered.
  • In all other cases, the passwords or secrets will trigger the rule.

This behavior is not customizable. Secrets detection is in constant evolution as we add more kinds of secrets to our detections. We also do our best to minimize the level of false positives.

S2068, it is handled differently. S6703 triggers in various places including files that are not code (such as JSON files). S2068 is specific and customized for each language like C#. So S2068 does not have the same behavior as S2068 as the goal of each rule is different.

Best regards

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.