False positive for 'Password' detected in this expression, review this potentially hard-coded credential

String.format("...authPassword=%s...", password);

is marked with the error in the title, while the password is not hard coded.


Can you clarify which version of SonarQube and Java analyzer you are using if you are not running SonarQube 8.5?


I’m using SonarQube Community Edition Version 7.5 (build 20543)

SonarQube 7.5 is no longer maintained so nothing will be fixed for that version.
You should think about upgrading to SQ 8.5, where we made improvements so that the Security Hotspot S2068 raises less noise.
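
The following is an added illustration, not part of the original thread and not SonarJava's implementation of S2068. It shows one heuristic a credential check can use to skip literals like the one reported above, where the value after the password key is a placeholder filled in at run time. The class name, both patterns and all sample literals except the first are assumptions constructed for this example.

```java
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Illustrative heuristic only; not the SonarJava implementation of S2068. */
public class HardcodedCredentialCheck {

    // A credential-like key, '=', then a value running to the next delimiter.
    private static final Pattern CREDENTIAL =
        Pattern.compile("(?i)(password|passwd|pwd)=([^&;\\s\"']*)");

    // Value prefixes that are filled in at run time: printf specifiers (%s, %1$s),
    // MessageFormat ({0}), JDBC (?), named parameters (:pwd), ${...} templates.
    private static final Pattern PLACEHOLDER =
        Pattern.compile("%(\\d+\\$)?[sS]|\\{\\d*\\}|\\?|:\\w+|\\$\\{[^}]*\\}");

    /** Returns true when the literal embeds a fixed value after a credential key. */
    static boolean looksHardcoded(String literal) {
        Matcher m = CREDENTIAL.matcher(literal);
        while (m.find()) {
            String value = m.group(2);
            // An empty value or one that starts with a placeholder is supplied later.
            if (!value.isEmpty() && !PLACEHOLDER.matcher(value).lookingAt()) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        List<String> samples = List.of(
            "...authPassword=%s...",                  // literal from the report above
            "user={0}&password={1}",                  // constructed: MessageFormat
            "jdbc:example://h/db?user=app&password=", // constructed: value appended later
            "user=app&password=Example123");          // constructed: fixed value
        for (String s : samples) {
            System.out.printf("%-45s -> %s%n", s,
                looksHardcoded(s) ? "review" : "ignore");
        }
    }
}
```

Only the last sample is reported for review, because it is the only literal that carries the credential value itself.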