False Positive squid:S2068 with @JMSPasswordCredential

  • versions used
    ** SonarQube Developer Edition 7.4
    ** latest maven Scanner
    ** SonarJava 5.8)

Screenshot as sample:


Given that the field password is in an annotation, then the value passed to it is necessarily a constant and so in your case this is not a false positive : you do have an hardcoded password in your application that can easily be figured out by looking at your compiled classes.