False positives by rule "Credentials should not be hard-coded"

SonarQube v6.7.4

Rule squid:S2068 (Credentials should not be hard-coded) produces several false-positives with ‘Blocker’ severity.

It catches constants like PAROL, SANDI. I am not sure what is so sensitive with these. Can someone please explain? Also, what other similar strings are so sensitive? Are these listed somewhere?


You are using a very old version of SonarJava. Latest release of the plugin is You should definitely update the analyzer, as you will benefit from rule improvements and tons of bugfixes, including improvement of rule S2068.

In particular, the 2 following tickets have been implemented since then, and fix the issue you are getting:



Thanks Michael. True that SonarJava version that I am using might be old, but it is the default version which came along with SonarQube v6.7.4 (still the latest LTS version).

Hey @ankurja,

SonarQube LTS versions embed with them the latest released version of the analyzers at the time of the LTS release. That’s why LTS 6.7.4 only has version 4.15 of SonarJava by default. Other analyzers' versions are most probably quite old now as well.

SonarQube analyzers usually follow different life-cycles than SonarQube itself. Because they are plugins, they continue evolving and getting better with time, being continuously improved to remove bugs and False Positives. In the meantime, they are always going to continue being compatible with the latest LTS.

I would strongly encourage you to keep analyzers up-to-date, even while staying with SQ LTS.