Hard-coded passwords in appsettings.json not detected

  • ALM used Bitbucket Cloud
  • CI system used Bitbucket Cloud
  • Scanner command used when applicable
image: mcr.microsoft.com/dotnet/sdk:8.0

clone:
  depth: full              # SonarCloud scanner needs the full history to assign issues properly

definitions:
  caches:
    sonar: ~/.sonar/cache  # Caching SonarCloud artifacts will speed up your build
  steps:
    - step: &build-test-sonarcloud
        name: Build, analyze on SonarCloud
        caches:
          - dotnetcore
          - sonar
        script:
          - apt-get update && apt-get install --yes --force-yes openjdk-17-jre
          - dotnet tool install --global dotnet-sonarscanner
          - export PATH="$PATH:/root/.dotnet/tools"
          - dotnet sonarscanner begin /o:"$SONAR_ORG " /k:"$PROJECT_KEY" /d:"sonar.login=${SONAR_TOKEN}" /d:sonar.host.url="https://sonarcloud.io" /d:sonar.cs.dotcover.reportsPaths="**/*.dotcover"
          - dotnet build
          - dotnet sonarscanner end /d:"sonar.login=${SONAR_TOKEN}"
    - step: &build-test-sonarcloud-quality-gate
        name: Build, analyze and quality gate check on SonarCloud
        caches:
          - dotnetcore
          - sonar
        script:
          - apt-get update && apt-get install --yes --force-yes openjdk-17-jre
          - dotnet tool install --global dotnet-sonarscanner
          - export PATH="$PATH:/root/.dotnet/tools"
          - dotnet sonarscanner /d:"sonar.qualitygate.wait=true" begin /o:"$SONAR_ORG " /k:"$PROJECT_KEY" /d:"sonar.login=${SONAR_TOKEN}" /d:sonar.host.url="https://sonarcloud.io" /d:sonar.cs.dotcover.reportsPaths="**/*.dotcover"
          - dotnet build
          - dotnet sonarscanner end /d:"sonar.login=${SONAR_TOKEN}"


pipelines:
  branches:
    master:
      - step: *build-test-sonarcloud
  pull-requests:
    '**':
    - step: *build-test-sonarcloud-quality-gate
  • Languages of the repository: C#
  • Only if the SonarCloud project is public, the URL: not public

Following is the screenshot from the PR raised in bitbucket which has passwords:

However, the sonarcloud scan of that particular PR didn’t detect these passwords.

I can share the scan log file as private message.

Hi @Faheem_Husain,

Thanks for the feedback. The S2068 rule is not supporting yet the launchSettings.json files. I’ve added an issue for this.

However, we have other instances where passwords were detected.

Indeed. This is expected since appsettings.json files are supported.

The problem manifests for launchSettings.json since we did not implement support for them.

Noted. How can I follow this issue update? As I don’t have access to the above repo as well the issue?

My bad. I posted a link to our internal repository. This is the public link: sonar-dotnet/analyzers/src/SonarAnalyzer.Common/AnalysisContext/SonarCompilationReportingContext.cs at master · SonarSource/sonar-dotnet · GitHub

Regarding the issue, we are currently transitioning the project to Jira, and for a while, the JIRA project will be private. I have created a copy for you, that we will try to keep up to date: NET-357 S2068 does not consider `launchSettings.json` files · Issue #9675 · SonarSource/sonar-dotnet · GitHub

1 Like