Hard-coded passwords in appsettings.json not detected

  • ALM used Bitbucket Cloud
  • CI system used Bitbucket Cloud
  • Scanner command used when applicable
image: mcr.microsoft.com/dotnet/sdk:8.0

clone:
  depth: full              # SonarCloud scanner needs the full history to assign issues properly

definitions:
  caches:
    sonar: ~/.sonar/cache  # Caching SonarCloud artifacts will speed up your build
  steps:
    - step: &build-test-sonarcloud
        name: Build, analyze on SonarCloud
        caches:
          - dotnetcore
          - sonar
        script:
          - apt-get update && apt-get install --yes --force-yes openjdk-17-jre
          - dotnet tool install --global dotnet-sonarscanner
          - export PATH="$PATH:/root/.dotnet/tools"
          - dotnet sonarscanner begin /o:"$SONAR_ORG" /k:"$PROJECT_KEY" /d:"sonar.login=${SONAR_TOKEN}" /d:sonar.host.url="https://sonarcloud.io" /d:sonar.cs.dotcover.reportsPaths="**/*.dotcover"
          - dotnet build
          - dotnet sonarscanner end /d:"sonar.login=${SONAR_TOKEN}"
    - step: &build-test-sonarcloud-quality-gate
        name: Build, analyze and quality gate check on SonarCloud
        caches:
          - dotnetcore
          - sonar
        script:
          - apt-get update && apt-get install --yes --force-yes openjdk-17-jre
          - dotnet tool install --global dotnet-sonarscanner
          - export PATH="$PATH:/root/.dotnet/tools"
          - dotnet sonarscanner begin /d:"sonar.qualitygate.wait=true" /o:"$SONAR_ORG" /k:"$PROJECT_KEY" /d:"sonar.login=${SONAR_TOKEN}" /d:sonar.host.url="https://sonarcloud.io" /d:sonar.cs.dotcover.reportsPaths="**/*.dotcover"
          - dotnet build
          - dotnet sonarscanner end /d:"sonar.login=${SONAR_TOKEN}"


pipelines:
  branches:
    master:
      - step: *build-test-sonarcloud
  pull-requests:
    '**':
    - step: *build-test-sonarcloud-quality-gate
  • Languages of the repository: C#
  • Only if the SonarCloud project is public, the URL: not public

Following is the screenshot from the PR raised in Bitbucket which has the passwords:

However, the SonarCloud scan of that particular PR didn’t detect these passwords.

I can share the scan log file as private message.

Hi @Faheem_Husain,

Thanks for the feedback. The S2068 rule does not yet support launchSettings.json files. I’ve added an issue for this.

However, we have other instances where passwords were detected.

Indeed. This is expected since appsettings.json files are supported.

The problem manifests for launchSettings.json since we did not implement support for them.

Noted. How can I follow updates on this issue? I don’t have access to the above repo, nor to the issue.

My bad. I posted a link to our internal repository. This is the public link: sonar-dotnet/analyzers/src/SonarAnalyzer.Common/AnalysisContext/SonarCompilationReportingContext.cs at master · SonarSource/sonar-dotnet · GitHub

Regarding the issue, we are currently transitioning the project to Jira, and for a while, the JIRA project will be private. I have created a copy for you, that we will try to keep up to date: NET-357 S2068 does not consider `launchSettings.json` files · Issue #9675 · SonarSource/sonar-dotnet · GitHub
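The gap described above (S2068 covering appsettings.json but not launchSettings.json at the time of the thread) is one a team can cover locally until the analyzer does. What follows is an added example, not SonarSource's code and not part of this thread: a small Python script that walks both file kinds, flattens the nested JSON keys, and reports any secret-looking key holding a literal value, as well as any `Password=`/`Pwd=` embedded in a connection string. The key patterns, the placeholder list, the `Extraction/` directory layout and the two sample documents are all constructed for the demo.

```python
"""Gap check for hard-coded credentials in .NET JSON configuration files.

Added example, not SonarSource code and not part of the thread: it walks
appsettings*.json and launchSettings.json, flattens nested keys, and reports
any secret-looking key that holds a literal (non-placeholder) value, plus any
Password=/Pwd= inside a connection-string value. Key patterns, placeholder
list and the two sample documents below are constructed for the demo.
"""
import json
import re
import tempfile
from pathlib import Path

# Key names that usually hold a credential (matched on the last path segment).
SECRET_KEY_RE = re.compile(r"(password|passwd|pwd|secret|api[_-]?key|token)", re.IGNORECASE)
# Password embedded in a connection-string style value.
CONN_STRING_PASSWORD_RE = re.compile(r"(?:password|pwd)\s*=\s*([^;]+)", re.IGNORECASE)
# Values that are template markers rather than real secrets (constructed list).
PLACEHOLDER_VALUES = {"", "changeme", "placeholder", "todo", "xxx", "<password>"}
# File names the check looks at; the thread says S2068 covers the first pattern
# but not launchSettings.json.
CONFIG_GLOBS = ("appsettings*.json", "launchSettings.json")


def flatten(obj, prefix=""):
    """Yield (dotted.key, value) for every scalar in a nested JSON structure."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield from flatten(value, f"{prefix}{key}.")
    elif isinstance(obj, list):
        for index, value in enumerate(obj):
            yield from flatten(value, f"{prefix}{index}.")
    else:
        yield prefix.rstrip("."), obj


def is_placeholder(value: str) -> bool:
    """True for empty values, known dummy values and ${VAR}-style templates."""
    stripped = value.strip()
    return stripped.lower() in PLACEHOLDER_VALUES or stripped.startswith(("${", "{{", "#{"))


def find_hardcoded_secrets(text: str):
    """Return [(dotted.key, literal)] findings for one JSON document."""
    findings = []
    for key, value in flatten(json.loads(text)):
        if not isinstance(value, str):
            continue
        leaf = key.rsplit(".", 1)[-1]
        if SECRET_KEY_RE.search(leaf) and not is_placeholder(value):
            findings.append((key, value))
            continue
        match = CONN_STRING_PASSWORD_RE.search(value)
        if match and not is_placeholder(match.group(1)):
            findings.append((key, match.group(1)))
    return findings


def scan_tree(root: Path):
    """Map relative file path -> findings for every matching config file under root."""
    results = {}
    for pattern in CONFIG_GLOBS:
        for path in sorted(root.rglob(pattern)):
            try:
                findings = find_hardcoded_secrets(path.read_text(encoding="utf-8"))
            except json.JSONDecodeError:
                continue  # comments or trailing commas: not strict JSON, skipped here
            if findings:
                results[path.relative_to(root).as_posix()] = findings
    return results


# Constructed sample documents: one literal connection-string password, one
# templated SMTP password (must not be reported), one literal dev password.
SAMPLE_APPSETTINGS = """{
  "ConnectionStrings": {
    "Default": "Server=db;Database=app;User Id=app;Password=Str0ngPass!;"
  },
  "Smtp": { "Host": "smtp.example.invalid", "Password": "${SMTP_PASSWORD}" }
}"""
SAMPLE_LAUNCHSETTINGS = """{
  "profiles": {
    "Api": {
      "commandName": "Project",
      "environmentVariables": {
        "ASPNETCORE_ENVIRONMENT": "Development",
        "DB_PASSWORD": "dev-secret-123"
      }
    }
  }
}"""


def demo():
    """Write the constructed samples to a temp tree and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "Extraction" / "Properties").mkdir(parents=True)
        (root / "Extraction" / "appsettings.json").write_text(SAMPLE_APPSETTINGS, encoding="utf-8")
        (root / "Extraction" / "Properties" / "launchSettings.json").write_text(
            SAMPLE_LAUNCHSETTINGS, encoding="utf-8")
        return scan_tree(root)


if __name__ == "__main__":
    for file_path, hits in demo().items():
        for key, literal in hits:
            print(f"{file_path}: {key} holds a hard-coded value ({literal!r})")
```

Run it as-is to see the two constructed findings; point `scan_tree` at a repository root to use it as a pre-commit or pipeline step. Values read from the environment (`${...}`) are deliberately skipped, which is also the fix the finding is asking for.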


In my case, hard-coded creds in the appsettings.json file are not detected. I don’t have any exclusions for it. In the code navigation tab in SonarCloud, I could see the file being listed with lines of code marked as “-”. In the logs I could see this:

10:27:04.918 DEBUG: 'a/b/Extraction/appsettings.json' indexed with language 'json'

I have a lot of projects in Sonar, and for almost all of them this file is not getting scanned for credentials.

@holydude Feel free to start a new thread.