Hardcoded credentials are not shown during the sonar scan

Hello Team,

We are using sonar community edition 9.9.1 version installed through the zip file.
Below is our code in user_service.ts:

public accessToken() {
  const payload = new HttpParams()
    .set("username", "xxxx")
    .set("password", "xxxx");
}

Quality profile for this project is shown as:
TypeScript Instance default [208] active rules, and "Hard-coded credentials are security-sensitive" is present in these 208 rules under security hotspot.
But during the scan, hardcoded credentials are not getting caught. It says 0 security hotspots.

Am I missing anything here? Please help.
Thanks,
Champa

Can someone please help me?

Please be patient.

I created a topic, when can I expect a response?

This is an open community with people volunteering their free time to provide assistance. We’re eager to contribute to the community, but you are not guaranteed a fast response.

Be patient

  • Wait a few days before bumping a topic that hasn’t received a response.
  • Do not @name mention individuals not involved in the topic.

Contribute as much as you expect to receive

  • Contribute to the community (helping others) as much as you expect to receive help.

Hi @champa ,

Can you please explain what the HttpParams class is? Is it part of your project or an API of some library? As a general rule, S2068 supports some APIs, but it cannot detect arbitrary calls.

Thanks for your reply.
HttpParams is imported from “angular/common/http”


Any update on this ticket?

Hi @champa,

The current implementation will not be able to detect HttpParams from Angular. I have created a Jira ticket to improve the rule.

Best,
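
Until the rule covers Angular's HttpParams, a supplementary check can flag string literals passed to `.set()` under a credential-like key. This is an added example, not code from the thread and not SonarQube's rule logic; the key list, the function name `findHardcodedCredentials` and the sample source are assumptions of this sketch.

```javascript
// Added example: regex pre-check for literals passed as credential-like
// keys to .set(key, value). Key list is an assumption, not S2068's list.
const CREDENTIAL_KEYS = /^(password|passwd|pwd|secret|token|api[_-]?key)$/i;

// Matches .set("key", "value") where both arguments are quoted literals
// (single, double or backtick quotes).
const SET_CALL = /\.set\(\s*(["'`])([^"'`]+)\1\s*,\s*(["'`])([^"'`]*)\3\s*\)/g;

function findHardcodedCredentials(source) {
  const findings = [];
  for (const m of source.matchAll(SET_CALL)) {
    const [, , key, quote, value] = m;
    if (!CREDENTIAL_KEYS.test(key)) continue;
    if (value === "") continue; // empty placeholder, nothing embedded
    // A template string with interpolation is computed, not a literal.
    if (quote === "`" && value.includes("${")) continue;
    // 1-based line number of the start of the .set( call.
    const line = source.slice(0, m.index).split("\n").length;
    findings.push({ line, key });
  }
  return findings;
}

// Constructed sample modelled on the snippet in the thread.
const SAMPLE = [
  "public accessToken() {",
  "  const payload = new HttpParams()",
  '    .set("username", "xxxx")',
  '    .set("password", "xxxx");',
  '  const safe = new HttpParams().set("password", form.value.password);',
  "}",
].join("\n");

console.log(findHardcodedCredentials(SAMPLE));
```

The check is textual, so it misses values built from constants declared elsewhere; treat a hit as a hotspot to review, the same way the Sonar rule does.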