Hardcoded credentials in constants are not caught by SonarQube

  • SonarQube version: Enterprise Edition Version 10.3

Our team is focusing on SAST scanners, Sonar itself included; during this work we created a few basic checks that we expected to be caught by SonarQube during static scanning, but they were not caught.
For example, we have in our code a piece of potentially sensitive code, which contains what looks like a password in a constant. At the same time, we have an active rule (java:S6437) according to which it should be identified as a Vulnerability, but it isn't; please see the attached screenshot.

The question is: why isn't it caught by SonarQube when scanning the whole code, constants included? Does this rule require some custom configuration?

Thanks.

Hi,

Thank you for your post.

SonarQube detects secrets by taking into account the context around the secret and the content of the secret, in order to avoid raising false positives. We consider the code you provided a true negative:

  • There is no context that tells Sonar what kind of secret is involved. For example, for Spring, we look for some text before the secret that contains datasource.
  • We intentionally reject passwords like password and test because, most of the time, they are not actual passwords but test ones. We know that we will not detect some actual passwords by doing so, but we prefer to avoid false positives.

Best regards

Sebastien

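To make the two filters described in the reply concrete, here is an added toy model of a context-aware hardcoded-credential check. It is example code written for this page, not SonarQube's implementation of java:S6437 and not a description of its real rule set: the context keywords (only "datasource" comes from the reply), the placeholder list (only "password" and "test" come from the reply), the two-line look-back window and the Java/properties sample snippets are all assumptions constructed for the demonstration. It shows why a bare `PASSWORD` constant comes out as a true negative, why a placeholder value with good context is still dropped, and what a reported finding looks like.

```python
"""Toy model of a context-aware hardcoded-credential check.

Added illustration only: this is NOT SonarQube's code for java:S6437.
It mirrors the two filters described in the reply above:
  1. some recognised context must surround the literal, otherwise the
     check cannot tell what kind of secret it is looking at;
  2. placeholder-looking values are rejected even when context is present.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Assumption: the real rule knows many more context words; "datasource" is
# the one the reply names for Spring, the others are made up for the demo.
CONTEXT_KEYWORDS = ("datasource", "jdbc", "spring")

# The reply names "password" and "test"; the rest of the real list is not
# documented on this page, so only those two are used here.
PLACEHOLDER_VALUES = frozenset({"password", "test"})

# Assumption: how many preceding lines count as "text before the secret".
CONTEXT_LINES = 2

# Matches `... PASSWORD ... = "literal";` in Java or `key.password=value` in a
# properties-style line. The identifier match is deliberately loose (any
# "pass"/"passwd"/"password" before the "="). Group 1 is the text before the
# literal, group 2 is the literal itself.
ASSIGNMENT_RE = re.compile(
    r'(?i)^(.*?pass(?:word|wd)?[^=\n]*)=\s*"?([^"\n;]+?)"?\s*;?\s*$'
)


@dataclass(frozen=True)
class Finding:
    line: int          # 1-based line number of the candidate literal
    value: str         # the literal that was examined
    verdict: str       # "no-context", "placeholder" or "reported"


def has_context(window: str) -> bool:
    """Filter 1: is there a keyword telling us what kind of secret this is?"""
    lowered = window.lower()
    return any(keyword in lowered for keyword in CONTEXT_KEYWORDS)


def is_placeholder(value: str) -> bool:
    """Filter 2: does the literal look like a test/dummy value?"""
    return value.strip().lower() in PLACEHOLDER_VALUES


def scan(source: str) -> list[Finding]:
    """Classify every credential-looking assignment in `source`."""
    lines = source.splitlines()
    findings: list[Finding] = []
    for idx, line in enumerate(lines):
        match = ASSIGNMENT_RE.match(line)
        if not match:
            continue
        before, value = match.group(1), match.group(2)
        # Context window: a few preceding lines plus the text before the literal.
        window = "\n".join(lines[max(0, idx - CONTEXT_LINES):idx] + [before])
        if not has_context(window):
            verdict = "no-context"
        elif is_placeholder(value):
            verdict = "placeholder"
        else:
            verdict = "reported"
        findings.append(Finding(idx + 1, value, verdict))
    return findings


def reported_values(source: str) -> list[str]:
    """Only the literals the toy check would actually raise as issues."""
    return [f.value for f in scan(source) if f.verdict == "reported"]


# Constructed sample inputs (not taken from the original post or screenshot).
SAMPLES = {
    # The situation the question describes: a password constant with no
    # surrounding context. A true negative under this heuristic.
    "bare_constant": 'public static final String PASSWORD = "S3cr3t-Xk29!pq";',
    # Context present, but the value is a placeholder the check rejects.
    "placeholder": "spring.datasource.password=password",
    # Context present and a realistic value: the case that gets reported.
    "spring_datasource": "spring.datasource.password=Xk29!pq7Lm2",
    # No credential-looking assignment at all.
    "unrelated": "private static final int TIMEOUT_SECONDS = 30;",
}

# Java where the context sits on the line above the literal.
JAVA_WITH_CONTEXT = (
    "// Spring datasource settings for the reporting database\n"
    'private static final String DB_PASSWORD = "Xk29!pq7Lm2";\n'
)

if __name__ == "__main__":
    for name, snippet in SAMPLES.items():
        print(name, [(f.line, f.verdict) for f in scan(snippet)])
    print("java_with_context", reported_values(JAVA_WITH_CONTEXT))
```

The point of the model is the ordering of the filters: the bare constant never reaches the value check because nothing in its neighbourhood says what kind of credential it is, and the Spring property with `password` as its value passes the context check but is then dropped as a placeholder. Only the property with a realistic value, or the Java constant whose preceding comment mentions the datasource, survives both filters.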