-
What language is this for?
Java -
Which rule?
java:S5344 - Passwords should not be stored in plain-text or with a fast hashing algorithm -
Why do you believe it’s a false-positive/false-negative?
SonarQube reports java:S5344 vulnerability, but when I inspect I see the encoder is actually the DelegatingPasswordEncoder based on BCryptPasswordEncoder, not default plain text.
-
Are you using
SonarQube™ Community Edition Version 8.9 (build 43852) -
How can we reproduce the problem? Give us a self-contained snippet (best) or screenshot (good)
import java.util.HashMap;
import java.util.Map;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.DelegatingPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

@Configuration
public class SecurityConfig {
    @Autowired private UserDetailsService myUserServiceImpl;
    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(myUserServiceImpl);
        // SonarQube reports java:S5344 vulnerability here, but when I inspect I see the encoder is actually
        // the DelegatingPasswordEncoder based on BCryptPasswordEncoder returned by the
        // passwordEncoder() bean I defined a few lines below in the same class, not default plain text.
    }
    @Bean
    public PasswordEncoder passwordEncoder() {
        Map<String, PasswordEncoder> encoders = new HashMap<>();
        encoders.put("bcrypt", new BCryptPasswordEncoder());
        DelegatingPasswordEncoder delegatingEncoder = new DelegatingPasswordEncoder("bcrypt", encoders);
        delegatingEncoder.setDefaultPasswordEncoderForMatches(encoders.get("bcrypt"));
        return delegatingEncoder;
    }
}
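Added example, not the poster's code or SonarSource's: the same bcrypt-backed DelegatingPasswordEncoder, but attached directly to the `userDetailsService(...)` chain with `.passwordEncoder(...)`. java:S5344 flags the builder call when no encoder is chained onto it; a PasswordEncoder bean that only exists elsewhere in the class is not what that check inspects, so wiring it explicitly both satisfies the rule and makes the choice of encoder visible to a reviewer. A small stand-alone check then shows what the delegating encoder actually stores (a `{bcrypt}`-prefixed hash) and which hashes it accepts. The class names `ExplicitEncoderConfig` and `EncoderCheck` and the sample passwords are assumptions; the Spring Security types are the real ones.

```java
import java.util.HashMap;
import java.util.Map;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.DelegatingPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

@Configuration
public class ExplicitEncoderConfig {  // hypothetical class name

    private final UserDetailsService userDetailsService;

    public ExplicitEncoderConfig(UserDetailsService userDetailsService) {
        this.userDetailsService = userDetailsService;
    }

    @Bean
    public PasswordEncoder passwordEncoder() {
        Map<String, PasswordEncoder> encoders = new HashMap<>();
        encoders.put("bcrypt", new BCryptPasswordEncoder());
        DelegatingPasswordEncoder delegating = new DelegatingPasswordEncoder("bcrypt", encoders);
        // Hashes stored without an "{id}" prefix are verified with bcrypt as well
        delegating.setDefaultPasswordEncoderForMatches(encoders.get("bcrypt"));
        return delegating;
    }

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        // The encoder is set on the same builder chain the analyzer inspects, so the
        // DaoAuthenticationProvider built here demonstrably uses it and not a default.
        auth.userDetailsService(userDetailsService)
            .passwordEncoder(passwordEncoder());
    }
}

/** Stand-alone check of what the delegating encoder stores and accepts (hypothetical). */
class EncoderCheck {
    public static void main(String[] args) {
        PasswordEncoder encoder = new ExplicitEncoderConfig(null).passwordEncoder();

        // Constructed sample password; the stored form carries the algorithm id, "{bcrypt}$2..."
        String hash = encoder.encode("correct horse battery staple");
        System.out.println("stored form: " + hash);
        System.out.println("prefixed with {bcrypt}: " + hash.startsWith("{bcrypt}"));
        System.out.println("correct password matches: "
                + encoder.matches("correct horse battery staple", hash));
        System.out.println("wrong password matches: " + encoder.matches("wrong", hash));

        // A pre-existing bcrypt hash with no "{id}" prefix is still accepted because of
        // setDefaultPasswordEncoderForMatches; without that call it would throw.
        String legacyHash = new BCryptPasswordEncoder().encode("legacy-pw");
        System.out.println("unprefixed legacy hash matches: "
                + encoder.matches("legacy-pw", legacyHash));
    }
}
```

Compile this against spring-security-config and spring-security-crypto and run `EncoderCheck` on its own; it needs no application context because `passwordEncoder()` is an ordinary method call. Once `.passwordEncoder(passwordEncoder())` is on the chain, the rule has something concrete to point at, and the `{bcrypt}` prefix printed by the check is the evidence that new hashes are written with the intended algorithm.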