java:S5344 - Possible false positive

  • What language is this for?
    Java

  • Which rule?
    java:S5344 - Passwords should not be stored in plain-text or with a fast hashing algorithm

  • Why do you believe it’s a false-positive/false-negative?

SonarQube reports java:S5344 vulnerability, but when I inspect I see the encoder is actually the DelegatingPasswordEncoder based on BCryptPasswordEncoder, not default plain text.

  • Are you using
    SonarQube™ Community Edition Version 8.9 (build 43852)

  • How can we reproduce the problem? Give us a self-contained snippet (best) or screenshot (good)

import java.util.HashMap;
import java.util.Map;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.DelegatingPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

  @Autowired
  public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
    // myUserServiceImpl: the UserDetailsService field declared elsewhere in this class
    auth.userDetailsService(myUserServiceImpl);
    // SonarQube reports java:S5344 vulnerability here, but when I inspect I see the encoder is actually 
    // the DelegatingPasswordEncoder based on BCryptPasswordEncoder returned by the 
    // passwordEncoder() bean I defined a few lines below in the same class, not default plain text.
  }

  @Bean
  public PasswordEncoder passwordEncoder() {
    Map<String, PasswordEncoder> encoders = new HashMap<>();
    // "bcrypt" is both the only registered encoder and the id used for new encodings
    encoders.put("bcrypt", new BCryptPasswordEncoder());
    DelegatingPasswordEncoder passwordEncoder = new DelegatingPasswordEncoder("bcrypt", encoders);
    // Stored hashes that carry no {id} prefix are matched with bcrypt as well
    passwordEncoder.setDefaultPasswordEncoderForMatches(encoders.get("bcrypt"));
    return passwordEncoder;
  }

Hello Dario!

Thanks for the report. I believe the root cause for the false positive here is that the Java analyzer does not properly track the different ways Spring Boot can inject dependencies. (For instance, the analyzer will not raise an issue if you explicitly call auth.passwordEncoder(passwordEncoder()).)

To better understand your situation, could you share a bit more of the relevant context? E.g. are these methods in the same class, how is the class defined/annotated, do you have additional config files that define how Spring handles the password encoder injection?
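As an added example, not code from the original post or from SonarSource, here is the same configuration rewritten so that the bcrypt-backed DelegatingPasswordEncoder is passed to the authentication builder explicitly, which is the form the reply above says the analyzer recognises. The class name SecurityConfig, the constructor-injected UserDetailsService and the bcrypt strength of 12 are assumptions made for the example; everything else uses the Spring Security 5 API the posted snippet already relies on.

```java
import java.util.HashMap;
import java.util.Map;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.DelegatingPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

// Example configuration (assumed class name, not from the original post).
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    // Assumption for the example: the application provides its own UserDetailsService bean.
    private final UserDetailsService userDetailsService;

    public SecurityConfig(UserDetailsService userDetailsService) {
        this.userDetailsService = userDetailsService;
    }

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        // Pass the encoder explicitly instead of relying on bean lookup. The data flow
        // from passwordEncoder() to the DaoAuthenticationProvider is now visible in the
        // source itself, which is what a static analyzer can follow.
        auth.userDetailsService(userDetailsService)
            .passwordEncoder(passwordEncoder());
    }

    @Bean
    public PasswordEncoder passwordEncoder() {
        Map<String, PasswordEncoder> encoders = new HashMap<>();
        // Strength 12 = 2^12 rounds (assumed for the example; the library default is 10).
        encoders.put("bcrypt", new BCryptPasswordEncoder(12));

        // New passwords are encoded as "{bcrypt}$2a$12$..." and the "{bcrypt}" prefix
        // selects the encoder again when matching.
        DelegatingPasswordEncoder delegating = new DelegatingPasswordEncoder("bcrypt", encoders);

        // Hashes stored before the {id} prefix convention was adopted carry no prefix;
        // match those with bcrypt too, rather than failing with an "id null" error.
        delegating.setDefaultPasswordEncoderForMatches(encoders.get("bcrypt"));
        return delegating;
    }
}
```

Because passwordEncoder() is a @Bean method on a @Configuration class, calling it from configureGlobal returns the same singleton that the rest of the context injects, so the explicit call does not create a second encoder instance. Keeping the call explicit also documents the hashing choice at the point where authentication is configured, which is useful to reviewers independent of whether the analyzer needs it.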