java:S6437 detects Jasypt-encrypted password as hard-coded

Hello!

  • What language is this for? Java
  • Which rule? java:S6437
  • Why do you believe it’s a false-positive/false-negative? False positive
  • Are you using
    • SonarCloud
okta:
  client:
    orgUrl: https://staging.okta.com
    token: ENC(+tIDGRE1oE1W8DNZtE9efVxCac8LMM3LUD0dlMvSGLqs0jrg7ilf4bhl+ZSWcp+xRHIs7qOlXIhpOoWLFscxaY=)
    user:
      groupNames: _sb_group
      userTypeName: _sb_user
    technician:
      groupNames: _sb_group
      userTypeName: _sb_user
  node: sb9

spring:
  datasource:
    password: ENC(0yNpzOSi8YyeVIytkEGeYxoTlsV+byfEwLi8EJ8z20Kv6X+/TCbD0U2jLjUrJrnn+A==)
    url: jdbc:postgresql://postgresql-sb:5432/_sb9?ssl=true&sslmode=require
    username: "_user"

The second encrypted password is detected as hard-coded.

Hi @adambir ,
Thank you for your feedback. We currently do not support Jasypt, which is why a false positive is reported here. I have added an issue in our internal backlog to study the possibility of supporting Jasypt in the future.
Regards
Sebastien
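A line-level check of the kind the rule would need in order to avoid this false positive, as an added example that is not SonarSource's code and not the rule's implementation: it scans a YAML file for credential-looking keys and reports only plaintext values, treating Jasypt `ENC(...)` wrappers and `${...}` placeholders as externalised secrets. The sample config is constructed from the thread's layout with shortened placeholder ciphertexts, and the list of key names is an assumption.

```python
import re
from typing import List, Tuple
# Key names that commonly carry credentials (assumption: illustrative list only).
SECRET_KEYS = re.compile(r"(password|passwd|pwd|token|secret|api[-_]?key)$", re.I)
# Jasypt's default string output is Base64 wrapped in ENC(...); it is only safe to
# commit when the encryptor password lives outside the file (e.g. in an env var).
JASYPT_ENC = re.compile(r"^ENC\(([A-Za-z0-9+/]+={0,2})\)$")
PLACEHOLDER = re.compile(r"^\$\{[^}]+\}$")  # externalised, e.g. ${DB_PASSWORD}
KEY_VALUE = re.compile(r"^\s*([A-Za-z0-9_.-]+):\s*(.*?)\s*$")
# Constructed sample: the layout of the thread's application.yml with shortened
# placeholder ciphertexts, plus one plaintext password and one ${...} placeholder.
SAMPLE = """\
okta:
  client:
    orgUrl: https://staging.okta.com
    token: ENC(c2FtcGxlLWNpcGhlcnRleHQ=)
spring:
  datasource:
    password: ENC(YW5vdGhlci1zYW1wbGU=)
    url: jdbc:postgresql://postgresql-sb:5432/_sb9?ssl=true&sslmode=require
    username: "_user"
legacy:
  password: hunter2          # plaintext: the only entry a check should report
  apiKey: ${LEGACY_API_KEY}  # resolved from the environment, not hard-coded
"""

def classify(value: str) -> str:
    # Classify a YAML scalar as empty, jasypt, placeholder or plaintext.
    v = value.strip().strip("'\"")
    if not v:
        return "empty"
    if JASYPT_ENC.match(v):
        return "jasypt"
    if PLACEHOLDER.match(v):
        return "placeholder"
    return "plaintext"

def scan_yaml(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, key, class) for every credential-looking key."""
    findings = []
    for no, line in enumerate(text.splitlines(), start=1):
        m = KEY_VALUE.match(line)
        if not m or not SECRET_KEYS.search(m.group(1)):
            continue
        value = re.split(r"\s+#", m.group(2), maxsplit=1)[0]  # drop trailing comment
        findings.append((no, m.group(1), classify(value)))
    return findings

def hard_coded(text: str) -> List[Tuple[int, str]]:
    """What a hard-coded-credential rule should flag: plaintext values only."""
    return [(no, key) for no, key, kind in scan_yaml(text) if kind == "plaintext"]
```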
