We are using Community Edition Version 10.1 (build 73491).
Deployed on Docker.
We are using the Sonar Scanner extension.
We are evaluating SonarQube on a real-life case: our company's corporate web site, which is based on WordPress and developed by an external company. We got the source code and submitted it to SonarQube.
In a PHP script, SonarQube raised a security issue about a compromised password in a connection to a MySQL database (this is part of WordPress). Our web supplier argues that this is a false warning from SonarQube and that the password is not compromised.
On my side, with the usual web tools, I did not find this password reported as compromised either.
Is it possible for SonarQube to double-check the reason for this alleged false positive, or to explain which source SonarQube uses to determine that a password is compromised?
Here is the SonarQube report on the code vulnerability: "Revoke and change this password, as it is compromised."
Here is the piece of PHP code in question (I redacted the password):
@$link = mysql_connect( '192.168.9.201', 'fw0680497194', '****REDACTED***' );
if ( ! $link ) {
    die( sprintf( "Could not connect to the MySQL server: %s\n", mysql_error() ) );
}
A hard-coded secret has been found in your code. You should quickly list where this secret is used, revoke it, and then change it in every system that uses it.
(…)
Keeping credentials in plain text in a code base is tantamount to sharing that password with anyone who has access to the source code and runtime servers.
SonarQube doesn’t actually check if your password has leaked online or something of that sort. The mere act of storing the password in the source code is a violation in itself.
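As an added example for this thread (not SonarQube's own code or the implementation of its rule), here is a toy detector in Python with the same shape as the rule Felipe describes: it reports a database connect call whose password argument is a string literal, working purely from the source text, with no breach-database or online lookup anywhere. The PHP it scans is constructed for the example; it keeps the thread's password redacted and adds the credential-passing forms (getenv(), plain variables, an interpolated string) that such a rule would not report.

```python
"""Toy 'hard-coded secret' detector for PHP database connect calls.

Added example for this thread, not SonarQube's code. It mimics the shape of the
rule described above: the finding is that a password sits in the source as a
string literal. Nothing here knows or checks whether that value has leaked.
"""
import re
from typing import List, Tuple

# Constructed sample. Line 1 is the pattern from the thread (password redacted);
# lines 2-5 take the credential from the environment or a variable instead.
SAMPLE_PHP = r"""@$link = mysql_connect( '192.168.9.201', 'fw0680497194', '****REDACTED***' );
$env  = mysqli_connect( getenv('DB_HOST'), getenv('DB_USER'), getenv('DB_PASSWORD') );
$vars = mysqli_connect( $host, $user, $password );
$mixed = mysqli_connect( 'localhost', 'wp_user', $password );
$interp = mysqli_connect( 'localhost', 'wp_user', "$password" );
"""

# One connect call per line; the greedy group captures the whole argument list.
CONNECT_CALL = re.compile(r"\b(mysql_connect|mysqli_connect)\s*\((.*)\)")


def split_args(arglist: str) -> List[str]:
    """Split a PHP argument list on top-level commas so nested calls stay intact.

    Limitation: a comma inside a quoted string would also split (fine for this sample).
    """
    args, depth, buf = [], 0, []
    for ch in arglist:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        if ch == "," and depth == 0:
            args.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    if buf:
        args.append("".join(buf).strip())
    return args


def is_literal(arg: str) -> bool:
    """True when the argument is a plain string literal, i.e. a value baked into the source."""
    arg = arg.strip()
    if len(arg) >= 2 and arg[0] == arg[-1] == "'":
        return True
    # A double-quoted PHP string containing $interpolation gets its value at run time.
    if len(arg) >= 2 and arg[0] == arg[-1] == '"':
        return "$" not in arg
    return False


def find_hardcoded_passwords(source: str) -> List[Tuple[int, str]]:
    """Return (line number, function name) for each connect call with a literal password.

    mysql_connect()/mysqli_connect() take (host, user, password, ...), so the third
    argument is the one that must not be a literal. Host and user literals are
    ignored here, as the rule in the thread is about the secret.
    """
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        match = CONNECT_CALL.search(line)
        if not match:
            continue
        args = split_args(match.group(2))
        if len(args) >= 3 and is_literal(args[2]):
            findings.append((lineno, match.group(1)))
    return findings


if __name__ == "__main__":
    for lineno, func in find_hardcoded_passwords(SAMPLE_PHP):
        print(f"line {lineno}: hard-coded password passed to {func}() - revoke and rotate it")
```

Run stand-alone, only the first sample line is reported. The point for the dispute is in the logic: the detector never consults anything outside the file, so "compromised" can only mean "anyone who can read this source has the password", which is exactly the remediation the rule asks for (revoke and rotate, then load the credential from configuration kept out of the code base, for WordPress typically wp-config.php outside the web root or an environment variable read with getenv()). A separate caveat for the snippet in the thread: mysql_connect() was removed in PHP 7.0, so a site still calling it is pinned to an end-of-life PHP version.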
Thank you Felipe, this is what I thought, but the text shown by SonarQube very clearly says that the password is compromised, and this is quite confusing; see what is precisely printed:
Revoke and change this password, as it is compromised.
It also says that credentials should not be hard-coded, which is true, but why does it say that the password is compromised if this is not even verified? We entered into a dispute with our supplier because of this incorrect statement…
At the minimum, the text of the alert should be modified to remove any suggestion that the password is compromised, as SonarQube does not verify this.