No warnings about credentials in Nuget.conf

  • SonarQube Developer Edition 9.7

  • I would like to get a Vuln or Bug or Security Hotspot when scanning a Nuget.conf file containing credentials.

The Nuget.conf file contains the configuration for the .NET package manager, and if such a file is checked in with a credential, that is most likely a mistake that needs to be flagged or at least reviewed.

Currently we are getting no bug/vulnerability/Security Hotspot triggered with either SonarQube Developer 9.7 or SonarLint.

Reference doc:

Example file.

<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <packageSources>
    <add key="nuget.org" value="https://api.nuget.org/v3/index.json" protocolVersion="3" />
  </packageSources>
  <packageSourceCredentials>
    <Something>
      <add key="Username" value="NuGetter" />
      <add key="ClearTextPassword" value="xxxx" />
    </Something>
  </packageSourceCredentials>
</configuration>

Thanks
David
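A minimal check of the kind the post asks for, as an added example that is not SonarQube's rule or NuGet's code: it parses the structure shown above, assumes NuGet's own credential key names (ClearTextPassword, Password) and its %VAR% environment-variable expansion, and skips such placeholders so only literal secrets are reported. The sample config is constructed from the post's example plus two more cases.

```python
# Added example (not SonarQube's rule): a minimal check a CI job could run over
# checked-in NuGet configuration. Key names are the ones NuGet itself uses.
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample mirroring the post's example file, plus two more cases.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <packageSources>
    <add key="nuget.org" value="https://api.nuget.org/v3/index.json" protocolVersion="3" />
    <add key="private" value="https://builder:hunter2@feed.example.invalid/v3/index.json" />
  </packageSources>
  <packageSourceCredentials>
    <Something>
      <add key="Username" value="NuGetter" />
      <add key="ClearTextPassword" value="xxxx" />
    </Something>
    <Other>
      <add key="Username" value="ci" />
      <add key="ClearTextPassword" value="%FEED_TOKEN%" />
    </Other>
  </packageSourceCredentials>
</configuration>
"""

ENV_REF = re.compile(r"^%[A-Za-z_][A-Za-z0-9_]*%$")  # NuGet expands %VAR% at load time


def find_credentials(xml_text: str) -> list[tuple[str, str]]:
    """Return (source name, finding) pairs for literal secrets in the config."""
    findings = []
    root = ET.fromstring(xml_text)
    # Literal passwords under <packageSourceCredentials><SourceName><add .../>
    for creds in root.iter("packageSourceCredentials"):
        for feed in creds:
            for add in feed.findall("add"):
                key, value = add.get("key", ""), add.get("value", "")
                if key not in ("ClearTextPassword", "Password") or ENV_REF.match(value):
                    continue  # not a password key, or a placeholder resolved at runtime
                kind = "cleartext" if key == "ClearTextPassword" else "encrypted"
                findings.append((feed.tag, f"{kind} password stored under {key}"))
    # Credentials embedded in a feed URL as user:password@host
    for add in root.iterfind("./packageSources/add"):
        if urlsplit(add.get("value", "")).password:
            findings.append((add.get("key", "?"), "password embedded in source URL"))
    return findings
```

Running find_credentials(SAMPLE_CONFIG) reports the "Something" cleartext password and the password in the "private" source URL, and stays silent on the %FEED_TOKEN% placeholder.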

Hi @dak,

Thanks for your feedback.

Our Hard-coded credentials are security-sensitive rule does not support NuGet config files.

I have created an issue to handle this request.

