Hello Team,
One of our python projects hardcoded passwords in the code. But it is NOT flagged by sonar cloud scanner. Can you please help us to fix this issue.
Sonar Cloud Configuration:
Properties:
sonar.organization=my-org
sonar.projectKey=my-org_ample-python
sonar.sources=./src
sonar.host.url=https://sonarcloud.io
sonar.python.coverage.reportPaths=coverage.xml
sonar.python.version=3.11
sonar.token=SONAR_TOKEN
Quality Profile:
Python - Default: Sonar way
Code Sample:
File Name: main.py
def printHelloWorldMessage(theMessage="hello world"):
password = "Password1230909090"
Thanks
Hello @arun.gunasekaran,
First of all, thanks for the reporting.
The rule that could raise an issue in the snippet you’ve sent is the S2068
.
It doesn’t raise an issue because the string value matches one of the credentials words. This was designed to make the rule less noisy and reduce the number of false positives, e.g., when the value is used to get the program argument or an environment variable.
The possible way of making it raise an issue, in this case, is to change the credentialWords
configuration parameter for the rule from the default "password,passwd,pwd,passphrase"
to something like "password(?!\\d),passwd,pwd,passphrase"
.
We also have the S6437
rule checking for hardcoded credentials based on further value usages, e.g., passing it to a database connection setup.
Thanks,
Maksim Grebeniuk
1 Like