Hello Team,
One of our Python projects has hardcoded passwords in the code, but they are NOT flagged by the SonarCloud scanner. Can you please help us fix this issue?
Sonar Cloud Configuration:
Properties:
sonar.organization=my-org
sonar.projectKey=my-org_ample-python
sonar.sources=./src
sonar.host.url=https://sonarcloud.io
sonar.python.coverage.reportPaths=coverage.xml
sonar.python.version=3.11
sonar.token=SONAR_TOKEN
Quality Profile:
Python - Default: Sonar way
Code Sample:
File Name: main.py
def printHelloWorldMessage(theMessage="hello world"):
    # Hardcoded credential that the scanner does not report
    password = "Password1230909090"
Thanks
Hello @arun.gunasekaran,
First of all, thanks for the report.
The rule that could raise an issue in the snippet you’ve sent is S2068.
It doesn’t raise an issue because the string value matches one of the credential words. This was designed to make the rule less noisy and reduce the number of false positives, e.g., when the value is used to get a program argument or an environment variable.
A possible way of making it raise an issue, in this case, is to change the credentialWords configuration parameter for the rule from the default "password,passwd,pwd,passphrase" to something like "password(?!\\d),passwd,pwd,passphrase".
We also have the S6437 rule, which checks for hardcoded credentials based on further value usages, e.g., passing it to a database connection setup.
Thanks,
Maksim Grebeniuk
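To see why the default configuration stays quiet on the snippet and why the lookahead variant reports it, here is an added model of the two-step check described in the answer. It is not Sonar's own implementation of S2068; the assignment regex, the function names and the sample source are constructed for this illustration.

```python
import re

# Constructed approximation of a hardcoded-credential check (assumption: this
# models the behaviour described in the answer, it is not Sonar's S2068 code).
DEFAULT_CREDENTIAL_WORDS = "password,passwd,pwd,passphrase"
TUNED_CREDENTIAL_WORDS = r"password(?!\d),passwd,pwd,passphrase"

# Matches a simple `name = "literal"` assignment on one line.
ASSIGN_RE = re.compile(
    r'^\s*(?P<name>[A-Za-z_]\w*)\s*=\s*(?P<quote>["\'])(?P<value>.*?)(?P=quote)\s*$'
)


def compile_words(credential_words: str) -> list:
    # Each comma-separated entry is treated as a case-insensitive regex.
    return [re.compile(w.strip(), re.IGNORECASE)
            for w in credential_words.split(",") if w.strip()]


def is_hardcoded_credential(line: str, credential_words: str = DEFAULT_CREDENTIAL_WORDS) -> bool:
    m = ASSIGN_RE.match(line)
    if not m:
        return False
    patterns = compile_words(credential_words)
    name, value = m.group("name"), m.group("value")
    # Step 1: the variable name must look like a credential.
    if not any(p.search(name) for p in patterns):
        return False
    # Step 2 (the noise filter from the answer): a value that itself matches a
    # credential word is treated as a placeholder or key name, not a secret.
    if any(p.search(value) for p in patterns):
        return False
    return True


def scan(source: str, credential_words: str = DEFAULT_CREDENTIAL_WORDS) -> list:
    """Return the 1-based line numbers the model would report."""
    return [i for i, line in enumerate(source.splitlines(), start=1)
            if is_hardcoded_credential(line, credential_words)]


# Constructed sample: line 2 is the question's case, line 3 a plain secret,
# line 4 a placeholder value, line 5 the name of an environment variable.
SAMPLE = '''def printHelloWorldMessage(theMessage="hello world"):
    password = "Password1230909090"
    db_password = "hunter2"
    passwd = "PASSWORD"
    env_key = "DB_PASSWORD"
'''
```

With the default words only line 3 is reported, because "Password1230909090" contains "password"; with the lookahead variant the digit after "Password" breaks the match and line 2 is reported as well, while the placeholder on line 4 stays filtered.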