S2068 "password" flagged in XML incorrectly

Make sure to read this post before raising a thread here:

Then tell us:

  • What language is this for?
    XML
  • Which rule?
    S2068
  • Why do you believe it’s a false-positive/false-negative?
    It's flagging any instance of the "password" string, so something like enablePasswordRetrieval="false" is being flagged.
  • Are you using
    • SonarCloud?
      Yes, I am using SonarCloud, but the warning is not being flagged there (and therefore can't be set to ignore); instead it is showing as a build warning (DevOps build) and failing the no-new-warnings gate.
    • SonarQube - which version?
    • SonarLint - which IDE/version?
      • in connected mode with SonarQube or SonarCloud?
        Connected mode
  • How can we reproduce the problem? Give us a self-contained snippet (best) or screenshot (good)
    Add an XML element with the following attribute: enablePasswordRetrieval="false"

So my DevOps build of a .NET website has started to flag S2068 in the web.config as a warning.
My feeling is that it would be a false positive when it's not the "password" word alone.

If the consensus is that it should be a warning, I'm looking for suggestions on how to either edit the particular rule (is regex possible?), ignore it at the XML file level, or get it flagged at the SonarCloud level so I can ignore it there.

Thanks
Kev

Hey there.

Can you give an example of a web.config file using this attribute?

Hi,

The AspNetSqlMembershipProvider has several instances.

<membership defaultProvider="AspNetSqlMembershipProvider">
  <providers>
    <clear />
    <add name="AspNetSqlMembershipProvider" type="System.Web.Security.SqlMembershipProvider" enablePasswordRetrieval="false" enablePasswordReset="true" requiresQuestionAndAnswer="false" requiresUniqueEmail="true" maxInvalidPasswordAttempts="5" minRequiredPasswordLength="8" minRequiredNonalphanumericCharacters="1" passwordAttemptWindow="10" />
  </providers>
</membership>

Sorry, I misread; here is the full web.config file.

<?xml version="1.0" encoding="utf-8"?>
<!--
  For more information on how to configure your ASP.NET application, please visit
  https://go.microsoft.com/fwlink/?LinkId=169433
  -->
<configuration>
  <system.web>
    <compilation debug="true" targetFramework="4.7.2" />
    <httpRuntime targetFramework="4.7.2" />
    <membership defaultProvider="AspNetSqlMembershipProvider">
      <providers>
        <clear />
        <add name="AspNetSqlMembershipProvider" type="System.Web.Security.SqlMembershipProvider" enablePasswordRetrieval="false" enablePasswordReset="true" requiresQuestionAndAnswer="false" requiresUniqueEmail="true" maxInvalidPasswordAttempts="5" minRequiredPasswordLength="8" minRequiredNonalphanumericCharacters="1" passwordAttemptWindow="10" />
      </providers>
    </membership>
  </system.web>
  <system.codedom>
    <compilers>
      <compiler language="c#;cs;csharp" extension=".cs" type="Microsoft.CodeDom.Providers.DotNetCompilerPlatform.CSharpCodeProvider, Microsoft.CodeDom.Providers.DotNetCompilerPlatform, Version=2.0.1.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" warningLevel="4" compilerOptions="/langversion:default /nowarn:1659;1699;1701" />
      <compiler language="vb;vbs;visualbasic;vbscript" extension=".vb" type="Microsoft.CodeDom.Providers.DotNetCompilerPlatform.VBCodeProvider, Microsoft.CodeDom.Providers.DotNetCompilerPlatform, Version=2.0.1.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" warningLevel="4" compilerOptions="/langversion:default /nowarn:41008 /define:_MYTYPE=\&quot;Web\&quot; /optionInfer+" />
    </compilers>
  </system.codedom>
</configuration>

Hi Kevin,

Thanks for sharing your config! It is a simple rule that basically just checks whether a string assigned to a variable (or, in this case, an attribute) contains "password" or some other keywords.

I have created an internal ticket to specify a solution for your specific case. I already have a few ideas. For now, I would just recommend reviewing the issue as a false positive.

Best regards,
Hendrik
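
The keyword check Hendrik describes (a string on a variable or attribute that contains "password" gets flagged) can be illustrated with a small script. The following Python is an added example written for this page; it is not SonarSource's S2068 implementation and not code from the thread. It assumes its own keyword list and value filter, runs a naive name/value keyword check beside a value-aware one over a trimmed copy of Kevin's web.config plus one constructed connection string carrying a made-up password, and shows that only the value-aware version confines the finding to the actual credential while leaving the membership-provider policy attributes alone.

```python
"""
Keyword-based hard-coded credential check over XML attributes.

Added, hypothetical illustration of the kind of check described in the
thread (flag an attribute whose name contains "password"). It shows why
enablePasswordRetrieval="false" trips a naive version and how a
value-aware version avoids that. This is NOT SonarSource's S2068 code.
"""
import re
import xml.etree.ElementTree as ET

# Keywords the naive check looks for (assumed list, not Sonar's).
KEYWORDS = ("password", "passwd", "pwd")

# Values that cannot be a credential: booleans and plain integers, which is
# exactly what the membership-provider attributes in the thread carry.
NON_SECRET_VALUE = re.compile(r"^(true|false|\d+)$", re.IGNORECASE)

# Externalised secrets: ${VAR}, %VAR%, {{var}} style placeholders.
PLACEHOLDER = re.compile(r"^(\$\{[^}]*\}|%[^%]*%|\{\{[^}]*\}\})$")

# Connection-string style secret inside a value: "...;Password=abc;...".
CONN_STRING_SECRET = re.compile(r"(?i)\b(password|passwd|pwd)\s*=\s*[^;\s]+")

# Constructed sample: a trimmed copy of the web.config posted above, plus one
# connection string with a made-up password so a true positive is present.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <membership defaultProvider="AspNetSqlMembershipProvider">
      <providers>
        <clear />
        <add name="AspNetSqlMembershipProvider"
             type="System.Web.Security.SqlMembershipProvider"
             enablePasswordRetrieval="false"
             enablePasswordReset="true"
             maxInvalidPasswordAttempts="5"
             minRequiredPasswordLength="8"
             passwordAttemptWindow="10" />
      </providers>
    </membership>
  </system.web>
  <connectionStrings>
    <add name="Db" connectionString="Server=db;User Id=app;Password=Hunter2!" />
  </connectionStrings>
</configuration>
"""


def _attributes(xml_text):
    """Yield (tag, attribute name, attribute value) for every attribute."""
    root = ET.fromstring(xml_text)
    for elem in root.iter():
        for name, value in elem.attrib.items():
            yield elem.tag, name, value


def naive_findings(xml_text):
    """Flag any attribute whose name or value contains a keyword.

    This is the behaviour the thread complains about: every *Password*
    policy setting on the membership provider is reported.
    """
    return [
        (tag, name, value)
        for tag, name, value in _attributes(xml_text)
        if any(k in name.lower() or k in value.lower() for k in KEYWORDS)
    ]


def is_hardcoded_credential(name, value):
    """Value-aware check: report only an attribute that plausibly holds a secret."""
    # A "Password=..." fragment inside the value (connection strings) is a hit
    # regardless of the attribute name.
    if CONN_STRING_SECRET.search(value):
        return True
    # Otherwise the attribute name itself must *be* the credential
    # (password, userPwd, dbPasswd), not merely mention it
    # (enablePasswordRetrieval, passwordAttemptWindow).
    if not name.lower().endswith(KEYWORDS):
        return False
    # Booleans, integers, empty values and placeholders are not secrets.
    if not value or NON_SECRET_VALUE.match(value) or PLACEHOLDER.match(value):
        return False
    return True


def refined_findings(xml_text):
    """Run the value-aware check over every attribute in the document."""
    return [
        (tag, name, value)
        for tag, name, value in _attributes(xml_text)
        if is_hardcoded_credential(name, value)
    ]


if __name__ == "__main__":
    for label, fn in (("naive", naive_findings), ("refined", refined_findings)):
        print(f"{label}:")
        for tag, name, value in fn(SAMPLE_CONFIG):
            print(f"  <{tag} {name}={value!r}>")
```

On the sample above the naive pass reports six attributes (the five membership-provider policy settings plus the connection string), while the value-aware pass reports only the connection string. The two filters that make the difference are cheap and local: the attribute name has to end in the credential keyword rather than merely contain it, and boolean, numeric, empty or placeholder values are never treated as secrets. Neither filter says anything about what S2068 actually does; they are just the obvious refinements a practitioner would want when triaging this kind of finding.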

Thanks for the update Hendrik.

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.