S2068 rule only detecting security hotspots inside single and double quote but not backticks

  • What language is this for?
    Typescript

  • Which rule?
    S2068

  • Why do you believe it’s a false-negative?

Sonarqube does not detect security hotspots inside `` but detects them inside '' and ""

Example:

:x: not detectable

ApiUnSecure: () => `${ENV_VAR_API}/path?password=supersecretpassword`

:white_check_mark: detectable

ApiUnSecure: () => '${ENV_VAR_API}/path?password=supersecretpassword'
ApiUnSecure: () => "${ENV_VAR_API}/path?password=supersecretpassword"

  • Sonarqube version
    I’m using SonarQube Server / Community Build - v24.12.0.100206

  • How can we reproduce the problem? Give us a self-contained snippet of code (formatted text, no screenshots)

snippet

// Insecure examples with hardcoded secrets
const API_ENDPOINTS = {
    // detectable security hotspots by rule S2068
    createEntityNotSecureSingle: () => '${BASE_API}/?password=supersecretpassword',
    createEntityNotSecureDouble: () => "${BASE_API}?password=supersecretpassword",

    // undetectable security hotspots by rule S2068
    createEntityNotSecureBacktick: () => `${BASE_API}?password=supersecretpassword`,
};

export default API_ENDPOINTS;
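To make the reported gap concrete, here is an added example (not SonarJS code and not the reporter's snippet): a minimal single-pass scanner that pulls every string-like literal out of TypeScript/JavaScript source, tags it as single-quoted, double-quoted or template, and checks it against a constructed password heuristic. Running it in "quoted literals only" mode reproduces the behaviour described above (the backtick case is missed); including template literals closes the gap. `PASSWORD_PATTERN`, `SAMPLE_SOURCE` and all function names are this example's own assumptions, and the regex only approximates what S2068 looks for.

```typescript
// Added example (not SonarJS code): extract string-like literals from source
// text and flag hardcoded passwords, with and without template literals.
// PASSWORD_PATTERN is a constructed approximation of the S2068 heuristic.

type LiteralKind = "single" | "double" | "template";

interface StringLike {
  kind: LiteralKind;
  line: number; // 1-based line where the literal starts
  text: string; // raw content between the delimiters
}

interface Finding extends StringLike {
  rule: string;
}

// Constructed heuristic: credential keyword, then '=' or ':', then a value.
const PASSWORD_PATTERN = /\b(password|passwd|pwd)\b\s*[=:]\s*[^\s&'"`]+/i;

function countNewlines(s: string): number {
  return s.split("\n").length - 1;
}

// Return the index just past the closing quote of the ' or " literal at start.
function readQuoted(source: string, start: number): number {
  const quote = source[start];
  let i = start + 1;
  while (i < source.length && source[i] !== quote && source[i] !== "\n") {
    if (source[i] === "\\") i++; // skip the escaped character
    i++;
  }
  return Math.min(i + 1, source.length);
}

// Return the index just past the closing backtick of the template literal at
// start. `${ ... }` substitutions are walked with a brace counter so a `}`
// inside an expression does not end the literal early. Strings nested inside
// substitutions are not re-scanned; that is a simplification of this example.
function readTemplate(source: string, start: number): number {
  let i = start + 1;
  while (i < source.length && source[i] !== "`") {
    if (source[i] === "\\") { i += 2; continue; }
    if (source[i] === "$" && source[i + 1] === "{") {
      let depth = 1;
      i += 2;
      while (i < source.length && depth > 0) {
        if (source[i] === "{") depth++;
        else if (source[i] === "}") depth--;
        i++;
      }
      continue;
    }
    i++;
  }
  return Math.min(i + 1, source.length);
}

// One pass over the source: skip comments, collect every literal with its kind.
function extractStringLikes(source: string): StringLike[] {
  const out: StringLike[] = [];
  let line = 1;
  let i = 0;
  while (i < source.length) {
    const ch = source[i];
    if (ch === "\n") { line++; i++; continue; }
    if (ch === "/" && source[i + 1] === "/") {           // line comment
      while (i < source.length && source[i] !== "\n") i++;
      continue;
    }
    if (ch === "/" && source[i + 1] === "*") {           // block comment
      const end = source.indexOf("*/", i + 2);
      const stop = end === -1 ? source.length : end + 2;
      line += countNewlines(source.slice(i, stop));
      i = stop;
      continue;
    }
    if (ch === "'" || ch === '"' || ch === "`") {
      const end = ch === "`" ? readTemplate(source, i) : readQuoted(source, i);
      const kind: LiteralKind = ch === "'" ? "single" : ch === '"' ? "double" : "template";
      out.push({ kind, line, text: source.slice(i + 1, Math.max(i + 1, end - 1)) });
      line += countNewlines(source.slice(i, end));
      i = end;
      continue;
    }
    i++;
  }
  return out;
}

// includeTemplates=false mirrors a rule that only considers quoted string
// literals (the reported behaviour); true also covers backtick literals.
function findHardcodedPasswords(source: string, includeTemplates: boolean): Finding[] {
  return extractStringLikes(source)
    .filter((s) => includeTemplates || s.kind !== "template")
    .filter((s) => PASSWORD_PATTERN.test(s.text))
    .map((s) => ({ ...s, rule: "S2068-like (constructed heuristic)" }));
}

// Constructed sample input, mirroring the shape of the reported snippet.
const SAMPLE_SOURCE = [
  "// constructed sample",
  "const API_ENDPOINTS = {",
  "    createEntityNotSecureSingle: () => '${BASE_API}/?password=supersecretpassword',",
  '    createEntityNotSecureDouble: () => "${BASE_API}?password=supersecretpassword",',
  "    createEntityNotSecureBacktick: () => `${BASE_API}?password=supersecretpassword`,",
  "    healthCheck: () => `${BASE_API}/health`,",
  "};",
].join("\n");

console.log("quoted only:", findHardcodedPasswords(SAMPLE_SOURCE, false).map((f) => f.line));
console.log("with templates:", findHardcodedPasswords(SAMPLE_SOURCE, true).map((f) => f.line));
```

The quoted-only scan reports lines 3 and 4 of the sample; the full scan adds line 5, the backtick case. A real fix in the rule would sit on the AST rather than on raw text (covering `TemplateLiteral` nodes alongside string literals), but the text scanner is enough to show which literal kinds a detector does and does not visit.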

Hi @Moustafa_Atef_Saad,

Good catch! I checked the source code of S2068 and, as you suspected, it only considers string literals.

I opened a Jira ticket to make sure that the issue is fixed in the next release.

Thanks for the report.

Eric.

Hi Eric,

Thanks a lot for checking the issue and for your response.
I could work on fixing this issue.
Could you guide me on how to contribute to the SonarJS?

Thank you for your feedback

BR,
Moustafa Atef Saad

Hey @Moustafa_Atef_Saad

While we are not actively seeking contributions, you can find our guide on contributing here.