What language is this for?
TypeScript
Which rule?
S2068
Why do you believe it’s a false-negative?
SonarQube does not detect security hotspots inside `` (backticks) but detects them inside '' and "".
Example:

Not detectable:

```typescript
ApiUnSecure: () => `${ENV_VAR_API}/path?password=supersecretpassword`
```

Detectable:

```typescript
ApiUnSecure: () => '${ENV_VAR_API}/path?password=supersecretpassword'
ApiUnSecure: () => "${ENV_VAR_API}/path?password=supersecretpassword"
```
SonarQube version
I'm using SonarQube Server / Community Build - v24.12.0.100206
How can we reproduce the problem? Give us a self-contained snippet of code (formatted text, no screenshots)
Snippet:

```typescript
// Insecure examples with hardcoded secrets
const BASE_API = process.env.BASE_API ?? ""; // added so the snippet compiles; not in the original report
const API_ENDPOINTS = {
  // detectable security hotspots by rule S2068
  createEntityNotSecureSingle: () => '${BASE_API}/?password=supersecretpassword',
  createEntityNotSecureDouble: () => "${BASE_API}?password=supersecretpassword",
  // undetectable security hotspots by rule S2068
  createEntityNotSecureBacktick: () => `${BASE_API}?password=supersecretpassword`,
};
export default API_ENDPOINTS;
```
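An added example, not part of the report above and not SonarQube's own S2068 implementation: a minimal TypeScript scanner that treats single-, double- and backtick-quoted literals alike when looking for hard-coded credentials, which is the behaviour the report expects from the rule. It can serve as a stopgap check in CI until template literals are covered. The credential keyword list, the function names and the sample source are constructed for this example.

```typescript
// Added example, not part of the original report or of SonarQube's S2068
// implementation: a minimal scanner that looks for hard-coded credentials in
// single-, double- and backtick-quoted literals alike. Keyword list, function
// names and sample input are constructed for this example.

type Finding = { line: number; quote: string; literal: string };

// Keyword followed by "=" or ":" and a literal value. The negative lookahead
// skips values that are interpolated from an expression (`${...}`), since
// those are not hard-coded in the source. This keyword list is an assumption.
const CREDENTIAL_PATTERN =
  /\b(password|passwd|pwd|secret|token)\b\s*[=:]\s*(?!\$\{)[^'"&\s]+/i;

// Walks the source, extracts every string literal regardless of quote kind and
// records the ones whose contents match CREDENTIAL_PATTERN. Line comments are
// skipped. Limitations (kept simple on purpose): block comments, regex literals
// and template literals nested inside `${...}` are not handled.
function findHardcodedCredentials(source: string): Finding[] {
  const findings: Finding[] = [];
  let line = 1;
  let i = 0;
  while (i < source.length) {
    const ch = source[i];
    if (ch === "\n") {
      line++;
      i++;
      continue;
    }
    if (ch === "/" && source[i + 1] === "/") {
      // skip the rest of a line comment
      while (i < source.length && source[i] !== "\n") i++;
      continue;
    }
    if (ch === "'" || ch === '"' || ch === "`") {
      const quote = ch;
      const startLine = line;
      let literal = "";
      let j = i + 1;
      while (j < source.length && source[j] !== quote) {
        if (source[j] === "\\" && j + 1 < source.length) {
          // keep the escaped character, drop the backslash
          literal += source[j + 1];
          j += 2;
          continue;
        }
        if (source[j] === "\n") line++;
        literal += source[j];
        j++;
      }
      if (CREDENTIAL_PATTERN.test(literal)) {
        findings.push({ line: startLine, quote, literal });
      }
      i = j + 1; // step past the closing quote
      continue;
    }
    i++;
  }
  return findings;
}

// Constructed sample mirroring the report's snippet, plus one safe variant that
// reads the password from the environment and one commented-out line.
const SAMPLE_SOURCE = [
  "const API_ENDPOINTS = {",
  "  single: () => '${BASE_API}/?password=supersecretpassword',",
  '  double: () => "${BASE_API}?password=supersecretpassword",',
  "  backtick: () => `${BASE_API}?password=supersecretpassword`,",
  "  fromEnv: () => `${BASE_API}?password=${process.env.API_PASSWORD}`,",
  "  // old: () => `${BASE_API}?password=retiredsecret`,",
  "};",
].join("\n");

// Expected: three findings, on lines 2, 3 and 4 (one per quote kind); the
// interpolated and commented-out variants are not reported.
for (const f of findHardcodedCredentials(SAMPLE_SOURCE)) {
  console.log(`line ${f.line}: credential in ${f.quote}-quoted literal: ${f.literal}`);
}
```

The scanner deliberately does not distinguish quote kinds when matching, so a template literal whose value is itself a constant is reported exactly like a plain string, while a value interpolated from an expression is left alone.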