S6703 with string interpolation causing false positive

The rule S6703 is causing a false positive when we are using string interpolation. Here is an example of the code:

string connectionString = $"Data Source={session.Data["DATABASESERVER"]}; initial Catalog=master; User ID={session.Data["DATABASELOGIN"]};Password={session.Data["DATABASEPASSWORD"]};Application Name…";

Here we are using a class to obtain the password but SonarQube indicates a message “Make sure this database password gets changed and removed from the code.”

In the section “How can fix it” SonarQube suggests the same code using string.format. We think that string interpolation is not supported by this rule.

Our SonarQube version is 10.2.1.78527.

Hi Eugenio,

thank you for your report! This rule is part of sonar-text (configuration) which uses regular expressions to search for passwords. As such, there are unfortunately cases like this where the detection does not work correctly. For now, I would recommend reviewing this issue as a false positive, but I will create an internal hardening ticket to try to filter out this edge case in the future.
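
The false positive discussed in this thread, reproduced with a deliberately simple pattern, together with one way to filter it out. This is an added example, not code from the thread and not the expression sonar-text actually uses; the patterns, function names and sample lines are constructed for illustration.

```python
import re

# Key part shared by both patterns: "Password=" or "Pwd=" in a connection string.
KEY = r'\b(?:password|pwd)\s*=\s*'

# Naive: whatever follows the key up to ';', '"' or whitespace is a secret.
NAIVE_RE = re.compile(KEY + r'(?P<literal>[^;"\s]+)', re.IGNORECASE)

# Hardened: first try to read the value as ONE placeholder, i.e. a C#
# interpolation hole {expr} or a format item {0}, which must end the value.
# "{{" is an escaped literal brace in C#, so it is not treated as a hole.
# Nested braces inside a hole are out of scope for this sketch.
HARDENED_RE = re.compile(
    KEY
    + r'(?:(?P<hole>\{(?!\{)[^{}]+\})(?=\s*[;"]|\s*$)'
    + r'|(?P<literal>[^;"\s]+))',
    re.IGNORECASE,
)

def naive_findings(source):
    """Values the naive pattern would report as hardcoded passwords."""
    return [m.group('literal') for m in NAIVE_RE.finditer(source)]

def hardened_findings(source):
    """Same search, but values supplied at runtime via a placeholder are skipped."""
    return [m.group('literal') for m in HARDENED_RE.finditer(source)
            if m.group('literal') is not None]

# Constructed sample lines (not taken from any real code base).
SAMPLES = {
    "interpolated": 'string cs = $"Data Source={session.Data["DATABASESERVER"]};'
                    'Password={session.Data["DATABASEPASSWORD"]};";',
    "format": 'string cs = string.Format("Data Source=db;Password={0};", pwd);',
    "hardcoded": 'string cs = "Data Source=db;User ID=app;Password=Sup3rS3cret!;";',
    "escaped": 'string cs = $"Data Source=db;Password={{literal}};";',
}

if __name__ == "__main__":
    for name, line in SAMPLES.items():
        print(f"{name:13} naive={naive_findings(line)} "
              f"hardened={hardened_findings(line)}")
```

The naive pattern stops at the first quote inside the interpolation hole and reports the fragment as a password, while the hardened pattern still reports the genuinely hardcoded and escaped-brace values.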