Scanning and rules not being applicable on application.properties file of a java project

Hi Team,
Please suggest a solution to the problem given below at the 3rd step:

  • Sonar Version sonarqube-9.9.1.69595 and Scanner version sonar-scanner-cli-4.8.0.2856-windows
  • System information (Operating system-Windows 11, Java version 17 , Database - PostgreSQL)
  • Facing the issue in scanning of a Java project. The project is being scanned by SonarQube, but the analysis report is not applying any rule on the application.properties file, which contains hard-coded Java and SQL credentials. I want to check whether, after scanning the complete project, the hard-coded credential rule is applied or not, while the hard-coded credential is present in the application.properties file.

Thanks & Regards
Vikas Verma

Hello,

The behavior you are describing is the expected one even if it’s not the best.
As of now, with SQ 9.9.1, Sonar scans for secrets only in the files that are indexed by a given language analyzer. Because there is no analyzer dedicated to .properties files, these files are ignored by the Secret Detection engine.

This is something we would like to improve in the next versions.

Alex
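
Since SonarQube 9.9.1 does not index .properties files for secret detection, a practitioner on that version needs a separate check for the application.properties case the question describes. The following script is an added example and is not SonarQube code or a SonarSource rule: it parses java.util.Properties syntax (comments, `=`/`:` separators, backslash continuations), flags credential-looking keys with literal values, skips `${ENV}` placeholders, and also catches a password embedded in a JDBC URL query string. The sample properties file is constructed for the example; the key patterns and placeholder list are assumptions to tune for a real project.

```python
"""Interim check for hard-coded credentials in a Java .properties file.

Added example, not SonarQube code: SonarQube 9.9.1's secret detection skips
.properties files, so this script inspects them itself.
"""
import re

# Constructed sample of a Spring Boot application.properties (not from the thread).
SAMPLE_PROPERTIES = """\
# Datasource settings
spring.datasource.url=jdbc:postgresql://db.internal:5432/app?user=app&password=Tr0ub4dor
spring.datasource.username=app
spring.datasource.password=S3cretPassw0rd!
spring.datasource.driver-class-name=org.postgresql.Driver
# Secret read from the environment at startup: not a finding
api.client.secret=${API_CLIENT_SECRET}
# Placeholder value: not a finding
mail.smtp.password=changeme
# Continuation line: the value spans two physical lines
aws.secret.access.key = wJalrXUtnFEMI/K7MDENG/bPxRfiCY\\
EXAMPLEKEY
server.port=8080
"""

# Key fragments that usually name a credential (assumed list, extend as needed).
CREDENTIAL_KEY_RE = re.compile(
    r"(password|passwd|pwd|secret|token|api[-_.]?key|access[-_.]?key|private[-_.]?key)",
    re.IGNORECASE,
)
# Values that are clearly not real secrets: externalised lookups or placeholders.
PLACEHOLDER_RE = re.compile(
    r"^(\$\{[^}]*\}|changeme|change_me|todo|xxx+|<[^>]*>|\*+|)$", re.IGNORECASE
)
# A password carried in a JDBC-style URL query string.
URL_PASSWORD_RE = re.compile(r"[?&;](password|pwd)=([^&;\s]+)", re.IGNORECASE)


def _is_continued(line):
    """An odd number of trailing backslashes means the logical line continues."""
    return (len(line) - len(line.rstrip("\\"))) % 2 == 1


def parse_properties(text):
    """Parse java.util.Properties syntax into (key, value) pairs.

    Handles '#'/'!' comment lines, '=' or ':' separators (or whitespace),
    and backslash line continuations. Other escape sequences are left
    as-is, which is enough for spotting credentials.
    """
    pairs = []
    logical = []  # pieces of the logical line currently being assembled
    for raw in text.splitlines():
        line = raw.strip()
        if logical:
            logical.append(line)  # continuation lines are value text, even if they start with '#'
        elif not line or line[0] in "#!":
            continue  # blank or comment; comments cannot be continued
        else:
            logical.append(line)
        if _is_continued(line):
            logical[-1] = line[:-1]  # drop the continuation marker and keep reading
            continue
        joined = "".join(logical)
        logical = []
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", joined)
        if m:
            pairs.append((m.group(1), m.group(2).strip()))
    return pairs


def find_hardcoded_credentials(text):
    """Return (key, reason) pairs for properties that look like hard-coded secrets."""
    findings = []
    for key, value in parse_properties(text):
        if CREDENTIAL_KEY_RE.search(key) and not PLACEHOLDER_RE.match(value):
            findings.append((key, "credential-like key with literal value"))
        url_match = URL_PASSWORD_RE.search(value)
        if url_match and not PLACEHOLDER_RE.match(url_match.group(2)):
            findings.append((key, "password embedded in connection URL"))
    return findings


if __name__ == "__main__":
    for key, reason in find_hardcoded_credentials(SAMPLE_PROPERTIES):
        print(f"{key}: {reason}")
```

Run against the constructed sample, it reports `spring.datasource.url` (password in the JDBC URL), `spring.datasource.password`, and `aws.secret.access.key` (value reassembled across the continuation), and stays silent on the `${API_CLIENT_SECRET}` lookup and the `changeme` placeholder. Point it at a real application.properties by reading the file into `find_hardcoded_credentials` instead of `SAMPLE_PROPERTIES`.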

Is there any update on the .properties file scanning?

Hey @Sohel_Ahmed

You may want to look at this thread:

What @Alexandre_Gigleux discusses here is applicable to SonarQube Server v10.3+ and SonarQube Cloud.