Scanning configuration files

Must-share information (formatted with Markdown):

  • which versions are you using (SonarQube, Scanner, Plugin, and any relevant extension)
    Enterprise Edition Version 9.6 (build 59041)
  • what are you trying to achieve
    Scan config files part of the application, as developers tend to store sensitive data in plain text on config files
  • what have you tried so far to achieve this
    Config files are not getting scanned. Need confirmation whether config files are supported.

Hi,

Welcome to the community!

Your plain text files are being scanned, but probably only for bidirectional characters.

Can you share what file extensions you’re interested in, and what patterns (e.g. key=value) you expect to be analyzed?

Thx,
Ann

We are looking to scan .config files.
Patterns are,

  • Password=value
  • Key=value
  • key="name" value="value"

Hi,

Thanks for the details. I’m going to ping internally on this (but I wouldn’t hold my breath if I were you).

Ann

.config files should be parsed as text as well as XML files. Also I’m trying to understand if and how SonarCloud password rules can be configured. e.g. rule “Hard-coded secrets are security-sensitive” (java:S6418) states:

Parameters

credentialWords: Comma separated list of words identifying potential credentials
Default Value: password,passwd,pwd

How can the SonarCloud default configurations be changed for credentialWords? Is this only supported in SonarQube? It would be great to have this in SonarCloud as well. The filter could also be extended with other defaults to find more secrets.
As OP mentioned, developers often store secrets such as DB credentials, tokens, passwords, and salts in .config files, and there are rules for finding password strings in text files. As it turns out, these rules are not applied to those files.
Thanks for your support.
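An added example, not part of this thread and not SonarQube's or SonarCloud's own code, showing the check the thread is asking for: a scanner over .config content for the `Password=value` / `Key=value` lines and the `key="name" value="value"` XML entries listed above, keyed on the java:S6418 default credentialWords list and extensible with extra words. The sample config, the placeholder heuristic and the extended word list are constructed for illustration.

```python
import re
from typing import List, Tuple

# Default credential words, mirroring the java:S6418 default value from the thread.
CREDENTIAL_WORDS = ("password", "passwd", "pwd")

# Pattern 1: plain key=value lines (Password=..., Key=...).
KV_RE = re.compile(r'^\s*(?P<key>[A-Za-z0-9_.\-]+)\s*=\s*(?P<value>.+?)\s*$')
# Pattern 2: .NET-style XML entries: key="name" value="value".
XML_RE = re.compile(r'key\s*=\s*"(?P<key>[^"]*)"\s+value\s*=\s*"(?P<value>[^"]*)"', re.IGNORECASE)

def is_credential_key(key: str, words=CREDENTIAL_WORDS) -> bool:
    """True if any credential word appears in the key name (case-insensitive)."""
    k = key.lower()
    return any(w in k for w in words)

def looks_like_placeholder(value: str) -> bool:
    """Heuristic (constructed): skip env-var style references and obvious dummies
    so that ${DB_PASSWD} or %SECRET% is not reported as a hard-coded secret."""
    v = value.strip()
    return v == "" or v.startswith("${") or v.startswith("%") or v.lower() in {"changeme", "todo"}

def scan_config_text(text: str, words=CREDENTIAL_WORDS) -> List[Tuple[int, str]]:
    """Return (line number, key) for every line whose key looks credential-like
    and whose value is a literal rather than a placeholder."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rx in (XML_RE, KV_RE):      # XML form first, then plain key=value
            m = rx.search(line)
            if m:
                key, value = m.group("key"), m.group("value")
                if is_credential_key(key, words) and not looks_like_placeholder(value):
                    findings.append((lineno, key))
                break
    return findings

# Constructed sample .config content; none of these values are real.
SAMPLE_CONFIG = """\
; constructed sample, not a real configuration
Username=svc_app
Password=hunter2
ApiKey=abc123
DbPasswd=${DB_PASSWD}
<add key="SmtpPwd" value="mailpass" />
<add key="Timeout" value="30" />
"""

if __name__ == "__main__":
    print(scan_config_text(SAMPLE_CONFIG))                                   # default words
    print(scan_config_text(SAMPLE_CONFIG, words=CREDENTIAL_WORDS + ("key",)))  # extended list
```

With the default list only the Password and SmtpPwd lines are reported; adding "key" to the word list, as the last post suggests, also catches ApiKey, while the ${DB_PASSWD} reference is skipped as a placeholder.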