secrets:S6703 & java:S6437 using Ansible variable with double curly brackets

Hello,
in my project (mainly Java/Spring) I get a secrets:S6703 (“Make sure this database password gets changed and removed from the code”) and java:S6437 (“Revoke and change this password, as it is compromised”) on a properties file like this:
spring.datasource.password={{spring_datasource_password}}
For me it should not be seen as an issue since it is not a password but the way Ansible uses “{{ var }}” for variables.
The value (password) will be set at deployment time.
Is there a way to not have this, which looks like a false positive to me?

Using Community Build v24.12.0.100206

Hey there.

What product(s) are you using, and what version?

Hey!
Sorry.
I have updated my question with this information.

Thanks!

I can confirm that we have an open ticket in our (private) backlog to tackle this false-positive. I will add your report to the list of feedback we’ve gotten, which helps us to prioritize.

For now, you can mark the issue as a false-positive.

:warning: Only the latest version of SonarQube Community Build is considered active, so you’ll need to upgrade and see if the situation is still replicable before we can help you.

Your upgrade path is:

24.12 → 25.3

You may find these resources helpful:

Thank you very much Colin.
I’ll wait for the fix in a future release.

Best regards
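
As an added example that is not part of the thread and not Sonar's rule logic: a pre-scan check for `.properties` files that treats a credential value as a placeholder only when it is a single bare Jinja2 variable reference, like the `{{spring_datasource_password}}` line in the question. The key-name list, the function names and the sample file are assumptions constructed for this example.

```python
import re

# Key names treated as credentials (assumed list for this example).
SECRET_KEY = re.compile(r"(password|passwd|secret|token)$", re.IGNORECASE)

# A value that is exactly one Jinja2 expression holding a bare variable
# reference (dotted names allowed) with optional argument-less filters,
# e.g. {{ spring_datasource_password }} or {{ vault.db.password | trim }}.
# Quoted literals such as {{ 'hunter2' }} deliberately do not match.
JINJA_VAR = re.compile(
    r"^\{\{\s*[A-Za-z_]\w*(\.[A-Za-z_]\w*)*"
    r"(\s*\|\s*[A-Za-z_]\w*)*\s*\}\}$"
)

def parse_properties(text):
    """Yield (line_no, key, value) per key/value line (no line continuations)."""
    for no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line[0] in "#!":      # blank line or comment
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)$", line)
        if m:
            yield no, m.group(1), m.group(2).strip()

def classify(value):
    """Return 'placeholder' for a bare Jinja2 variable, otherwise 'literal'."""
    return "placeholder" if JINJA_VAR.match(value) else "literal"

def hardcoded_secrets(text):
    """Return [(line_no, key)] for credential keys whose value is a literal."""
    return [(no, key) for no, key, value in parse_properties(text)
            if SECRET_KEY.search(key) and value and classify(value) == "literal"]

# Constructed sample file; only the datasource password line is from the thread.
SAMPLE = """\
# constructed sample
spring.datasource.url=jdbc:postgresql://db:5432/app
spring.datasource.password={{spring_datasource_password}}
spring.mail.password = {{ vault.mail.password | trim }}
app.admin.password=S3cr3t-Example
app.api.token={{ 'literal-inside-braces' }}
"""

if __name__ == "__main__":
    for no, key in hardcoded_secrets(SAMPLE):
        print(f"line {no}: {key} holds a literal value")
```

The check is conservative: mixed values and filters with arguments are reported as literals, so a reviewer still sees them.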
