Hello, in my project (mainly Java/Spring) I get a secrets:S6703 (“Make sure this database password gets changed and removed from the code”) and java:S6437 (" Revoke and change this password, as it is compromised") on a properties file like this: spring.datasource.password={{spring_datasource_passw…

Thanks! I can confirm that we have an open ticket in our (private) backlog to tackle this false-positive. I will add your report to the list of feedback we’ve gotten, which helps us to prioritize. For now, you can mark the issue as a false-positive. :warning: Only the latest version of SonarQube …

secrets:S6703 & java:S6437 using Ansible variable with double curly brackets

Rules and Languages

Colin (Colin) April 9, 2025, 7:12am 2

Hey there.

What product(s) are you using, and what version?

Topic		Replies	Views
False positive for 'Password' detected in this expression, review this potentially hard-coded credential SonarQube Server / Community Build java , security , false-positive , bug-no-category	4	5105	April 16, 2025
False Positive squid:S2068 with @JMSPasswordCredential Report False-positive / False-negative... java	1	1017	January 29, 2019
False positives by rule "Credentials should not be hard-coded" SonarQube Server / Community Build java , bug-no-category	3	1468	January 4, 2019
"Database passwords should not be disclosed" not always detecting SonarQube Cloud database , security , secrets , appsec	4	1992	October 19, 2023
java:S6857 reporting for #{ expression using a variable Report False-positive / False-negative...	2	155	May 2, 2025

secrets:S6703 & java:S6437 using Ansible variable with double curly brackets

Related topics