SonarQube Cloud
We are getting comments on our Pull request scans. We run Azure Pipelines. The rule reacts to module references in our terraform code.
Hello Stine,
Thank you for your question!
Just from the screenshot it is really hard for me to understand where exactly an issue for S8135 is raised.
Can you maybe share another screenshot from SonarQube Cloud (e.g. when you click on the “See it in SonarQube Cloud” button from the screenshot)?
Is there actually a JWT in the code (or is there anything containing “eyJ” nearby)?
Thanks!
Daniel
Hi! Certainly! There is no actual JWT in the code. However, when we look at it in SonarQube Cloud it has “inserted” it there somehow. Maybe something about the way it interprets the path to the module in Azure DevOps?
It is also worth noting that this is triggering on old, unchanged code. So this beta rule seems to not be refined enough. This is pure Terraform code (json), and the module references point to a URL in Azure DevOps where our modules are, so different repositories…
Thank you for your quick reply!
To me it seems that at scan time, the file was changed to include this token, maybe as part of the CI/CD that also triggers the scan?
Do you know if there are any build steps or transformations run on the code before scanning it?
I am very certain that it is not SonarQube Cloud that is injecting this token.
Please also review the token from the screenshot because it was not redacted from the (if it is a long-lived token I suggest revoking it).
Best,
Daniel
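A small check that can be run in the pipeline right before the scan step to see what the scanner will actually read, added here as an illustration and not code from the thread or from SonarSource. The "eyJ" three-segment heuristic is my own approximation of a JWT-shaped string (an assumption about what S8135 looks for), and the Terraform sample, the token inside it and the rewritten URL are constructed to mirror the hypothesis above that a CI step inserted a credential into a module source URL.

```python
import base64
import json
import re

# JWT-shaped strings: three base64url segments, the first starting with "eyJ"
# (base64 of '{"'). This approximates the rule's hint; it is an assumption.
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*")


def _decode_segment(seg):
    # base64url tokens are unpadded; restore padding before decoding
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))


def is_real_jwt(candidate):
    """True only if the first segment is a JSON object carrying an 'alg' field."""
    try:
        header = json.loads(_decode_segment(candidate.split(".")[0]))
    except ValueError:  # bad base64 or not JSON: looks like a JWT, is not one
        return False
    return isinstance(header, dict) and "alg" in header


def find_jwt_like(text):
    """Return (line_no, is_jwt, redacted_preview) for each JWT-shaped match."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in JWT_RE.finditer(line):
            token = m.group(0)
            # never echo the full value into build logs; keep a short preview
            hits.append((line_no, is_real_jwt(token), token[:8] + "..." + token[-4:]))
    return hits


def _b64url(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


# Constructed sample token (header/payload are real JSON, signature is junk).
SAMPLE_TOKEN = _b64url({"alg": "HS256", "typ": "JWT"}) + "." + _b64url({"sub": "ci"}) + ".sig-not-real"

# Constructed Terraform: the committed reference, then the same reference after a
# hypothetical CI step rewrote the URL to carry the token as a credential.
SAMPLE_TF = f'''module "network" {{
  source = "git::https://dev.azure.com/org/project/_git/modules//network?ref=v1.2.0"
}}
module "storage" {{
  source = "git::https://user:{SAMPLE_TOKEN}@dev.azure.com/org/project/_git/modules//storage?ref=v1.2.0"
}}
'''

if __name__ == "__main__":
    for line_no, real, preview in find_jwt_like(SAMPLE_TF):
        print(f"line {line_no}: {'JWT' if real else 'JWT-shaped, not a JWT'} {preview}")
```

Running it over the checked-out workspace in the same job as the scanner shows whether the token is present on disk at scan time, which is the question raised above.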