Sonar Secrets Plugins Support for SonarQube 9.9 LTS

Hello Team,

We are upgrading SonarQube from v8.9 to v9.9 LTS.
Due to Java version incompatibility, we discovered that the following plugins are not supported in the SonarQube 9.9 version.

sonar-secrets-java-1.3.0
sonar-secrets-javascript-1.3.0

Plugin Reference: GitHub - Skyscanner/sonar-secrets: SonarQube plugin for identifying hardcoded secrets, such as passwords, API keys, AWS credentials, etc.

Has anyone experienced a similar problem? If so, does anyone have a solution or advice?
Thank you!

Hi,

SonarQube offers secrets detection out of the box, and with 10.2 that functionality leapt forward. Are you sure you really still need the plugin?

 
Ann

Hi,

This announcement was posted before my earlier answer^ but I just now noticed it:

 
HTH,
Ann

Hi Ann,

In 9.9 LTS I see only 5 rules related to secrets. Do I need to upgrade to get the 60+ rules?

Hi @owais,

Welcome to the community!

Yes, to get the latest rules you’ll need to upgrade to the latest version.

Although to be clear, SonarQube 10.2 doesn’t have all those rules. They’ll be available in 10.3, E.T.A. early November.

 
Ann

Thank you for the prompt response. Could you also confirm, out of these 100+ rules, if there are any rules for flagging Private Keys, High Entropy String, Hardcoded Password and Hardcoded API Keys used in code?

Hi,

You can get the full rule list here:

 
HTH,
Ann

Could you let me know when this list will be updated with all the upcoming rules? Or if there is a separate link for it?

Hi,

That’s the full list.

 
Ann

Got it, thank you.