SonarC# Credentials Should Not Be Hardcoded FP

We have many fields like

public const string FoundationMenuPasswordTable = "FoundationMenuPassword";

in our C# code and because the field name(or the literal which is assigned to the field) contains the word ‘password’ SonarC# raises False Positive issues, although this field does not contain any passwords, just the filed name that holds the password.

Hi @Alpay_KAPTAS, this rule just searches for the word password (you can configure that) in variable names and string literals, and is quite noisy. I would say it is more appropriate to be called Security Hotspot (that’s a new issue type in SonarQube, introduced in 7.3) because they highlight places that need attention and are noisy by nature. The best way to handle the problem is to mark the issue as False Positive or Won’t Fix in your SonarQube instance.

Hi @Alpay_KAPTAS,

I am marking this thread as answered. Please feel free to let us know if you think something is missing.


My question to that, is this a security vulnerability or nor? Why to use the password as a parameter name. Why can’t we use the different name and configure that parameter in config file as password.

public const string FoundationMenuPasswordTable = “FoundationMenuPassword”;

Rather than change in the code as -
public const string rule102 = “FoundationMenuPassword”;

In web.config file -
rule102 = FoundationMenuPasswordTable;

What do you all think about this?