SonarC# Credentials Should Not Be Hardcoded FP


(Alpay Kaptaş) #1

We have many fields like

public const string FoundationMenuPasswordTable = "FoundationMenuPassword";

in our C# code and because the field name (or the literal which is assigned to the field) contains the word ‘password’ SonarC# raises False Positive issues, although this field does not contain any passwords, just the field name that holds the password.


(Valeri Hristov) #2

Hi @Alpay_KAPTAS, this rule just searches for the word password (you can configure that) in variable names and string literals, and is quite noisy. I would say it is more appropriate to be called Security Hotspot (that’s a new issue type in SonarQube, introduced in 7.3) because they highlight places that need attention and are noisy by nature. The best way to handle the problem is to mark the issue as False Positive or Won’t Fix in your SonarQube instance.
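
As an added illustration (not code from the original thread or from SonarSource), the kind of declaration the reporter hit, the kind of literal the rule exists to catch, and a way to keep the real secret out of source so the rule has nothing to match on; all names and values are hypothetical.

```csharp
using System;
using System.Data.Common;

// Added example, not from the original thread. Names and values are hypothetical.
public static class CredentialExamples
{
    // Case 1: the false positive from the thread. The identifier and the literal
    // both contain "password", but the value is a table name, not a secret.
    // The rule matches on the word, not on what the value means, so this is
    // reported; it is correctly resolved as False Positive / Won't Fix.
    public const string FoundationMenuPasswordTable = "FoundationMenuPassword";

    // Case 2: a true positive. A working credential sits in the source and in
    // every clone of the repository; this is what the rule is meant to find.
    public const string LegacyConnectionString =
        "Server=db.example.internal;Database=app;User Id=svc;Password=Sup3rSecret!";

    // Case 3: the fix for case 2. The secret is read from the environment (or a
    // secrets store) at run time, so no credential value is present in the code.
    public static string BuildConnectionString()
    {
        string password = Environment.GetEnvironmentVariable("APP_DB_PASSWORD")
            ?? throw new InvalidOperationException("APP_DB_PASSWORD is not set");

        var builder = new DbConnectionStringBuilder
        {
            ["Server"] = "db.example.internal",
            ["Database"] = "app",
            ["User Id"] = "svc",
            ["Password"] = password,   // value comes from outside the repository
        };
        return builder.ConnectionString;
    }
}
```

Case 1 will keep being reported unless the word is removed from the rule's configurable credential-word list or the identifier is renamed (for example `FoundationMenuCredentialTable`), so marking it in SonarQube, as suggested above, is the least disruptive option.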


(Amaury Levé) #3

Hi @Alpay_KAPTAS,

I am marking this thread as answered. Please feel free to let us know if you think something is missing.

Cheers,
Amaury