SonarCloud not catching intentional hard-coded password

I have SonarCloud set up to run against a test ASP.NET MVC application. I have intentionally added a hard-coded password to see if the scan would pick it up.

SonarCloud Project Dashboard: https://sonarcloud.io/dashboard?id=Trey-Gourley_sonarcloudtest

In the C# Program.cs source file, I added a line of code:

string password = "this_should_not_be_here";

I was hoping it would get caught by the security rule “Credentials should not be hard-coded” https://rules.sonarsource.com/csharp/type/Vulnerability/RSPEC-2068

It caught a couple of code smells in the Program.cs file (and one bug in the project), but it didn’t catch that error. It also didn’t show that it skipped that line either (though there were a couple of other lines that were skipped by the scan.)

Hi @treygourley.

It looks like your project is being classified as a test project, so it won't be analysed.

Have a look at this post for the list of criteria the scanner uses to classify projects as test or product code.

@duncanp That was it.

I initially put in the property group to set the web project:
<SonarQubeTestProject>false</SonarQubeTestProject>
…but that didn’t seem to fix the issue.

When I removed all references to “Test” from the solution and project names that fixed the issue and it caught the hard-coded password.

Thanks!
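The classification discussed in this thread can be set explicitly per project instead of by renaming. The following is an added configuration example, not code from the thread or from SonarSource; it assumes the `SonarQubeTestProject` MSBuild property that SonarSource documents for the scanner for .NET is honoured, and that test projects in the solution are named with a `.Tests` suffix (a placeholder convention chosen for the example).

```xml
<!-- Directory.Build.props at the solution root (added example, not from the thread).
     MSBuild imports this file into every project below it, so the property is
     evaluated during the build that runs between the scanner's begin and end steps.
     The name-based heuristic is replaced by an explicit, per-project answer. -->
<Project>

  <!-- Projects whose name ends in ".Tests" are test code: coverage is captured,
       but product-code rules such as S2068 are not expected to report on them. -->
  <PropertyGroup Condition="$(MSBuildProjectName.EndsWith('.Tests'))">
    <SonarQubeTestProject>true</SonarQubeTestProject>
  </PropertyGroup>

  <!-- Everything else is product code and must be analysed in full, even if the
       solution or project name happens to contain the word "Test". -->
  <PropertyGroup Condition="!$(MSBuildProjectName.EndsWith('.Tests'))">
    <SonarQubeTestProject>false</SonarQubeTestProject>
  </PropertyGroup>

</Project>
```

Because `Directory.Build.props` is imported before the project file's own contents, a `<SonarQubeTestProject>` element placed directly in an individual `.csproj` still overrides the value set here. Whether the scan then reports the hard-coded password can be checked the same way as in the original post: look for the S2068 issue on the `Program.cs` line in the project dashboard after a fresh begin/build/end run.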

@treygourley Did you ever find a better work around rather than removing test projects from the solution? I ran into this same issue.

It’s not ideal to have to remove test projects from a solution because I can’t run unit tests and capture code coverage.