Windows 10 Pro
Visual Studio 2022 17.5.5
The following error is being flagged by SonarCloud in our Azure DevOps build pipeline:
Cycode: Secret of type: ‘Generic Password’ was found.
However, the secret it is alluding to is in a SonarLint file. This file was added to the repo when I did the binding to SonarCloud in Visual Studio.
Is there a way to get rid of this false negative?
It seems like Cycode here is providing that rule (probably by a Roslyn analyzer installed on your code).
And, it’s not a good idea to check SonarCloud credentials into the source code. You should consider that credential compromised and only keep that file locally.
SonarLint for Visual Studio uses the Windows Credential Manager to store credentials, so they shouldn’t appear in any files.
Which SonarLint file are you seeing the credential in?
Thanks for the response Duncan.
There’s a bunch of files generated in the .sonarlint folder. Ours is called vsosse_xxx.yyy_secrets_settings.json (obfuscated).
SonarCloud/Lint installation suggests we commit all files to our repo.
See here: Is it safe to check Secrets/ProfileKey into source control? - #2 by duncanp
Is Cycode complaining about the contents of the file, or the fact that it has secrets in the name?
Here’s the actual message. Note this does not get included in the SonarCloud report just as part of the pull request. There are seven secrets in the file and so we have seven such error messages.
Thanks. In this case those Cycode issues are false-positives.
Ok, but can they be suppressed/ignored?