SteveG
(Steve Grattan)
May 26, 2023, 3:47pm
1
Windows 10 Pro
Visual Studio 2022 17.5.5
The following error is being flagged by SonarCloud in our Azure DevOps build pipeline:
Cycode: Secret of type: ‘Generic Password’ was found.
However, the secret it is alluding to is in a SonarLint file. This file was added to the repo when I did the binding to SonarCloud in Visual Studio.
Is there a way to get rid of this false negative?
Colin
(Colin)
May 30, 2023, 10:12am
2
Hey there.
It seems like Cycode here is providing that rule (probably by a Roslyn analyzer installed on your code).
And, it’s not a good idea to check SonarCloud credentials into the source code. You should consider that credential compromised and only keep that file locally.
duncanp
(Duncan Pocklington)
May 30, 2023, 2:02pm
3
Hi @SteveG ,
SonarLint for Visual Studio uses the Windows Credential Manager to store credentials, so they shouldn’t appear in any files.
Which SonarLint file are you seeing the credential in?
SteveG
(Steve Grattan)
June 2, 2023, 9:02am
4
Thanks for the response Duncan.
There’s a bunch of files generated in the .sonarlint folder. Ours is called vsosse_xxx.yyy_secrets_settings.json (obfuscated).
SonarCloud/Lint installation suggests we commit all files to our repo.
duncanp
(Duncan Pocklington)
June 2, 2023, 10:14am
5
@SteveG
See here: Is it safe to check Secrets/ProfileKey into source control? - #2 by duncanp
Is Cycode complaining about the contents of the file, or the fact that it has secrets in the name?
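The question above (filename versus contents) is the right triage for any secret-scanner hit. The following is an added example, not code from the thread, from SonarSource or from Cycode: it checks whether a file name matches a "secrets"-style pattern and, separately, whether any string value inside the JSON looks like a credential (long, charset-dense, high Shannon entropy). The two sample documents and the `sonarcloud.token` key are constructed for illustration and do not reflect the real SonarLint settings schema; the entropy threshold is an assumption to tune per repository.

```python
"""Triage a secret-scanner hit on a .sonarlint settings file.

Added example, not code from the thread or from SonarSource/Cycode.
Distinguishes two causes of a hit: the file NAME matching a 'secrets'
pattern versus the file CONTENTS holding credential-looking strings.
"""
import json
import math
import re
from collections import Counter

# Constructed sample: a settings file that only carries rule toggles
# (no credential material), and one that actually embeds a token.
# Neither is the real SonarLint schema; the key names are assumptions.
BENIGN_SETTINGS = json.dumps({
    "rules": {"secrets:example-rule-1": {"level": "on"},
              "secrets:example-rule-2": {"level": "off"}},
    "notifications": {"enabled": True},
})
LEAKED_SETTINGS = json.dumps({
    "sonarcloud.token": "sq_9f4c2b7e1d8a5c3f0b6e2a1d9c8b7a6f5e4d3c2b",
})

# Words that make a file NAME look sensitive to a naive scanner.
NAME_PATTERN = re.compile(r"secret|credential|password|token", re.IGNORECASE)
# Candidate tokens inside string values: 20+ chars of a dense charset.
TOKEN_PATTERN = re.compile(r"[A-Za-z0-9_\-]{20,}")


def shannon_entropy(s):
    """Bits of entropy per character; random-looking tokens score high."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def iter_strings(node):
    """Yield every string VALUE in a parsed JSON document (keys excluded,
    so rule identifiers containing the word 'secrets' do not count)."""
    if isinstance(node, dict):
        for v in node.values():
            yield from iter_strings(v)
    elif isinstance(node, list):
        for v in node:
            yield from iter_strings(v)
    elif isinstance(node, str):
        yield node


def suspicious_values(text, min_entropy=3.5):
    """Return string values that look like credentials. The 3.5-bit
    threshold is an assumption; hex/base64 tokens typically exceed 4."""
    hits = []
    for value in iter_strings(json.loads(text)):
        for m in TOKEN_PATTERN.finditer(value):
            if shannon_entropy(m.group(0)) >= min_entropy:
                hits.append(m.group(0))
    return hits


def triage(filename, text):
    """Classify a hit: 'real-secret' (contents), 'filename-only', or 'clean'."""
    name_hit = bool(NAME_PATTERN.search(filename))
    content_hits = suspicious_values(text)
    if content_hits:
        return "real-secret", content_hits
    if name_hit:
        return "filename-only", []
    return "clean", []


if __name__ == "__main__":
    for name, body in [("vsosse_xxx.yyy_secrets_settings.json", BENIGN_SETTINGS),
                       ("vsosse_xxx.yyy_secrets_settings.json", LEAKED_SETTINGS)]:
        kind, hits = triage(name, body)
        print(name, "->", kind, hits)
```

A "filename-only" result is the false-positive case: the file carries settings that merely mention secret-detection rules, and the scanner is reacting to the name. A "real-secret" result means a credential really is in the file and, as noted earlier in the thread, it should be treated as compromised rather than suppressed.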
SteveG
(Steve Grattan)
June 2, 2023, 11:40am
6
Here’s the actual message. Note this does not get included in the SonarCloud report, just as part of the pull request. There are seven secrets in the file and so we have seven such error messages.
duncanp
(Duncan Pocklington)
June 2, 2023, 1:08pm
7
Thanks. In this case those Cycode issues are false-positives.
SteveG
(Steve Grattan)
June 2, 2023, 1:58pm
8
Ok, but can they be suppressed/ignored?