text:S6706 Generic Public Key Crypto Check - BEGIN PRIVATE KEY not being matched

spiltcoffee · September 23, 2024, 5:33am

Problem

SonarText isn’t flagging .pem files in my codebase that start with -----BEGIN PRIVATE KEY-----.

Ensured that the .pem file is in main code.
Tried using other possible patterns, such as -----BEGIN ENCRYPTED PRIVATE KEY-----.
- This is successfully matched, and an issue is raised by both the scanner, and Sonarlint.
After scouring the codebase for a while, tried adding a single space after -----BEGIN PRIVATE KEY-----.
- This is successfully matched, and an issue is raised by both the scanner, and Sonarlint.

jonas.wielage · September 23, 2024, 3:11pm

thanks for raising the issue you’re having, and thanks for already looking into the code.

You’re right, the addition of the space was a deliberate choice.
Due to technical reasons, we needed to differentiate the secret with a GCP secret.

At the time of implementation, we concluded that adding the space was a safe choice. Apparently, for you, it’s not working as intended.

I will collaborate with our Security Team to find a better solution.
You can track the effort in this ticket: S6706 should raise when there is no whitespace at the end of the first line.

Best,
Jonas

system · October 4, 2024, 8:14am

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Running SonarQube with Docker will result in an error if the specified projectName contains spaces SonarQube Server / Community Build docker	4	52	November 15, 2024
False Positive: S955 Report False-positive / False-negative... cfamily	2	30	March 14, 2025
Copyright header regex not working SonarQube Server / Community Build cfamily	4	1716	May 11, 2020
Project or branch in report does not match the project or branch under which it was submitted SonarQube Cloud	9	612	July 15, 2024
False positive regex DoS vulnerability? SonarQube Server / Community Build sonarqube	3	7316	October 13, 2023