text:S6706 Generic Public Key Crypto Check - BEGIN PRIVATE KEY not being matched

Problem

SonarText isn’t flagging .pem files in my codebase that start with -----BEGIN PRIVATE KEY-----.

Steps

  1. Create a .pem file that begins with -----BEGIN PRIVATE KEY-----
  2. Scan codebase

Expected Behaviour

  • An issue is raised on the first line of the file.

Actual Behaviour

  • Nothing happens

What I’ve tried

  • Ensured that the .pem file is in main code.
  • Tried using other possible patterns, such as -----BEGIN ENCRYPTED PRIVATE KEY-----.
    • This is successfully matched, and an issue is raised by both the scanner and SonarLint.
  • After scouring the codebase for a while, tried adding a single space after -----BEGIN PRIVATE KEY-----.
    • This is successfully matched, and an issue is raised by both the scanner and SonarLint.

What I think the issue is

Versions

  • SonarQube: 10.6
  • Scanner: 4.7.0.2747
  • SonarText: 2.12

Deployment

  • Via zip

Hi @spiltcoffee,

thanks for raising the issue you’re having, and thanks for already looking into the code.

You’re right, the addition of the space was a deliberate choice.
For technical reasons, we needed to differentiate this secret from a GCP secret.

At the time of implementation, we concluded that adding the space was a safe choice. Apparently, for you, it’s not working as intended.

I will collaborate with our Security Team to find a better solution.
You can track the effort in this ticket: S6706 should raise when there is no whitespace at the end of the first line.

Best,
Jonas
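The behaviour reported above (a bare `-----BEGIN PRIVATE KEY-----` first line is missed, the same header followed by a space is flagged) is what a detector looks like when its regex insists on trailing whitespace. The block below is an added illustration, not SonarText's own rule or code: the patterns are a reconstruction written for this thread, and the claim that the trailing-space requirement was there to keep the generic rule from also firing on the `private_key` field of a GCP service-account JSON file is an assumption drawn from the reply's mention of a GCP secret, not something the thread states. All sample inputs are constructed and contain no real key material.

```python
"""Trailing-whitespace anchoring in a PEM private-key detector.

Added example for the thread above; not SonarText code. It models three
matchers (all hypothetical reconstructions):

  SPACE_REQUIRED  the failure mode reported in the thread: the bare header
                  is only flagged when a space follows it.
  END_OF_LINE     the header followed by whitespace OR end of line, so a
                  standard .pem first line is flagged as well.
  GCP_JSON        the same header embedded in a GCP service-account JSON
                  "private_key" string, where the newline after the header
                  is the two characters backslash + n, not real whitespace.
"""
import re

PEM_HEADER = r"-----BEGIN PRIVATE KEY-----"

# Failure mode: a literal trailing space is part of the pattern, so a header
# that ends the line (the normal case in a .pem file) never matches.
SPACE_REQUIRED = re.compile(PEM_HEADER + r" ")

# Accept the header when it is followed by whitespace or ends the line.
# A lookahead is used so the match itself stays on the header text.
END_OF_LINE = re.compile(PEM_HEADER + r"(?=\s|$)")

# GCP service-account key JSON (assumption about why a separate matcher is
# wanted): the header sits inside a JSON string and is followed by the
# escape sequence \n written as two characters, so END_OF_LINE does not
# fire on it and the two detectors stay disjoint.
GCP_JSON = re.compile(r'"private_key"\s*:\s*"' + PEM_HEADER + r"\\n")


def matching_lines(text: str, pattern: re.Pattern) -> list[int]:
    """Return the 1-based line numbers on which `pattern` matches.

    Scanning line by line mirrors the "issue on the first line of the
    file" expectation from the report; splitlines() also handles CRLF.
    """
    return [
        lineno
        for lineno, line in enumerate(text.splitlines(), start=1)
        if pattern.search(line)
    ]


def report(text: str) -> dict[str, list[int]]:
    """Run all three matchers over `text` and collect the lines each flags."""
    return {
        "space_required": matching_lines(text, SPACE_REQUIRED),
        "end_of_line": matching_lines(text, END_OF_LINE),
        "gcp_json": matching_lines(text, GCP_JSON),
    }


# Constructed sample inputs (truncated, non-functional key bodies).
BARE_PEM = (
    "-----BEGIN PRIVATE KEY-----\n"
    "MIIEvQIBADANBgkqhkiG9w0BAQEFAASC...\n"
    "-----END PRIVATE KEY-----\n"
)
PEM_WITH_TRAILING_SPACE = (
    "-----BEGIN PRIVATE KEY----- \n"
    "MIIEvQIBADANBgkqhkiG9w0BAQEFAASC...\n"
    "-----END PRIVATE KEY-----\n"
)
# Inside the JSON string the newlines are escaped: backslash followed by n.
GCP_KEY_JSON = (
    "{\n"
    '  "type": "service_account",\n'
    '  "private_key": "-----BEGIN PRIVATE KEY-----\\nMIIEvQIB...\\n'
    '-----END PRIVATE KEY-----\\n"\n'
    "}\n"
)


if __name__ == "__main__":
    for name, sample in (
        ("bare .pem", BARE_PEM),
        (".pem with trailing space", PEM_WITH_TRAILING_SPACE),
        ("GCP service-account JSON", GCP_KEY_JSON),
    ):
        print(f"{name}: {report(sample)}")
```

Running the script shows the two sides of the report: `SPACE_REQUIRED` flags only the file whose first line carries the extra space, while `END_OF_LINE` flags both `.pem` variants on line 1 and still leaves the JSON-embedded copy to `GCP_JSON`, since the `\n` escape after the header is not whitespace. Anchoring on end-of-line rather than a literal space is the shape of fix the linked ticket title describes ("should raise when there is no whitespace at the end of the first line"); whether SonarText adopts exactly this is not stated in the thread.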

