Problem
SonarText isn’t flagging `.pem` files in my codebase that start with `-----BEGIN PRIVATE KEY-----`.
Steps
- Create a `.pem` file that begins with `-----BEGIN PRIVATE KEY-----`
- Scan codebase
Expected Behaviour
- An issue is raised on the first line of the file.
Actual Behaviour
- Nothing happens
What I’ve tried
- Ensured that the `.pem` file is in main code.
- Tried using other possible patterns, such as `-----BEGIN ENCRYPTED PRIVATE KEY-----`.
  - This is successfully matched, and an issue is raised by both the scanner and SonarLint.
- After scouring the codebase for a while, tried adding a single space after `-----BEGIN PRIVATE KEY-----`.
  - This is successfully matched, and an issue is raised by both the scanner and SonarLint.
What I think the issue is
- The pattern for matching the key in this case has a space at the very end.
- This feels like a mistake to me, but after digging around for a while, I did find this comment which made it seem like the inclusion of a space was a deliberate choice??
Versions
- SonarQube: 10.6
- Scanner: 4.7.0.2747
- SonarText: 2.12
Deployment
- Via zip
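To illustrate the trailing-space behaviour described in this report, here is an added Python example (not SonarText's code; both regexes are constructed stand-ins for the rule the poster describes) that compares a header pattern ending in a space against a line-anchored pattern that tolerates optional trailing whitespace and also covers the ENCRYPTED variant.

```python
import re

# Constructed stand-in for the detection pattern the post describes: a PEM
# header followed by a literal space. This is an illustration of the reported
# behaviour, not SonarText's actual rule definition.
PATTERN_WITH_TRAILING_SPACE = re.compile(r"-----BEGIN PRIVATE KEY----- ")

# Hardened form: anchor to the whole line, allow optional trailing whitespace,
# and cover both header variants mentioned in the post.
PATTERN_FIXED = re.compile(r"^-----BEGIN (?:ENCRYPTED )?PRIVATE KEY-----[ \t]*$")


def find_private_key_headers(text: str, pattern: re.Pattern) -> list[int]:
    """Return the 1-based line numbers on which `pattern` matches a line."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if pattern.search(line):
            hits.append(lineno)
    return hits


# Constructed sample file contents mirroring the three cases in the post
# (the body is a placeholder, not real key material).
PEM_NO_TRAILING_SPACE = (
    "-----BEGIN PRIVATE KEY-----\n"
    "<constructed base64 body>\n"
    "-----END PRIVATE KEY-----\n"
)
PEM_TRAILING_SPACE = (
    "-----BEGIN PRIVATE KEY----- \n"
    "<constructed base64 body>\n"
    "-----END PRIVATE KEY-----\n"
)
PEM_ENCRYPTED = (
    "-----BEGIN ENCRYPTED PRIVATE KEY-----\n"
    "<constructed base64 body>\n"
    "-----END ENCRYPTED PRIVATE KEY-----\n"
)

if __name__ == "__main__":
    for name, sample in [("no trailing space", PEM_NO_TRAILING_SPACE),
                         ("trailing space", PEM_TRAILING_SPACE),
                         ("encrypted", PEM_ENCRYPTED)]:
        print(name,
              "space-pattern:", find_private_key_headers(sample, PATTERN_WITH_TRAILING_SPACE),
              "fixed-pattern:", find_private_key_headers(sample, PATTERN_FIXED))
```

The space-terminated pattern misses the plain header on line 1 while the anchored pattern flags it, which is the line the poster expects the issue on.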