Token not being captured by Sonarqube

I am trying to add a hard-coded token in order to install a package, but SonarQube didn't pick up the hard-coded token as a security hotspot. Below is the code:
index_string = f'--extra-index-url https://{token}@daimler.pkgs.visualstudio.com/_packaging/DataQualityFramework%40Local/pypi/simple/ {package}'
Below are the rules set on the quality gate.

The token is hard-coded in a Python file. Could you please suggest how to do it?

Hi,

What edition and version of SonarQube are you using? If you’re not sure, you’ll find it in your page footer.

Ann

SonarQube Details:

  • Enterprise Edition
  • Version 10.4.1

Hi,

Thanks for those details. I’ve flagged this for the language experts.

Ann

The team has looked at what’s happening (or not happening) here and why.

If the URL was in the format https://username:password@site/, it would be detected correctly. However, as there is only a single value before the @, the URL is being treated as https://username@site/. URLs in this format, without an obvious password, are generally considered to be “safe” and will not trigger the rule.

I’ve added a ticket to the AppSec team’s backlog to improve support for hard-coded Azure DevOps credentials.

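An added example (not SonarQube's rule and not code from this thread) of a supplementary check that treats a lone value before the @ as a credential candidate rather than a username; the sample source, the `classify_userinfo` and `find_url_credentials` names, and the length heuristic are all assumptions made here.

```python
import re

# Constructed sample source (no real credentials): the f-string pattern from the
# thread, a classic user:password URL, and a plain-username URL for contrast.
SAMPLE_SOURCE = '''
token = "EXAMPLE_PAT_PLACEHOLDER_0123456789"
index_string = f"--extra-index-url https://{token}@daimler.pkgs.visualstudio.com/_packaging/DataQualityFramework%40Local/pypi/simple/ {package}"
legacy = "https://deploy:hunter2@example.invalid/repo"
safe = "https://alice@example.invalid/repo"
'''

# scheme://<userinfo>@<host...>; userinfo may not contain whitespace, '/', '@' or quotes
URL_RE = re.compile(r"https?://([^\s/@'\"]+)@[^\s'\"]+")
SECRET_NAME_RE = re.compile(r"(?i)(token|secret|pat|password|key|cred)")


def classify_userinfo(userinfo: str) -> str:
    """Decide how the userinfo part of a URL should be treated.

    'user:password' - classic form, which the thread says the rule already catches
    'credential'    - single value that looks like a secret: an f-string placeholder
                      with a secret-like variable name, or a long opaque literal
    'username'      - single value that looks like a plain account name
    """
    if ":" in userinfo:
        return "user:password"
    placeholder = re.fullmatch(r"\{(\w+)\}", userinfo)
    if placeholder:
        return "credential" if SECRET_NAME_RE.search(placeholder.group(1)) else "username"
    # Assumed heuristic: PATs and API tokens are long, usernames rarely are.
    return "credential" if len(userinfo) >= 20 else "username"


def find_url_credentials(source: str) -> list[tuple[int, str, str]]:
    """Scan Python source and return (line_no, userinfo, verdict) for every URL
    whose userinfo is not a plain username, i.e. hard-coded credential candidates."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for match in URL_RE.finditer(line):
            verdict = classify_userinfo(match.group(1))
            if verdict != "username":
                findings.append((line_no, match.group(1), verdict))
    return findings


if __name__ == "__main__":
    for line_no, userinfo, verdict in find_url_credentials(SAMPLE_SOURCE):
        print(f"line {line_no}: {verdict} in userinfo {userinfo!r}")
```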

The URL is https://{token}@site/. It is not a username before the @. How can we mark it as a vulnerability if the token comes in the URL before the @?

Hi @Anish_Gupta,

You’ve resurrected a thread that’s 4 months old. Per the FAQ, please don’t do that. Please create a new thread with all your details.

Ann