Vulnerability false positive for Blob Storage Emulator account key

For Azure Storage account key rule here:
https://sonar.prod.thomsonreuters.com/coding_rules?open=secrets%3AS6338&rule_key=secrets%3AS6338

There is a false positive trigger on the Blob Storage Emulator storage account key. Our unit testing code hard-codes the blob storage emulator account key, but these are publicly available credentials that are used to connect to a locally running emulator, so it is not a security threat. I would suggest putting in an exception to the rule for this specific account key so that it doesn’t trigger the vulnerability scanner.

Additional information about the emulator storage account including the account key: Use the Azure Storage Emulator for development and testing (deprecated) | Microsoft Learn
Use Azurite emulator for local Azure Storage development | Microsoft Learn

Hey there!

I don’t have access to your SonarQube instance. Can you please post the information requested in this post?

Specifically a self-contained snippet of code that produces the false-positive, and what version of SonarQube you’re using.

I had to register with my personal email because I couldn’t login to the forum with SAML. Here is the code snippet that triggers the vulnerability scanner:

   // Well-known, publicly documented emulator credentials (Azurite / Azure Storage Emulator)
   private const string StorageAccountName = "devstoreaccount1";
   private const string EmulatorHostName = "http://127.0.0.1:10000";
   // This constant is what the secrets rule reports
   private const string AccountKey = "Eby8vdM02xNOcqFlqUwJPLlmEtlCDXJ1OUzFT50uSRZ6IFsuFq2UVErCz4I6tq/K1SZFPTOtr/KBHBeksoGMGw==";

It also might be worth noting that I can’t actually override the policy or mark it as a false positive on our scan, which is frustrating. I don’t know if this is just how our SonarQube instance is set up, whether I lack the permissions, or if it is something specific to this policy.

It looks like the version that we are using is SonarQube 9.9 LTS.

Thanks.

  • Good news: we now account for this key and no longer raise an issue (as of August 2023); the fix is included in the latest version of SonarQube, v10.2.
  • A user with the Administer Issues permission on the project can mark the issue as a false positive.
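The exemption the reply above describes, written out as an added example (not SonarQube's or SonarSource's own detector code): a minimal Azure Storage account key scanner that matches the key format (64 random bytes, so 88 base64 characters ending in "==") and skips the documented Azurite/emulator key, which is public and not a secret. The regex, the allowlist set and the sample source text below are assumptions constructed for this example; the only real value is the well-known devstoreaccount1 key from the post.

```python
import base64
import re

# Well-known Azurite / Azure Storage Emulator credentials. These are publicly
# documented by Microsoft, so a secrets scanner should never report them.
AZURITE_ACCOUNT_NAME = "devstoreaccount1"
AZURITE_ACCOUNT_KEY = (
    "Eby8vdM02xNOcqFlqUwJPLlmEtlCDXJ1OUzFT50uSRZ6IFsuFq2UVErCz4I6tq/K1SZFPTOtr/KBHBeksoGMGw=="
)

# Azure Storage account keys are 64 random bytes, base64-encoded:
# 86 base64 characters followed by "==" padding. The lookbehind stops the
# pattern from matching the tail of a longer base64 blob. (Assumed pattern.)
ACCOUNT_KEY_RE = re.compile(r"(?<![A-Za-z0-9+/])([A-Za-z0-9+/]{86}==)")

# Allowlist of values that look like keys but are public by design.
KNOWN_NON_SECRETS = frozenset({AZURITE_ACCOUNT_KEY})


def key_byte_length(key: str) -> int:
    """Decode a base64 key and return its length in bytes (64 for a real account key)."""
    return len(base64.b64decode(key))


def is_known_non_secret(key: str) -> bool:
    """True if the candidate is on the allowlist (e.g. the emulator key)."""
    return key in KNOWN_NON_SECRETS


def find_account_keys(source: str) -> list[tuple[int, str]]:
    """Return (line_number, key) for every candidate account key not on the allowlist."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for match in ACCOUNT_KEY_RE.finditer(line):
            key = match.group(1)
            if is_known_non_secret(key):
                continue  # the Azurite key: public, not a finding
            findings.append((line_no, key))
    return findings


# Constructed, non-real key that has the right shape (86 base64 chars + "==").
CONSTRUCTED_KEY = "".join(chr(ord("A") + i % 26) for i in range(86)) + "=="

# Constructed sample source: the emulator constants from the post plus one
# hard-coded key that should be reported and one short base64 decoy.
SAMPLE_SOURCE = (
    'private const string StorageAccountName = "' + AZURITE_ACCOUNT_NAME + '";\n'
    'private const string EmulatorHostName = "http://127.0.0.1:10000";\n'
    'private const string AccountKey = "' + AZURITE_ACCOUNT_KEY + '";\n'
    'private const string ProdAccountKey = "' + CONSTRUCTED_KEY + '";\n'
    'private const string NotAKey = "dGhpcyBpcyBub3QgYSBrZXk=";\n'
)


if __name__ == "__main__":
    for line_no, key in find_account_keys(SAMPLE_SOURCE):
        print(f"line {line_no}: hard-coded storage account key {key[:8]}...")
```

Running the block reports only line 4 (the constructed key); the emulator key on line 3 is matched by the pattern but dropped by the allowlist, which is exactly the behaviour the rule gained in SonarQube 10.2. Keeping the allowlist as a set rather than a special case in the regex makes it easy to add other documented test-only credentials later.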