We've hardcoded username & password in Login component but SonarCloud didn't find a Security Hotspot

We have hardcoded the username & password in the Login.vue component, but SonarCloud didn't find any Security Hotspots.
Can we know the reason?
Our code is something like below:

<form class="pt-0 mt-0" @submit.prevent="login">
  <div class="mb-4">
    <label for="username" class="form-label">Username/Email</label>
    <input
      type="text"
      class="form-control test"
      id="username" value="Asdfggh"
      v-model="loginReqBody.Username"
    />
  </div>
  <div class="mb-4">
    <label for="password" class="form-label">Password</label>
    <input
      type="password"
      class="form-control test"
      id="password" value="Vxceeccc@1234"
      v-model="loginReqBody.Password"
    />
  </div>
  <div class="d-grid">
    <button type="submit" class="btn btn-primary mt-0" :disabled="showLoader">
      Login
    </button>
  </div>
</form>

And we also have the same code in comments as well. It is supposed to catch the Security Hotspots, right?

Can we understand why the Security Hotspots are not caught in the component? And also let us know if we are missing any settings/configuration…


Hi,

Could you share the ID of the rule you’re expecting to catch this, please?

Thx,
Ann

Hi Ann,

We were using username and password inputs inside a login form, in which we have the username and password values hardcoded, and we also have one more login form with username and password input tags inside comments in the same component…

My query is why the hardcoded username and password values for the username and password inputs are not caught as a Vulnerability/Security Hotspot.

Also, what do you mean by the “ID of the rule”? Please help us understand if something is related to SonarCloud settings/configuration.

Thanks
Ronanki

Hi Ronanki,

You seem to be reporting a False Negative: my code does X and your rule doesn’t catch it.

What I’m looking for is a way to know specifically which rule you expected to raise the issue or Security Hotspot. It will have the form of S1234.

Or are you saying that you don’t have a specific rule in mind, you just expected this to be caught?

Ann

Hi Ann,

The question is not about any specific rules or anything… When there is sensitive data like usernames and passwords hardcoded in the inputs directly in the component, they are not caught as vulnerable in the git repo.

Below are the hard-coded values in the Input tags

Username - “JohnDoe”
Password - “John@1234”

For example the code like the below:

<input type="text" class="form-control " id="username" value="JohnDoe"/>
<input type="password" class="form-control " id="password" value="John@1234"/>

Hope you understand my query now. Thanks for the quick response.

Regards,
Ronanki
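The gap described in this thread (literal credentials in the `value` attribute of login inputs, both live and in commented-out markup, going unreported) can be covered locally while waiting on a SonarCloud rule. The following scanner is an added example written for this page, not SonarSource code and not a SonarCloud rule: it walks a Vue/HTML template, flags any credential-bearing `<input>` that carries a non-empty literal `value`, and notes when the match sits inside an HTML comment, since a commented-out form still ships the secret in the repository. The hint list used to decide which ids and names count as credential fields is an assumption; the sample template is constructed to mirror the form shown in the thread.

```javascript
// Added example (not SonarCloud's own rule): flag hard-coded credential
// defaults in the value attribute of login <input> elements in a template,
// including copies that survive inside <!-- --> comments.

// Ids/names that mark an input as credential-bearing. Assumed list; extend
// to match your own form conventions.
const CREDENTIAL_HINTS = /(pass(word)?|pwd|secret|token|user(name)?|email|login)/i;

// Every <input ...> tag in the source, whether or not it is commented out.
const INPUT_TAG = /<input\b[^>]*>/gi;

// Read one attribute value (double- or single-quoted) from a tag's text.
function attr(tag, name) {
  const re = new RegExp(`\\b${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)')`, 'i');
  const m = re.exec(tag);
  if (!m) return null;
  return m[1] !== undefined ? m[1] : m[2];
}

// 1-based line number of a character offset in the source.
function lineOf(source, index) {
  return source.slice(0, index).split('\n').length;
}

// Returns one finding per credential input that has a literal default value.
function findHardcodedCredentials(source) {
  const findings = [];
  for (const m of source.matchAll(INPUT_TAG)) {
    const tag = m[0];
    const value = attr(tag, 'value');
    if (!value || value.trim() === '') continue; // no literal default, nothing to flag
    const type = attr(tag, 'type') || '';
    const id = attr(tag, 'id') || '';
    const name = attr(tag, 'name') || '';
    const isPassword = /^password$/i.test(type);
    const isCredential = isPassword || CREDENTIAL_HINTS.test(id) || CREDENTIAL_HINTS.test(name);
    if (!isCredential) continue;
    // Inside a comment if the last "<!--" before the tag is not yet closed.
    const before = source.slice(0, m.index);
    const inComment = before.lastIndexOf('<!--') > before.lastIndexOf('-->');
    findings.push({
      line: lineOf(source, m.index),
      field: id || name || type,
      severity: isPassword ? 'high' : 'medium',
      inComment,
    });
  }
  return findings;
}

// Human-readable report lines, one per finding.
function report(source) {
  return findHardcodedCredentials(source).map(
    (f) => `line ${f.line}: hard-coded ${f.severity}-risk default for "${f.field}"` +
      (f.inComment ? ' (in commented-out code)' : '')
  );
}

// Constructed sample template mirroring the form discussed in the thread:
// a live login form, a commented-out copy, and two inputs that must not fire.
const SAMPLE_TEMPLATE = `<form @submit.prevent="login">
  <input type="text" id="username" value="JohnDoe" v-model="loginReqBody.Username" />
  <input type="password" id="password" value="John@1234" v-model="loginReqBody.Password" />
  <input type="password" id="confirm" v-model="confirm" />
  <!--
  <input type="text" id="username" value="JohnDoe" />
  <input type="password" id="password" value="John@1234" />
  -->
  <input type="checkbox" id="remember" value="yes" />
</form>`;

console.log(report(SAMPLE_TEMPLATE).join('\n'));
```

Run with `node scan.js` against the sample, or replace `SAMPLE_TEMPLATE` with the contents of your `.vue` files in a pre-commit hook; an input bound only through `v-model` with no literal `value` is left alone, which is the normal shape for a login form.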

Hi Ronanki,

I think we haven’t considered this use case. I pinged the team if they would be interested in it.