False positive on L409 "Remove this hard-coded password."


kuba.bo...@gmail.com

Dec 2, 2015, 9:36:15 AM
to SonarQube
Hi,
 I'm getting a violation on the code below:

        if (skipBcryptCompute) {
            hashedPassword = "";
        } else {
            hashedPassword = BCrypt.hashpw(plaintext, BCrypt.gensalt());
        }



Maybe exempt empty string literals from the check -- leaking an empty string is hardly a security issue (unless you do actually use empty passwords, but then you've got bigger problems).

kuba.bo...@gmail.com

Dec 9, 2015, 3:11:35 PM
to SonarQube, kuba.bo...@gmail.com
Hello? Anyone?

This seems to also be matching e.g. constants with column names:

public static final String COLUMN_WHERE_I_STORE_PASSWORD = "secretPassword";

Adam Gabryś

Dec 9, 2015, 4:12:08 PM
to kuba.bo...@gmail.com, SonarQube, kuba.bo...@gmail.com
Hi,
SonarQube cannot “understand” whether you hardcoded a password or used a variable with the word “password” in its name.
This would be really hard to implement (neural network?).
 
Now the rule marks as a bug every variable with “password” in its name and a non-blank value.
 
You should mark this as False Positive.
 
Regards,
    Adam Gabryś
--
You received this message because you are subscribed to the Google Groups "SonarQube" group.
To unsubscribe from this group and stop receiving emails from it, send an email to sonarqube+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/sonarqube/d067d786-a9f6-414a-bbe3-3e3a9d53689f%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Jakub Bocheński

Dec 9, 2015, 4:18:35 PM
to Adam Gabryś, SonarQube
So you accepted at least my first suggestion?
What version is this going to be included in?

Jakub Bocheński


Adam Gabryś

Dec 9, 2015, 4:24:30 PM
to Jakub Bocheński, SonarQube
Yes, I think that rule could ignore empty text.
 
But the decision belongs to SonarQube Java Team ;)
 
Regards,
    Adam Gabryś

kuba.bo...@gmail.com

Dec 10, 2015, 9:16:33 AM
to SonarQube, kuba.bo...@gmail.com
Uh, sorry, for some reason I thought this was an official response.
 
So what should I do now? They are not accepting JIRA issues either.

kuba.bo...@gmail.com

Dec 29, 2015, 11:15:43 AM
to SonarQube, kuba.bo...@gmail.com
Hello?
 Will somebody from the Sonar team respond to this?

I feel like a sucker - I've sent you 5 sensible, well-documented reports of obvious problems and there has been no reaction for weeks.

Brian Sperlongano

Dec 31, 2015, 4:06:10 PM
to SonarQube
Just mark the issue as a false positive in your SonarQube instance.

Massimo Paladin

Jan 4, 2016, 5:55:28 AM
to Brian Sperlongano, SonarQube
Hello,

I also think that in such a case it is easier to mark it as a false positive in SonarQube.

Security rule issues can raise false positives and need auditing;
in particular, an empty string literal could show usage of an empty password, as you said.

Cheers,

Massimo PALADIN | SonarSource
Software Developer @ Language Team
http://sonarsource.com
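As an added illustration (not SonarQube's own rule code) of the name-plus-literal heuristic Adam describes and the empty-literal trade-off Massimo raises, here is a constructed matcher run over Java lines modelled on this thread; the `ignore_empty` switch is an assumed option that drops the `hashedPassword = ""` case but still cannot tell the column-name constant from a real credential.

```python
import re
from dataclasses import dataclass

# Constructed Java snippets modelled on the three cases discussed in this
# thread, plus one genuine hard-coded credential and one non-password string.
SAMPLE_JAVA = [
    'hashedPassword = "";',
    'hashedPassword = BCrypt.hashpw(plaintext, BCrypt.gensalt());',
    'public static final String COLUMN_WHERE_I_STORE_PASSWORD = "secretPassword";',
    'String dbPassword = "hunter2";',   # constructed: a real hard-coded secret
    'String userName = "admin";',       # constructed: no "password" in the name
]

# Heuristic: an identifier containing "password" (case-insensitive) that is
# assigned a string literal. Calls such as BCrypt.hashpw(...) never match.
ASSIGN_RE = re.compile(
    r'(?P<name>\w*password\w*)\s*=\s*"(?P<literal>[^"]*)"', re.IGNORECASE
)


@dataclass
class Finding:
    line_no: int
    name: str
    literal: str


def scan(lines, ignore_empty=False):
    """Return one Finding per line matching the heuristic.

    ignore_empty=True implements the exemption proposed in the thread: an
    empty literal is skipped. It removes the "" false positive but cannot
    remove COLUMN_WHERE_I_STORE_PASSWORD, because a column name and a
    credential look identical to a name-based rule; that one still needs a
    human "false positive" decision in the scanner.
    """
    findings = []
    for no, line in enumerate(lines, start=1):
        m = ASSIGN_RE.search(line)
        if not m:
            continue
        if ignore_empty and m.group("literal") == "":
            continue
        findings.append(Finding(no, m.group("name"), m.group("literal")))
    return findings


if __name__ == "__main__":
    for mode in (False, True):
        print(f"ignore_empty={mode}:")
        for f in scan(SAMPLE_JAVA, ignore_empty=mode):
            print(f"  line {f.line_no}: {f.name} = {f.literal!r}")
```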
