Skip to content

Commit 7dc970a

Browse files
S2068, S6418, and S6437: Make use of common secret exclusion filter
1 parent 550875c commit 7dc970a

14 files changed

Lines changed: 250 additions & 226 deletions

File tree

its/ruling/src/test/resources/jboss-ejb3-tutorial/java-S2068.json

Lines changed: 0 additions & 5 deletions
This file was deleted.
Lines changed: 1 addition & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -1,9 +1,5 @@
11
{
2-
"org.regex-examples:regex-examples:src/main/java/org/regex/examples/RegexDatabase1.java": [
3-
749
4-
],
52
"org.regex-examples:regex-examples:src/main/java/org/regex/examples/RegexDatabase8.java": [
6-
727,
7-
1257
3+
727
84
]
95
}

java-checks-aws/pom.xml

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -62,6 +62,10 @@
6262
<artifactId>commons-io</artifactId>
6363
<scope>test</scope>
6464
</dependency>
65+
<dependency>
66+
<groupId>org.sonarsource.analyzer-commons</groupId>
67+
<artifactId>sonar-analyzer-commons</artifactId>
68+
</dependency>
6569
<dependency>
6670
<groupId>org.sonarsource.analyzer-commons</groupId>
6771
<artifactId>sonar-analyzer-recognizers</artifactId>

java-checks-aws/src/main/java/org/sonar/java/checks/security/HardCodedCredentialsShouldNotBeUsedCheck.java

Lines changed: 6 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -28,7 +28,9 @@
2828
import org.sonar.java.annotations.VisibleForTesting;
2929
import org.sonar.java.checks.helpers.CredentialMethod;
3030
import org.sonar.java.checks.helpers.CredentialMethodsLoader;
31+
import org.sonar.java.checks.helpers.ExpressionsHelper;
3132
import org.sonar.plugins.java.api.IssuableSubscriptionVisitor;
33+
import org.sonarsource.analyzer.commons.appsec.SecretClassifier;
3234
import org.sonar.plugins.java.api.JavaFileScannerContext;
3335
import org.sonar.plugins.java.api.semantic.MethodMatchers;
3436
import org.sonar.plugins.java.api.tree.Arguments;
@@ -108,6 +110,10 @@ private void checkArguments(Arguments arguments, CredentialMethod method) {
108110
ExpressionTree argument = arguments.get(targetArgumentIndex);
109111
var secondaryLocations = new ArrayList<JavaFileScannerContext.Location>();
110112
if (isExpressionDerivedFromPlainText(argument, secondaryLocations, new HashSet<>())) {
113+
String value = ExpressionsHelper.getConstantValueAsString(argument).value();
114+
if (value != null && SecretClassifier.isKnownNonSecret(value)) {
115+
continue;
116+
}
111117
reportIssue(argument, ISSUE_MESSAGE, secondaryLocations, null);
112118
}
113119
}

java-checks-test-sources/default/src/main/files/non-compiling/checks/HardCodedPasswordCheckSample.java

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -8,8 +8,8 @@
88
class HardCodedPasswordCheckSample {
99

1010
private void a(char[] pwd, String var) throws SQLException {
11-
MyUnknownClass.myUnknownMethod("password", "xxxxx"); // Noncompliant
12-
MyUnknownClass.myUnknownMethod("other", "xxxxx"); // Compliant
11+
MyUnknownClass.myUnknownMethod("password", "xvxf6_gaa"); // Noncompliant
12+
MyUnknownClass.myUnknownMethod("other", "xvxf6_gaa"); // Compliant
1313
}
1414

1515
}

java-checks-test-sources/default/src/main/java/checks/HardCodedPasswordCheckCustom.java

Lines changed: 23 additions & 18 deletions
Original file line numberDiff line numberDiff line change
@@ -8,35 +8,40 @@ class HardCodedPasswordCheckCustom {
88
String fieldNameWithBazookaInIt;
99

1010
private void a(char[] pwd, String var) {
11-
String variable2 = "login=a&password=xxx"; // Compliant
12-
String variable3 = "login=a&passwd=xxx"; // Compliant
13-
String variable4 = "login=a&pwd=xxx"; // Compliant
14-
String variable5 = "login=a&marmalade=xxx"; // Noncompliant {{'marmalade' detected in this expression, review this potentially hard-coded password.}}
15-
// ^^^^^^^^^^^^^^^^^^^^^^^
16-
String variable6 = "login=a&bazooka=xxx "; // Noncompliant
17-
18-
String variableNameWithBazookaInIt = "xxx"; // Noncompliant
19-
// ^^^^^^^^^^^^^^^^^^^^^^^^^^^
20-
String variableNameWithmarMalAdeInIt = "xxx"; // Noncompliant
11+
String variable2 = "login=a&password=xvxf6_gaa"; // Compliant
12+
String variable3 = "login=a&passwd=xvxf6_gaa"; // Compliant
13+
String variable4 = "login=a&pwd=xvxf6_gaa"; // Compliant
14+
String variable5 = "login=a&marmalade=xxx"; // Compliant, short value filter
15+
String variable5_2 = "login=a&marmalade=xvxf6_gaa"; // Noncompliant {{'marmalade' detected in this expression, review this potentially hard-coded password.}}
16+
// ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
17+
String variable6 = "login=a&bazooka=xxx"; // Compliant, short value filter
18+
String variable6_2 = "login=a&bazooka=xvxf6_gaa"; // Noncompliant
19+
20+
String variableNameWithBazookaInIt = "xxx"; // Compliant, , short value filter
21+
String variableNameWithBazookaInIt_2 = "xvxf6_gaa"; // Noncompliant
2122
// ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
22-
String variableNameWithPwdInIt = "xxx"; // Compliant
23+
String variableNameWithmarMalAdeInIt = "xvxf6_gaa"; // Noncompliant
24+
// ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
25+
String variableNameWithPwdInIt = "xvxf6_gaa"; // Compliant
2326
String otherVariableNameWithPasswordInIt;
24-
fieldNameWithPasswordInIt = "xx"; // Compliant
25-
this.fieldNameWithBazookaInIt = "xx"; // Noncompliant
27+
fieldNameWithPasswordInIt = "xx";
28+
this.fieldNameWithBazookaInIt = "xx"; // Compliant, , short value filter
2629

2730

2831
HardCodedPasswordCheckCustom myA = new HardCodedPasswordCheckCustom();
29-
myA.setProperty("marmalade", "xxxxx"); // Noncompliant
30-
myA.setProperty("passwd", "xxxxx"); //Compliant
31-
myA.setProperty("pwd", "xxxxx"); // Compliant
32+
myA.setProperty("marmalade", "xxxxx"); // Compliant, short value filter
33+
myA.setProperty("marmalade", "xvxf6_gaa"); // Noncompliant
34+
myA.setProperty("marmalade", "marmalade"); // Compliant
35+
myA.setProperty("passwd", "xvxf6_gaa"); //Compliant
36+
myA.setProperty("pwd", "xvxf6_gaa"); // Compliant
3237

3338

34-
new PasswordAuthentication("userName", "1234".toCharArray()); // Compliant, handled by S6437
39+
new PasswordAuthentication("userName", "xvxf6_gaa".toCharArray()); // Compliant, handled by S6437
3540
new PasswordAuthentication("userName", pwd); // Compliant
3641
new PasswordAuthentication("userName", getPwd(var)); // Compliant
3742
new PasswordAuthentication("userName", var.toCharArray()); // Compliant
3843

39-
new OtherPasswordAuthentication("userName", "1234".toCharArray()); // Compliant
44+
new OtherPasswordAuthentication("userName", "xvxf6_gaa".toCharArray()); // Compliant
4045
}
4146

4247
private void setProperty(Object property, Object Value) { }

0 commit comments

Comments
 (0)