Skip to content

SONARJAVA-6528 S2068, S6418, and S6437: Make use of common secret exclusion filter#5745

Open
pierre-loup-tristant-sonarsource wants to merge 1 commit into
masterfrom
plt/sonarjava-6528
Open

SONARJAVA-6528 S2068, S6418, and S6437: Make use of common secret exclusion filter#5745
pierre-loup-tristant-sonarsource wants to merge 1 commit into
masterfrom
plt/sonarjava-6528

Conversation

@pierre-loup-tristant-sonarsource

@pierre-loup-tristant-sonarsource pierre-loup-tristant-sonarsource commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

Part of SONARJAVA-6528


Summary by Gitar

  • Dependency updates:
    • Upgraded analyzer-commons to version 2.25.0.4954.
  • Security checks improvements:
    • Integrated SecretClassifier into S2068, S6418, and S6437 to filter out known non-secret fake values.
    • Refactored AbstractHardCodedCredentialChecker to use SecretClassifier for identifying potential credentials instead of hardcoded lists and length checks.

This will update automatically on new commits.

@hashicorp-vault-sonar-prod

hashicorp-vault-sonar-prod Bot commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

SONARJAVA-6528

String variable6 = "login=a&bazooka=xxx"; // Compliant, short value filter
String variable6_2 = "login=a&bazooka=xvxf6_gaa"; // Noncompliant

String variableNameWithBazookaInIt = "xxx"; // Compliant, , short value filter

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Quality: Typos in new test-fixture comments

A few of the newly added/modified explanatory comments contain typos:

  • HardCodedPasswordCheckCustom.java:20 and :28 both read // Compliant, , short value filter with a doubled comma.
  • HardCodedPasswordCheckSample.java:226 uses a triple-slash /// instead of // (myA.setProperty("password", "xxxxx"); /// Compliant, short value filter).

These are harmless to the check semantics (comments only) but worth cleaning up for consistency with the surrounding fixtures. Fix by removing the extra comma and the extra slash respectively.

Was this helpful? React with 👍 / 👎

@gitar-bot

gitar-bot Bot commented Jul 6, 2026

Copy link
Copy Markdown
Code Review 👍 Approved with suggestions 0 resolved / 1 findings

Refactors S2068, S6418, and S6437 to utilize the common secret exclusion filter. Address minor typos identified in the new test-fixture comments to finalize the implementation.

💡 Quality: Typos in new test-fixture comments

📄 java-checks-test-sources/default/src/main/java/checks/HardCodedPasswordCheckCustom.java:20 📄 java-checks-test-sources/default/src/main/java/checks/HardCodedPasswordCheckCustom.java:28 📄 java-checks-test-sources/default/src/main/java/checks/HardCodedPasswordCheckSample.java:226 📄 java-checks-test-sources/aws/src/main/java/checks/security/HardCodedCredentialsShouldNotBeUsedCheckSample.java:146

A few of the newly added/modified explanatory comments contain typos:

  • HardCodedPasswordCheckCustom.java:20 and :28 both read // Compliant, , short value filter with a doubled comma.
  • HardCodedPasswordCheckSample.java:226 uses a triple-slash /// instead of // (myA.setProperty("password", "xxxxx"); /// Compliant, short value filter).

These are harmless to the check semantics (comments only) but worth cleaning up for consistency with the surrounding fixtures. Fix by removing the extra comma and the extra slash respectively.

🤖 Prompt for agents
Code Review: Refactors S2068, S6418, and S6437 to utilize the common secret exclusion filter. Address minor typos identified in the new test-fixture comments to finalize the implementation.

1. 💡 Quality: Typos in new test-fixture comments
   Files: java-checks-test-sources/default/src/main/java/checks/HardCodedPasswordCheckCustom.java:20, java-checks-test-sources/default/src/main/java/checks/HardCodedPasswordCheckCustom.java:28, java-checks-test-sources/default/src/main/java/checks/HardCodedPasswordCheckSample.java:226, java-checks-test-sources/aws/src/main/java/checks/security/HardCodedCredentialsShouldNotBeUsedCheckSample.java:146

   A few of the newly added/modified explanatory comments contain typos:
   - `HardCodedPasswordCheckCustom.java:20` and `:28` both read `// Compliant, , short value filter` with a doubled comma.
   - `HardCodedPasswordCheckSample.java:226` uses a triple-slash `///` instead of `//` (`myA.setProperty("password", "xxxxx"); /// Compliant, short value filter`).
   
   These are harmless to the check semantics (comments only) but worth cleaning up for consistency with the surrounding fixtures. Fix by removing the extra comma and the extra slash respectively.

Options

Auto-apply is off → Gitar will not commit updates to this branch.
Display: compact → Showing less information.

Comment with these commands to change the behavior for this request:

Auto-apply Compact
gitar auto-apply:on         
gitar display:verbose         

Was this helpful? React with 👍 / 👎 | Gitar

@sonarqube-next

sonarqube-next Bot commented Jul 6, 2026

Copy link
Copy Markdown

@asya-vorobeva asya-vorobeva left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💯

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you @pierre-loup-tristant-sonarsource, looks great already! I made some suggestions inline on how to improve this, let me know if something feels off and/or unclear!

Comment on lines +35 to +36
static final String FINAL_SECRET_STRING = "hunter2"; // Compliant, fake value filter
static final String FINAL_SECRET_STRING_2 = "xvxf6_gaa";

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should one of the names indicate that it's a fake? Alas, that would balloon the diff :-(

SHA256.getHMAC((FINAL_SECRET_STRING).getBytes("UTF-8"), message); // Noncompliant
SHA256.getHMAC(new byte[]{(byte) 0xC, (byte) 0xA, (byte) 0xF, (byte) 0xE}, message); // Noncompliant
// FP should be filtered as short string value
SHA256.getHMAC(new byte[]{(byte) 0xC, (byte) 0xA, (byte) 0xF, (byte) 0xE}, message); // Noncompliant

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
SHA256.getHMAC(new byte[]{(byte) 0xC, (byte) 0xA, (byte) 0xF, (byte) 0xE}, message); // Noncompliant
SHA256.getHMAC(new byte[]{(byte) 0xC, (byte) 0xA, (byte) 0xF, (byte) 0xE}, message); // Noncompliant

This is about a hardcoded key for getHMAC, we probably should not suppress it?

// ^^^^^^^^^^^^^^^^^^^^^^>
request.login("user", plainTextSecret2); // Noncompliant
// ^^^^^^^^^^^^^^^^
request.login("user", new String("secret")); // Noncompliant

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Was this not already suppressed, even before SonarSource/sonar-analyzer-commons#418?

Comment on lines +130 to +131
// TP
Encryptors.delux("xvxf6_gaa".subSequence(0, 0), "salt"); // Noncompliant

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
// TP
Encryptors.delux("xvxf6_gaa".subSequence(0, 0), "salt"); // Noncompliant
Encryptors.delux("xvxf6_gaa".subSequence(0, 0), "salt"); // Noncompliant

Comment on lines +128 to 129
// "password".subSequence(0, 0) cannot be resolved to the value "password" that should be filtered -> FPs
Encryptors.delux("password".subSequence(0, 0), "salt"); // Noncompliant

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
// "password".subSequence(0, 0) cannot be resolved to the value "password" that should be filtered -> FPs
Encryptors.delux("password".subSequence(0, 0), "salt"); // Noncompliant
Encryptors.delux("password".subSequence(0, 0), "salt"); // Noncompliant, FP, subSequence is not resolved to a filtered "password" value.

I would follow the style where the comment for the marker is on the same line, but worth confirming how it is done elsewhere in the project.

String okApiKeyValue = "Spaces are UNEXPECTED 012 345 678"; // Compliant
String tokenism = "(Queen's Partner's Stored Knowledge is a Minimal Sham)"; // Compliant
String tokenWithExcludedCharacters2 = "abcdefghij|klmnopqrs"; // Compliant
String tokenWithExcludedCharacters2 = "bacdefghij|klmnopqrs"; // Noncompliant

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Keep the original with a note why it's now compliant.

if("password".equals(auth)) {
}
if(auth.equals("password-1234")) {
if(auth.equals("password-2134")) {

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think keeping the original should also work.

myA.setProperty("api-key", "bacdefghijklmnopqrs"); // Noncompliant
myA.setProperty("okapi-keyboard", "bacdefghijklmnopqrs"); // Compliant
myA.setProperty("secret", "X");
myA.setProperty("secret", "anonymous");

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should raise now?

Comment on lines -166 to -168
|| followingString.startsWith("?")
|| followingString.startsWith(":")
|| followingString.contains("%s");

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Given how many different checks this does, it has probably been tuned on purpose to exclude those sql named parameter looking strings, and I would be a bit hesitant to change the logic here. Maybe it's a good idea to do so though to keep it consistent, but perhaps we should still keep the anonymous case by moving it to the commons?


private static boolean isURLWithCredentials(String stringLiteral) {
if (URL_PREFIX.matcher(stringLiteral).find()) {
private static Optional<String> extractURLPassword(String url) {

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Any specific reason to use Optional instead of keeping the original form?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants