SONARJAVA-6528 S2068, S6418, and S6437: Make use of common secret exclusion filter#5745
SONARJAVA-6528 S2068, S6418, and S6437: Make use of common secret exclusion filter#5745pierre-loup-tristant-sonarsource wants to merge 1 commit into
Conversation
da498a5 to
7dc970a
Compare
| String variable6 = "login=a&bazooka=xxx"; // Compliant, short value filter | ||
| String variable6_2 = "login=a&bazooka=xvxf6_gaa"; // Noncompliant | ||
|
|
||
| String variableNameWithBazookaInIt = "xxx"; // Compliant, , short value filter |
There was a problem hiding this comment.
💡 Quality: Typos in new test-fixture comments
A few of the newly added/modified explanatory comments contain typos:
HardCodedPasswordCheckCustom.java:20and:28both read// Compliant, , short value filterwith a doubled comma.HardCodedPasswordCheckSample.java:226uses a triple-slash///instead of//(myA.setProperty("password", "xxxxx"); /// Compliant, short value filter).
These are harmless to the check semantics (comments only) but worth cleaning up for consistency with the surrounding fixtures. Fix by removing the extra comma and the extra slash respectively.
Was this helpful? React with 👍 / 👎
7dc970a to
8067e70
Compare
8067e70 to
d6658b5
Compare
Code Review 👍 Approved with suggestions 0 resolved / 1 findingsRefactors S2068, S6418, and S6437 to utilize the common secret exclusion filter. Address minor typos identified in the new test-fixture comments to finalize the implementation. 💡 Quality: Typos in new test-fixture comments📄 java-checks-test-sources/default/src/main/java/checks/HardCodedPasswordCheckCustom.java:20 📄 java-checks-test-sources/default/src/main/java/checks/HardCodedPasswordCheckCustom.java:28 📄 java-checks-test-sources/default/src/main/java/checks/HardCodedPasswordCheckSample.java:226 📄 java-checks-test-sources/aws/src/main/java/checks/security/HardCodedCredentialsShouldNotBeUsedCheckSample.java:146 A few of the newly added/modified explanatory comments contain typos:
These are harmless to the check semantics (comments only) but worth cleaning up for consistency with the surrounding fixtures. Fix by removing the extra comma and the extra slash respectively. 🤖 Prompt for agentsOptionsAuto-apply is off → Gitar will not commit updates to this branch. Comment with these commands to change the behavior for this request:
Was this helpful? React with 👍 / 👎 | Gitar |
|
teemu-rytilahti-sonarsource
left a comment
There was a problem hiding this comment.
Thank you @pierre-loup-tristant-sonarsource, looks great already! I made some suggestions inline on how to improve this, let me know if something feels off and/or unclear!
| static final String FINAL_SECRET_STRING = "hunter2"; // Compliant, fake value filter | ||
| static final String FINAL_SECRET_STRING_2 = "xvxf6_gaa"; |
There was a problem hiding this comment.
Should one of the names indicate that it's a fake? Alas, that would balloon the diff :-(
| SHA256.getHMAC((FINAL_SECRET_STRING).getBytes("UTF-8"), message); // Noncompliant | ||
| SHA256.getHMAC(new byte[]{(byte) 0xC, (byte) 0xA, (byte) 0xF, (byte) 0xE}, message); // Noncompliant | ||
| // FP should be filtered as short string value | ||
| SHA256.getHMAC(new byte[]{(byte) 0xC, (byte) 0xA, (byte) 0xF, (byte) 0xE}, message); // Noncompliant |
There was a problem hiding this comment.
| SHA256.getHMAC(new byte[]{(byte) 0xC, (byte) 0xA, (byte) 0xF, (byte) 0xE}, message); // Noncompliant | |
| SHA256.getHMAC(new byte[]{(byte) 0xC, (byte) 0xA, (byte) 0xF, (byte) 0xE}, message); // Noncompliant |
This is about a hardcoded key for getHMAC, we probably should not suppress it?
| // ^^^^^^^^^^^^^^^^^^^^^^> | ||
| request.login("user", plainTextSecret2); // Noncompliant | ||
| // ^^^^^^^^^^^^^^^^ | ||
| request.login("user", new String("secret")); // Noncompliant |
There was a problem hiding this comment.
Was this not already suppressed, even before SonarSource/sonar-analyzer-commons#418?
| // TP | ||
| Encryptors.delux("xvxf6_gaa".subSequence(0, 0), "salt"); // Noncompliant |
There was a problem hiding this comment.
| // TP | |
| Encryptors.delux("xvxf6_gaa".subSequence(0, 0), "salt"); // Noncompliant | |
| Encryptors.delux("xvxf6_gaa".subSequence(0, 0), "salt"); // Noncompliant |
| // "password".subSequence(0, 0) cannot be resolved to the value "password" that should be filtered -> FPs | ||
| Encryptors.delux("password".subSequence(0, 0), "salt"); // Noncompliant |
There was a problem hiding this comment.
| // "password".subSequence(0, 0) cannot be resolved to the value "password" that should be filtered -> FPs | |
| Encryptors.delux("password".subSequence(0, 0), "salt"); // Noncompliant | |
| Encryptors.delux("password".subSequence(0, 0), "salt"); // Noncompliant, FP, subSequence is not resolved to a filtered "password" value. |
I would follow the style where the comment for the marker is on the same line, but worth confirming how it is done elsewhere in the project.
| String okApiKeyValue = "Spaces are UNEXPECTED 012 345 678"; // Compliant | ||
| String tokenism = "(Queen's Partner's Stored Knowledge is a Minimal Sham)"; // Compliant | ||
| String tokenWithExcludedCharacters2 = "abcdefghij|klmnopqrs"; // Compliant | ||
| String tokenWithExcludedCharacters2 = "bacdefghij|klmnopqrs"; // Noncompliant |
There was a problem hiding this comment.
Keep the original with a note why it's now compliant.
| if("password".equals(auth)) { | ||
| } | ||
| if(auth.equals("password-1234")) { | ||
| if(auth.equals("password-2134")) { |
There was a problem hiding this comment.
I think keeping the original should also work.
| myA.setProperty("api-key", "bacdefghijklmnopqrs"); // Noncompliant | ||
| myA.setProperty("okapi-keyboard", "bacdefghijklmnopqrs"); // Compliant | ||
| myA.setProperty("secret", "X"); | ||
| myA.setProperty("secret", "anonymous"); |
| || followingString.startsWith("?") | ||
| || followingString.startsWith(":") | ||
| || followingString.contains("%s"); |
There was a problem hiding this comment.
Given how many different checks this does, it has probably been tuned on purpose to exclude those sql named parameter looking strings, and I would be a bit hesitant to change the logic here. Maybe it's a good idea to do so though to keep it consistent, but perhaps we should still keep the anonymous case by moving it to the commons?
|
|
||
| private static boolean isURLWithCredentials(String stringLiteral) { | ||
| if (URL_PREFIX.matcher(stringLiteral).find()) { | ||
| private static Optional<String> extractURLPassword(String url) { |
There was a problem hiding this comment.
Any specific reason to use Optional instead of keeping the original form?




Part of SONARJAVA-6528
Summary by Gitar
analyzer-commonsto version2.25.0.4954.SecretClassifierintoS2068,S6418, andS6437to filter out known non-secret fake values.AbstractHardCodedCredentialCheckerto useSecretClassifierfor identifying potential credentials instead of hardcoded lists and length checks.This will update automatically on new commits.