SonarJava / SONARJAVA-3252

Rule S2068: filter String literals that contain the wordlist item


    Details

    • Type: False-Positive
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 6.1
    • Component/s: Rules
    • Labels:

      Description

      The implementation of this rule relies heavily on symbol names matching wordlist items to raise issues. The downside is that it raises many false positives when constants are used to avoid duplicated strings:

      String password = "Password"; // Compliant
      String pwd = "pwd"; // Compliant
      
      public class S2068 {
      
        private static final String PASSWORD = "Password"; // Compliant
        private static final String PASSWORD_INPUT = "[id='password']"; // Compliant
        private static final String PASSWORD_PROPERTY = "custom.password"; // Compliant
        private static final String TRUSTSTORE_PASSWORD = "trustStorePassword"; // Compliant
        private static final String CONNECTION_PASSWORD = "connection.password"; // Compliant
        private static final String RESET_PASSWORD = "/users/resetUserPassword"; // Compliant
      
        // ...
      }
      

      Here are a few other use cases where the wordlist item appears on both sides of a key/value pair:

      my.setProperty("password", "password"); // Compliant
      env.put("password", "whateverpassword"); // Compliant
      props.put("password", "whateverpassword"); // Compliant
      

      In most string-constant use cases the wordlist item is present in both the symbol name and the string value.
      The new approach is to avoid raising an issue when the wordlist item is present in both the symbol name and the literal string value.
      An exception is made for the following use cases, which remain true positives:

      String params = "user=admin&password=Password123"; // Sensitive
      String sqlserver = "pgsql:host=localhost port=5432 dbname=test user=postgres password=postgres"; // Sensitive
      
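      The heuristic described above, as an added Python sketch rather than the rule's own Java implementation: a pair is skipped when the wordlist item appears in both the name (or key literal) and the value, unless the value itself embeds a `<word>=<value>` assignment, which stays reported. The default wordlist and the regex used to spot the embedded assignment are assumptions.

```python
import re

# Assumed default wordlist; S2068's list is configurable in the real rule.
WORDLIST = ("password", "passwd", "pwd")


def assignment_in_literal(literal: str, word: str) -> bool:
    """True when the literal itself carries '<word>=<value>' (query string, DSN, ...).

    This regex is an approximation of the rule's check, not its actual code.
    """
    return re.search(rf"\b{word}\s*=\s*\S+", literal, re.IGNORECASE) is not None


def is_sensitive(name: str, literal: str) -> bool:
    """Decide whether a (name, string literal) pair should be reported.

    `name` is the variable/constant name or, for put/setProperty calls,
    the key literal; `literal` is the assigned string value.
    """
    if not literal:
        return False
    for word in WORDLIST:
        # Exception kept as a true positive: a credential embedded as key=value.
        if assignment_in_literal(literal, word):
            return True
        in_name = word in name.lower()
        in_literal = word in literal.lower()
        if in_name and in_literal:
            # New approach: the literal names the concept (label, key, path),
            # so treat it as a reused constant rather than a hard-coded secret.
            continue
        if in_name:
            # Original behaviour: wordlist item in the name, opaque value.
            return True
    return False


if __name__ == "__main__":
    # Examples from the issue description plus one constructed secret.
    cases = [
        ("PASSWORD", "Password"),
        ("PASSWORD_INPUT", "[id='password']"),
        ("password", "whateverpassword"),
        ("params", "user=admin&password=Password123"),
        ("password", "hunter2"),  # constructed: should still be reported
    ]
    for name, value in cases:
        print(f"{name} = {value!r}: {'Sensitive' if is_sensitive(name, value) else 'Compliant'}")
```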

              People

              Assignee:
              quentin.jaquier Quentin Jaquier
              Reporter:
              pierre-loup.tristant Pierre-Loup Tristant