SonarSlang / SONARSLANG-474

Rule S2068: filter string literal that contains the wordlist item


    Details

      Description

      The implementation of this rule relies heavily on symbol names matching wordlist items to raise issues. The downside is that it raises many false positives when constants are used to avoid duplicated strings:

      • Go
        password := "Password"                // Compliant
        password = "[id='password']"          // Compliant
        password = "custom.password"          // Compliant
        password = "trustStorePassword"       // Compliant
        password = "connection.password"      // Compliant
        password = "/users/resetUserPassword" // Compliant
        
      • Ruby
        password = "Password"                # Compliant
        password = "[id='password']"          # Compliant
        password = "custom.password"         # Compliant
        password = "trustStorePassword"       # Compliant
        password = "connection.password"      # Compliant
        password = "/users/resetUserPassword" # Compliant
        
      • Apex
        String password = 'Password'; // Compliant
        String password = '[id=\'password\']'; // Compliant
        String password = 'custom.password'; // Compliant
        String password = 'trustStorePassword'; // Compliant
        String password = 'connection.password'; // Compliant
        String password = '/users/resetUserPassword'; // Compliant
        
      • Kotlin
        val password = "Password"                // Compliant
        val password = "[id='password']"          // Compliant
        val password = "custom.password"         // Compliant
        val password = "trustStorePassword"       // Compliant
        val password = "connection.password"      // Compliant
        val password = "/users/resetUserPassword" // Compliant
        
      • Scala
        val password = "Password"                 // Compliant
        val password = "[id='password']"          // Compliant
        val password = "custom.password"          // Compliant
        val password = "trustStorePassword"       // Compliant
        val password = "connection.password"      // Compliant
        val password = "/users/resetUserPassword" // Compliant
        

      In most string-constant use cases the wordlist item is present in both the symbol name and the string value.
      The new approach is to avoid raising an issue when the matched wordlist item is present in both the symbol name and the literal string value.
      An exception is made for the following use cases, which remain True Positives because the literal itself embeds a `<wordlist item>=<value>` pair:

      • Go
        params := "user=admin&password=Password123" // Sensitive
        sqlserver := "pgsql:host=localhost port=5432 dbname=test user=postgres password=postgres" // Sensitive
        
      • Ruby
        params = "user=admin&password=Password123"   # Sensitive
        sqlserver = "pgsql:host=localhost port=5432 dbname=test user=postgres password=postgres"   # Sensitive
        
      • Apex
        String params = 'user=admin&password=Password123'; // Sensitive
        String sqlserver = 'pgsql:host=localhost port=5432 dbname=test user=postgres password=postgres'; // Sensitive
        
      • Kotlin
        val params = "user=admin&password=Password123"   // Sensitive
        val sqlserver = "pgsql:host=localhost port=5432 dbname=test user=postgres password=postgres"   // Sensitive
        
      • Scala
        val params = "user=admin&password=Password123"   // Sensitive
        val sqlserver = "pgsql:host=localhost port=5432 dbname=test user=postgres password=postgres"   // Sensitive
        
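The heuristic the ticket describes, written out as an added Python example (not code from the SonarSlang project): a literal that embeds `<item>=<value>` is always reported, a symbol named like a credential whose literal does not mention the same wordlist item is reported, and the new exclusion suppresses the issue when the item appears in both. The wordlist, the `Assignment` record and the `credential_pattern` regex are assumptions of this example; the real rule takes its wordlist from a rule parameter. The samples at the end are the ticket's own, with the verdict the description assigns to each.

```python
import re
from dataclasses import dataclass

# Assumed wordlist for this example; the real rule reads its wordlist from a rule parameter.
WORDLIST = ("password", "passwd", "pwd")


@dataclass(frozen=True)
class Assignment:
    """A symbol assigned a string literal, e.g. password := "Password" (hypothetical record type)."""
    symbol: str
    literal: str


def credential_pattern(item: str) -> "re.Pattern[str]":
    # Matches '<item>=<value>' embedded in a literal, e.g. "password=Password123"
    # in a query string or "password=postgres" in a connection string.
    return re.compile(r"(?i)\b" + re.escape(item) + r"\s*=\s*[^\s&;,]+")


def is_sensitive(assignment: Assignment, wordlist=WORDLIST) -> bool:
    """Return True when the assignment should raise an S2068-style issue."""
    literal = assignment.literal
    if not literal:
        return False  # an empty string is a placeholder, not a credential

    # Step 1: the literal itself embeds '<item>=<value>'. This stays a True Positive
    # regardless of the symbol name (the 'params' / 'sqlserver' cases in the ticket).
    if any(credential_pattern(item).search(literal) for item in wordlist):
        return True

    # Step 2: does the symbol name contain a wordlist item at all?
    symbol_lower = assignment.symbol.lower()
    matched = [item for item in wordlist if item in symbol_lower]
    if not matched:
        return False

    # Step 3 (the change proposed in this ticket): if the same item also appears
    # in the literal, the literal is a key, selector or path that names the
    # concept ("custom.password", "[id='password']") rather than a secret value.
    literal_lower = literal.lower()
    if any(item in literal_lower for item in matched):
        return False

    # The symbol is named like a credential and the literal is an opaque value.
    return True


# The ticket's own samples, with the verdict the description assigns to each.
TICKET_SAMPLES = [
    ("password", "Password", False),
    ("password", "[id='password']", False),
    ("password", "custom.password", False),
    ("password", "trustStorePassword", False),
    ("password", "connection.password", False),
    ("password", "/users/resetUserPassword", False),
    ("params", "user=admin&password=Password123", True),
    ("sqlserver", "pgsql:host=localhost port=5432 dbname=test user=postgres password=postgres", True),
]


def mismatches(samples=TICKET_SAMPLES) -> list:
    """Return the samples whose computed verdict disagrees with the expected one (empty = all agree)."""
    return [
        (symbol, literal)
        for symbol, literal, expected in samples
        if is_sensitive(Assignment(symbol, literal)) != expected
    ]


if __name__ == "__main__":
    for symbol, literal, expected in TICKET_SAMPLES:
        verdict = "Sensitive" if is_sensitive(Assignment(symbol, literal)) else "Compliant"
        print(f"{symbol} = {literal!r:75} // {verdict}")
    print("mismatches:", mismatches())
```

Step 1 runs before the symbol-name check on purpose: the `params` and `sqlserver` samples have no wordlist item in their name, so they would otherwise be missed, and ordering it first also keeps them reported even when the symbol happens to be called `password`. The value character class in `credential_pattern` stops at `&`, `;`, `,` and whitespace so that a query-string or connection-string pair is matched as a unit.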

              People

              Assignee:
              amelie.renard Amélie Renard
              Reporter:
              pierre-loup.tristant Pierre-Loup Tristant