Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
{
"ruleKey": "S6437",
"hasTruePositives": true,
"falseNegatives": 62,
"falseNegatives": 61,
"falsePositives": 0
}
2 changes: 1 addition & 1 deletion its/vibebot/pom.xml
Original file line number Diff line number Diff line change
Expand Up @@ -11,7 +11,7 @@
<properties>
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
<maven.compiler.release>21</maven.compiler.release>
<slf4j.version>1.7.30</slf4j.version>
<slf4j.version>1.7.36</slf4j.version>
</properties>
<dependencies>
<dependency>
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -45,8 +45,8 @@ private void a(char[] pwd, String var) throws SQLException {
String query1_1 = "password=???"; // Compliant
// Password starting with "\"" are ignored
String query7 = "\"password=\""; // Compliant
// Password starting with ":" are reported
String query2 = "password=:password"; // Noncompliant
// Passwords starting with ":" are reported unless excluded by the fake value filter
String query2 = "password=:password"; // Compliant, fake value filter
String query3 = "password=:param"; // Noncompliant
// Password containing "%s" are ignored
String query5 = "password=%s"; // Compliant
Expand All @@ -73,8 +73,8 @@ private void a(char[] pwd, String var) throws SQLException {
String query13 = "password=anonymous\tuser=user"; // Noncompliant
String query14 = "password=anonymous\nuser=user"; // Noncompliant
String query15 = "password=something&user=user%s"; // Noncompliant
// Password starting with ":" are reported
String query16 = "passwordProtected password=:notAPassword"; // Noncompliant
// Passwords starting with ":" are reported unless excluded by the fake value filter
String query16 = "passwordProtected password=:notAPassword"; // Compliant, fake value filter

// ========== 1.2 Urls ==========
// Exclusions also apply when the password if found in an url
Expand Down Expand Up @@ -161,7 +161,7 @@ private void a(char[] pwd, String var) throws SQLException {
passphrase = "xvxf6_gaa".toCharArray(); // Noncompliant
passphrase = "whatever".toCharArray(); // Compliant, fake value filter
passphrase = "xvxf6_gaa".toCharArray(); // Noncompliant
passphrase = PASSED.toCharArray(); // Noncompliant
passphrase = PASSED.toCharArray(); // Compliant, fake value filter
passphrase = "".toCharArray();
passphrase = "X".toCharArray();
// Contains a fake password keyword: password
Expand All @@ -184,7 +184,7 @@ private void a(char[] pwd, String var) throws SQLException {
if("xvxf6_gaa".equals(password)) { // Noncompliant
// ^^^^^^^^
}
if(PASSED.equals(password)) { // Noncompliant
if(PASSED.equals(password)) { // Compliant, fake value filter
}
// Short password are ignored
if(password.equals("X")) {
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -62,7 +62,7 @@ private void a(char[] secret, String var) throws SQLException {
String query6 = "secret=\"%s\""; // Compliant
String query7 = "\"secret=\""; // Compliant

String params1 = "user=admin&secret=Secret1023456789021345678"; // Noncompliant
String params1 = "user=admin&secret=Secret1023456789021345678"; // Compliant, fake value filter
String params2 = "secret=no\nuser=admin0213456789"; // Compliant
String sqlserver1= "pgsql:host=localhost port=5432 dbname=test user=postgres secret=bacdefghijklmnopqrs"; // Noncompliant
String sqlserver2 = "pgsql:host=localhost port=5432 dbname=test secret=no user=bacdefghijklmnopqrs"; // Compliant
Expand Down Expand Up @@ -123,10 +123,10 @@ private void a(char[] secret, String var) throws SQLException {
String secret018 = "&12&345678021345678021345&67801&"; // Noncompliant


// Don't filter when the secret is containing any of the secret word.
String secretConst = "Secret_0213456789021345678"; // Noncompliant
String secrets = "secret_0213456789021345678"; // Noncompliant
final String SECRET = "Secret_0213456789021345678"; // Noncompliant
// Values containing a fake-secret keyword are filtered.
String secretConst = "Secret_0213456789021345678"; // Compliant, fake value filter
String secrets = "secret_0213456789021345678"; // Compliant, fake value filter
final String SECRET = "Secret_0213456789021345678"; // Compliant, fake value filter
// Simple constants will be filtered thanks to the entropy check
final String SECRET_INPUT = "[id='secret']"; // Compliant
final String SECRET_PROPERTY = "custom.secret"; // Compliant
Expand Down
10 changes: 5 additions & 5 deletions pom.xml
Original file line number Diff line number Diff line change
Expand Up @@ -92,10 +92,10 @@
<!-- Compile and test against the latest plugin API. Runtime compatibility is validated independently. -->
<sonar.plugin.api.version>13.8.0.4399</sonar.plugin.api.version>
<sonar.scanner.version>13.4.1.4007</sonar.scanner.version>
<sonarlint.plugin.api.version>11.6.0.85952</sonarlint.plugin.api.version>
<sonarlint.plugin.api.version>11.7.0.86025</sonarlint.plugin.api.version>
<sonar.sca.exclusions>its/**,java-checks-test-sources/**</sonar.sca.exclusions>
<analyzer.commons.version>2.25.0.4954</analyzer.commons.version>
<orchestrator.version>6.1.0.3962</orchestrator.version>
<analyzer.commons.version>2.28.0.5085</analyzer.commons.version>
<orchestrator.version>6.3.1.4538</orchestrator.version>
<sslr.version>1.26.0.4194</sslr.version>
<argLine>-Xmx512m</argLine>
<gitRepositoryName>sonar-java</gitRepositoryName>
Expand All @@ -105,15 +105,15 @@
<artifactsToPublish>${project.groupId}:sonar-java-plugin:jar</artifactsToPublish>

<!-- Overrides parent pom to use a more recent version of jacoco -->
<version.jacoco.plugin>0.8.14</version.jacoco.plugin>
<version.jacoco.plugin>0.8.15</version.jacoco.plugin>

<mockito-core.version>5.23.0</mockito-core.version>
<test-java-agent-directory>${project.build.directory}/test-java-agent-libs</test-java-agent-directory>
<jacoco-agent-jar>org.jacoco.agent-${version.jacoco.plugin}-runtime.jar</jacoco-agent-jar>
<mockito-agent-jar>mockito-core-${mockito-core.version}.jar</mockito-agent-jar>

<!-- The product must work with the SLF4J provided in the Plugin API. -->
<slf4j.version>1.7.30</slf4j.version>
<slf4j.version>1.7.36</slf4j.version>
<!-- SonarLint Core, used in plugin ITs, requires new SLF4J. -->
<slf4j.test.version>2.0.18</slf4j.test.version>

Expand Down
Loading