SonarLint best practice for "hard coded password" false positives

Tags:

java

sonarlint

SonarLint flags as blockers some variables in my code base. Ones like public static final String INVALID_PASSWORD = "Your password is invalid.";

SonarLint thinks that the variable might contain a hard coded password, which is a security risk. But in this case, the variable does not contain a password, it contains a message about a password.

I also have some like public static final String INVALID_PASSWORD = "INVALID_PASSWORD";, that are codes rather than strings, which SonarLint also flags.

What's the best practice for "fixing" this type of issue? Two solutions that come to mind are renaming the variable, and using a @SuppressWarnings("code here") annotation.

Does SonarLint itself have a recommendation for this issue? Is there an industry best practice?

Tim asked Mar 10 '18 23:03


1 Answer

You should be able to mute the Sonar issue with something like:

@SuppressWarnings("squid:S2068") // This is not a hard-coded password.

Annotated over the culprit.

Romano answered Sep 29 '22 11:09
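The two options discussed above (renaming the constant, or suppressing rule S2068 on just the affected field) side by side, as an added example that is not part of the question or the answer. The class and field names are illustrative, and the DB_PASSWORD environment variable is an assumption used to show what the rule is actually meant to catch.

```java
// Added example: scoping the S2068 suppression to the false positive only.
// Assumptions: rule key squid:S2068 as in the answer (newer SonarLint releases
// report the same rule as java:S2068); names below are illustrative.
public final class AuthMessages {

    // Option 1 from the question: rename so the identifier no longer matches the
    // rule's password heuristic. Nothing to suppress here.
    public static final String INVALID_PASSWORD_MESSAGE = "Your password is invalid.";

    // Option 2 (the answer): keep the name and suppress the rule on the single field,
    // not on the whole class, so genuine findings elsewhere still surface.
    @SuppressWarnings("squid:S2068") // Message text shown to the user, not a credential.
    public static final String INVALID_PASSWORD = "Your password is invalid.";

    // The status-code variant from the question gets the same field-level treatment.
    @SuppressWarnings("squid:S2068") // Error code, not a credential.
    public static final String INVALID_PASSWORD_CODE = "INVALID_PASSWORD";

    // What the rule exists to catch is a real secret written as a literal. That case
    // should not be suppressed; the secret is read from the environment (or a secrets
    // manager) at runtime instead. DB_PASSWORD is a hypothetical variable name.
    public static String databasePassword() {
        String value = System.getenv("DB_PASSWORD");
        if (value == null || value.isEmpty()) {
            throw new IllegalStateException("DB_PASSWORD is not set");
        }
        return value;
    }

    private AuthMessages() {
    }
}
```

Placing the annotation on the field rather than the class keeps the suppression auditable: each one carries its own justification comment and covers exactly one literal.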