Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix S2068 TP/FP: Stop raising issues for form credentials of web.config #7982

Open
hendrik-buchwald-sonarsource opened this issue Sep 7, 2023 · 0 comments
Open

Fix S2068 TP/FP: Stop raising issues for form credentials of web.config #7982

hendrik-buchwald-sonarsource opened this issue Sep 7, 2023 · 0 comments
Labels
Area: Security Related to Vulnerability and Security Hotspot rules Type: False Positive Rule IS triggered when it shouldn't be.

Comments

@hendrik-buchwald-sonarsource
Copy link

hendrik-buchwald-sonarsource commented Sep 7, 2023
edited
Loading

Description

In SONARXML-169 support for hardcoded clear-text credentials in web.config files was added. Now there is an overlap with the rule for sonar-dotnet, i.e. issues will be reported twice. So even though it is a true positive, it would be best if sonar-dotnet does not raise an issue for this specific case anymore.

There is also a false positive that is raised for the attribute passwordFormat that sets the password format.

Repro steps

<configuration>
  <system.web>
     <authentication mode="Forms">
      <forms>
        <credentials passwordFormat="Clear">  <!-- FP -->
          <user name="admin" password="password" />  <!-- unwanted TP -->
        </credentials>
      </forms>
    </authentication>
  </system.web>
</configuration>

Expected behavior

No issues should be raised in web.config files for children of <configuration><system.web><authentication mode="Forms"><forms> that contain attributes with a keyword like password.

Actual behavior

Issues are raised for <credentials passwordFormat="Clear"> and <user name="admin" password="password" />.
@hendrik-buchwald-sonarsource hendrik-buchwald-sonarsource added the Area: Security Related to Vulnerability and Security Hotspot rules label Sep 7, 2023
@hendrik-buchwald-sonarsource hendrik-buchwald-sonarsource changed the title Fix S2068 TP/FP: Issue title Fix S2068 TP/FP: Stop raising issues for form credentials of web.config Sep 7, 2023
@pavel-mikula-sonarsource pavel-mikula-sonarsource added Type: False Positive Rule IS triggered when it shouldn't be. and removed Type: Improvement labels Jun 13, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Area: Security Related to Vulnerability and Security Hotspot rules Type: False Positive Rule IS triggered when it shouldn't be.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@pavel-mikula-sonarsource @hendrik-buchwald-sonarsource @zsolt-kolbay-sonarsource