Skip to content

SONARJAVA-6528 S2068, S6418, and S6437: Make use of common secret exclusion filter#5745

Merged
pierre-loup-tristant-sonarsource merged 3 commits into
masterfrom
plt/sonarjava-6528
Jul 10, 2026
Merged

SONARJAVA-6528 S2068, S6418, and S6437: Make use of common secret exclusion filter#5745
pierre-loup-tristant-sonarsource merged 3 commits into
masterfrom
plt/sonarjava-6528

Conversation

@pierre-loup-tristant-sonarsource

@pierre-loup-tristant-sonarsource pierre-loup-tristant-sonarsource commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

Part of SONARJAVA-6528


Summary by Gitar

  • Dependency updates:
    • Upgraded analyzer-commons to version 2.25.0.4954.
  • Security checks improvements:
    • Integrated SecretClassifier into S2068, S6418, and S6437 to filter out known non-secret fake values.
    • Refactored AbstractHardCodedCredentialChecker to use SecretClassifier for identifying potential credentials instead of hardcoded lists and length checks.

This will update automatically on new commits.

@hashicorp-vault-sonar-prod

hashicorp-vault-sonar-prod Bot commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

SONARJAVA-6528

@pierre-loup-tristant-sonarsource pierre-loup-tristant-sonarsource force-pushed the plt/sonarjava-6528 branch 2 times, most recently from 8067e70 to d6658b5 Compare July 6, 2026 07:23

@asya-vorobeva asya-vorobeva left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💯

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you @pierre-loup-tristant-sonarsource, looks great already! I made some suggestions inline on how to improve this, let me know if something feels off and/or unclear!

@gitar-bot

gitar-bot Bot commented Jul 9, 2026

Copy link
Copy Markdown
Code Review ✅ Approved 1 resolved / 1 findings

Integrates SecretClassifier into security rules S2068, S6418, and S6437 to improve credential filtering, while resolving typos in test-fixture comments. No issues found.

✅ 1 resolved
Quality: Typos in new test-fixture comments

📄 java-checks-test-sources/default/src/main/java/checks/HardCodedPasswordCheckCustom.java:20 📄 java-checks-test-sources/default/src/main/java/checks/HardCodedPasswordCheckCustom.java:28 📄 java-checks-test-sources/default/src/main/java/checks/HardCodedPasswordCheckSample.java:226 📄 java-checks-test-sources/aws/src/main/java/checks/security/HardCodedCredentialsShouldNotBeUsedCheckSample.java:146
A few of the newly added/modified explanatory comments contain typos:

  • HardCodedPasswordCheckCustom.java:20 and :28 both read // Compliant, , short value filter with a doubled comma.
  • HardCodedPasswordCheckSample.java:226 uses a triple-slash /// instead of // (myA.setProperty("password", "xxxxx"); /// Compliant, short value filter).

These are harmless to the check semantics (comments only) but worth cleaning up for consistency with the surrounding fixtures. Fix by removing the extra comma and the extra slash respectively.

Options

Auto-apply is off → Gitar will not commit updates to this branch.
Display: compact → Showing less information.

Comment with these commands to change the behavior for this request:

Auto-apply Compact
gitar auto-apply:on         
gitar display:verbose         

Was this helpful? React with 👍 / 👎 | Gitar

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@sonarqube-next

Copy link
Copy Markdown

@pierre-loup-tristant-sonarsource pierre-loup-tristant-sonarsource merged commit 5f06049 into master Jul 10, 2026
15 checks passed
@pierre-loup-tristant-sonarsource pierre-loup-tristant-sonarsource deleted the plt/sonarjava-6528 branch July 10, 2026 07:39
@gitar-bot

gitar-bot Bot commented Jul 10, 2026

Copy link
Copy Markdown
Code Review ✅ Approved 1 resolved / 1 findings

Integrates SecretClassifier into security rules S2068, S6418, and S6437 to improve credential filtering, while resolving typos in test-fixture comments. No issues found.

✅ 1 resolved
Quality: Typos in new test-fixture comments

📄 java-checks-test-sources/default/src/main/java/checks/HardCodedPasswordCheckCustom.java:20 📄 java-checks-test-sources/default/src/main/java/checks/HardCodedPasswordCheckCustom.java:28 📄 java-checks-test-sources/default/src/main/java/checks/HardCodedPasswordCheckSample.java:226 📄 java-checks-test-sources/aws/src/main/java/checks/security/HardCodedCredentialsShouldNotBeUsedCheckSample.java:146
A few of the newly added/modified explanatory comments contain typos:

  • HardCodedPasswordCheckCustom.java:20 and :28 both read // Compliant, , short value filter with a doubled comma.
  • HardCodedPasswordCheckSample.java:226 uses a triple-slash /// instead of // (myA.setProperty("password", "xxxxx"); /// Compliant, short value filter).

These are harmless to the check semantics (comments only) but worth cleaning up for consistency with the surrounding fixtures. Fix by removing the extra comma and the extra slash respectively.

Options

Auto-apply is off → Gitar will not commit updates to this branch.
Display: compact → Showing less information.

Comment with these commands to change the behavior for this request:

Auto-apply Compact
gitar auto-apply:on         
gitar display:verbose         

Was this helpful? React with 👍 / 👎 | Gitar

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants