
SONARJAVA-6528 S2068, S6418, and S6437: Make use of common secret exclusion filter #5745

Open

pierre-loup-tristant-sonarsource wants to merge 1 commit into master from plt/sonarjava-6528

SONARJAVA-6528 S2068, S6418, and S6437: Make use of common secret exclusion filter#5745
pierre-loup-tristant-sonarsource wants to merge 1 commit into
masterfrom
plt/sonarjava-6528

Conversation

@pierre-loup-tristant-sonarsource

Contributor

Part of SONARJAVA-6528

@hashicorp-vault-sonar-prod

hashicorp-vault-sonar-prod Bot commented Jul 2, 2026

Contributor

SONARJAVA-6528

String variable6 = "login=a&bazooka=xxx"; // Compliant, short value filter
String variable6_2 = "login=a&bazooka=xvxf6_gaa"; // Noncompliant

String variableNameWithBazookaInIt = "xxx"; // Compliant, , short value filter


💡 Quality: Typos in new test-fixture comments

A few of the newly added/modified explanatory comments contain typos:

  • HardCodedPasswordCheckCustom.java:20 and :28 both read // Compliant, , short value filter with a doubled comma.
  • HardCodedPasswordCheckSample.java:226 uses a triple-slash /// instead of // (myA.setProperty("password", "xxxxx"); /// Compliant, short value filter).

These are harmless to the check semantics (comments only) but worth cleaning up for consistency with the surrounding fixtures. Fix by removing the extra comma and the extra slash respectively.

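The fixture lines quoted above show one instance of what a "short value filter" does: a literal such as `"xxx"` is treated as a placeholder rather than a real secret, while `"xvxf6_gaa"` is still reported. The class below is an added illustration, not SonarJava's implementation of the common secret exclusion filter; the length threshold, the placeholder patterns and the list of credential-looking keys (including the custom word `bazooka` from the `HardCodedPasswordCheckCustom` fixture) are assumptions made for this example.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added illustration, not SonarJava's code: a simplified secret-exclusion filter
// of the kind the fixture comments ("Compliant, short value filter") refer to.
public final class SecretExclusionFilter {

  // Assumption: a secret part shorter than this is treated as a placeholder.
  private static final int MIN_SECRET_LENGTH = 7;

  // Assumption: common placeholder spellings that are never real secrets.
  private static final Pattern PLACEHOLDER = Pattern.compile(
      "^(x+|\\*+|changeme|password|secret|todo|tbd|\\$\\{[^}]*\\}|<[^>]*>)$",
      Pattern.CASE_INSENSITIVE);

  // Assumption: for query-string style literals only the value following a
  // credential-looking key is the candidate secret ("bazooka" is the custom
  // credential word used in the HardCodedPasswordCheckCustom fixture).
  private static final Pattern CREDENTIAL_PAIR = Pattern.compile(
      "(?i)\\b(password|passwd|pwd|secret|token|api[_-]?key|bazooka)=([^&\\s]*)");

  private SecretExclusionFilter() {
  }

  /** Returns the part of the literal that would actually be the secret. */
  static String secretPart(String literal) {
    Matcher m = CREDENTIAL_PAIR.matcher(literal);
    return m.find() ? m.group(2) : literal;
  }

  /** True when the literal should be excluded, i.e. NOT reported as a hard-coded secret. */
  public static boolean isExcluded(String literal) {
    String secret = secretPart(literal).trim();
    if (secret.length() < MIN_SECRET_LENGTH) {
      return true; // short value filter
    }
    if (PLACEHOLDER.matcher(secret).matches()) {
      return true; // obvious placeholder such as "xxx" or "${DB_PASSWORD}"
    }
    // A long run of a single repeated character ("aaaaaaaaaa") is still a placeholder.
    return secret.chars().distinct().count() == 1;
  }

  public static void main(String[] args) {
    // Constructed inputs mirroring the fixture lines quoted in the review comment.
    String[] samples = {
        "login=a&bazooka=xxx",       // excluded: candidate value "xxx" is shorter than 7
        "login=a&bazooka=xvxf6_gaa", // reported: 9-character, non-placeholder value
        "xxx",                       // excluded: short placeholder
        "xxxxx",                     // excluded: short placeholder
        "aaaaaaaaaaaaaaaa",          // excluded: one repeated character
        "${DB_PASSWORD}",            // excluded: configuration placeholder
        "s3cr3t-Value-2024"          // reported: looks like a real secret
    };
    for (String s : samples) {
      System.out.printf("%-30s -> %s%n", '"' + s + '"', isExcluded(s) ? "excluded" : "reported");
    }
  }
}
```

Running `main` prints one line per sample; the two query-string literals come out as `excluded` and `reported` respectively, matching the `Compliant` / `Noncompliant` markers in the fixture. Whatever threshold a real filter uses, the test fixture has to pin it from both sides, which is why the fixture pairs a short value with a slightly longer one.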

@sonarqube-next

sonarqube-next Bot commented Jul 3, 2026


@gitar-bot

gitar-bot Bot commented Jul 3, 2026

CI failed: The PR causes test failures in the `java-checks-aws` module, specifically in `HardCodedCredentialsShouldNotBeUsedCheckTest`, due to a discrepancy between the expected and actual number of detected security issues.

Overview

Multiple CI jobs failed consistently during the test execution phase of the java-checks-aws module. The analysis reveals a regression in HardCodedCredentialsShouldNotBeUsedCheckTest triggered by the recent changes to secret exclusion filtering.

Failures

Test Regression in HardCodedCredentialsShouldNotBeUsedCheckTest (confidence: high)

  • Type: test
  • Affected jobs: 84801679890, 84811299911, 85014637765, 84801224806
  • Related to change: yes
  • Root cause: The refactoring of secret exclusion logic led to a change in the number of issues detected by HardCodedCredentialsShouldNotBeUsedCheck. The test expects 47 issues but now reports 55, indicating that the new logic is either more sensitive than expected or correctly identifying previously missed violations.
  • Suggested fix: Review the 8 additional issues identified by the check in HardCodedCredentialsShouldNotBeUsedCheckSample.java. If these are correct findings under the new logic, update the test expectations (issue markers) in the sample file to match the new count.

Summary

  • Change-related failures: 1 (Test regression in java-checks-aws following secret filter refactor).
  • Infrastructure/flaky failures: 0
  • Recommended action: The developer should examine the surefire-reports for java-checks-aws, verify if the 8 additional issues are intended behavior, and update the test case expectations accordingly.

Code Review 👍 Approved with suggestions (0 resolved / 1 findings)

Refactors S2068, S6418, and S6437 to utilize the common secret exclusion filter. Address minor typos identified in the new test-fixture comments to finalize the implementation.

💡 Quality: Typos in new test-fixture comments

  • java-checks-test-sources/default/src/main/java/checks/HardCodedPasswordCheckCustom.java:20
  • java-checks-test-sources/default/src/main/java/checks/HardCodedPasswordCheckCustom.java:28
  • java-checks-test-sources/default/src/main/java/checks/HardCodedPasswordCheckSample.java:226
  • java-checks-test-sources/aws/src/main/java/checks/security/HardCodedCredentialsShouldNotBeUsedCheckSample.java:146

A few of the newly added/modified explanatory comments contain typos:

  • HardCodedPasswordCheckCustom.java:20 and :28 both read // Compliant, , short value filter with a doubled comma.
  • HardCodedPasswordCheckSample.java:226 uses a triple-slash /// instead of // (myA.setProperty("password", "xxxxx"); /// Compliant, short value filter).

These are harmless to the check semantics (comments only) but worth cleaning up for consistency with the surrounding fixtures. Fix by removing the extra comma and the extra slash respectively.


