Azure / appcat-rulesets

Repository for maintaining Rulesets for Windup
Eclipse Public License 2.0

Password found in configuration false positive #186

Open mnriem opened 8 months ago

mnriem commented 8 months ago

When a substitution variable is used to pass in a password it still flags the issue even though there is no hardcoded password.

showpune commented 4 months ago

I have some concerns about the requirement:

1) For now we just check the password keywords in yaml/properties files, as it is not a good practice to define the password in a yaml/properties file in source code, even with a variable. Normally the yaml/properties file is dispatched in a different way, like a config server/service config, not with the source code, so it is worth reporting. Or can we have a customer sample?
2) Now, if you upload source code with password keywords in yaml/properties files, even with a variable, we will get an alert from GitHub, so it is worth reporting.
3) Technically it is hard to implement a check for whether a variable is a real password or not.

mnriem commented 3 months ago

As part of a Spring Boot application, it is common to see variable substitution. The rule now triggers regardless of whether or not it has a `${ }` in a property that mentions the word password. The regular expression matching the content should exclude a 'password' with '${ }' anywhere in the content. Or at least flag it as informational instead of mandatory.

mnriem commented 3 months ago

@karianna @showpune Should this be closed out?

karianna commented 3 months ago

It doesn't seem resolved to me so I think we keep it open for now.

mnriem commented 3 months ago

It was labeled as won't fix?

karianna commented 3 months ago

I'll check with the team here. The new Kantra based version may have some options around this.

brunoborges commented 1 month ago

@showpune can your team help with experimenting with more advanced regular expressions to ignore common scenarios such as `${envvar}`?
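The classification the thread is asking for, as an added illustration that is not part of this repository or of the Windup/Kantra rule engine: a scanner over properties/YAML lines that reports a literal password value as mandatory, downgrades a pure `${...}` substitution to informational, and (going one step beyond the thread) still reports a `${VAR:default}` placeholder whose default is a literal, since that fallback is itself committed to source. The sample lines, regexes and severity names are constructed for this example.

```python
import re

# Constructed sample config lines (Spring-style properties and YAML); not from the issue.
SAMPLE_LINES = [
    "spring.datasource.password=${DB_PASSWORD}",           # externalised -> informational
    "spring.datasource.password=${DB_PASSWORD:changeme}",  # literal default -> mandatory
    "spring.datasource.password=hunter2",                  # literal value -> mandatory
    "  password: ${env.DB_PASSWORD}",                      # YAML, externalised -> informational
    "  password: s3cr3t",                                  # YAML literal -> mandatory
    "  password:",                                         # empty value -> not reported
    "# password is injected by the config server",         # comment -> not reported
    "spring.datasource.username=appuser",                  # key without 'password' -> ignored
]

# Key containing 'password' (dotted/bracketed segments allowed), then ':' or '=', then the value.
KEY_RE = re.compile(r"^\s*([\w.\-\[\]]*password[\w.\-\[\]]*)\s*[:=]\s*(.*?)\s*$", re.IGNORECASE)
# Whole value is a single ${...} placeholder.
PLACEHOLDER_RE = re.compile(r"^\$\{[^}]*\}$")
# ${NAME:default} form; group 1 is the literal default.
DEFAULT_RE = re.compile(r"^\$\{[^}:]+:(.+)\}$")


def classify_line(line):
    """Return (severity, reason) for a password-like line, or None if nothing to report."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None  # blank or comment line
    match = KEY_RE.match(line)
    if not match:
        return None  # key does not mention 'password'
    value = match.group(2).strip("\"'")
    if value == "":
        return None  # key present but no value assigned
    if PLACEHOLDER_RE.match(value):
        default = DEFAULT_RE.match(value)
        if default and default.group(1).strip():
            return ("mandatory", "placeholder carries a literal default value")
        return ("informational", "externalised via substitution variable")
    return ("mandatory", "literal password value")


def scan(lines):
    """Scan config lines; return a list of (line_no, severity, reason) findings."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        result = classify_line(line)
        if result:
            findings.append((line_no, *result))
    return findings


if __name__ == "__main__":
    for line_no, severity, reason in scan(SAMPLE_LINES):
        print(f"line {line_no}: {severity} - {reason}")
```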