SonarSource / sonar-dotnet

Code analyzer for C# and VB.NET projects
https://redirect.sonarsource.com/plugins/csharp.html
GNU Lesser General Public License v3.0

Improve S6781: Add an alternative message for config users #9677

Closed loris-s-sonarsource closed 1 month ago

loris-s-sonarsource commented 1 month ago

Why

This rule was implemented via https://github.com/SonarSource/sonar-dotnet/issues/8996. The current message is “JWT secret keys should not be disclosed.” When users hardcode their secrets in configuration files, there are chances that these configuration files are not stored in the version control system, and we do not have the possibility to understand whether they are. This is a source of false positives and AppSec is aware of it.

Still, users could be confused by this message. The goal of this ticket is to improve the user experience by not being so adamant in the message.

How

In cases where the secret is defined in configuration files, specified in #8996 as:

  • For .NET Framework applications: as a string in the section of App.config/web.config and obtained via the ConfigurationManager.AppSettings collection.
  • For .NET Core applications: as a string in the appsettings.json file and obtained via the IConfiguration interface.

Please change the raised message to what’s specified in https://github.com/SonarSource/rspec/pull/4362/files.
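
The two configuration patterns listed above, as an added example that is not from the issue or from sonar-dotnet: the App.config lookup and the appsettings.json/IConfiguration lookup that S6781 targets, plus a configuration that supplies the same key from an environment variable so that appsettings.json carries no secret. The key names `Jwt:SigningKey` and `JwtSigningKey`, the `Jwt__SigningKey` variable and the length check are assumptions for illustration.

```csharp
// Added example, not from the issue or sonar-dotnet. Key names, the environment
// variable and the placeholder check are assumptions for illustration.
using System;
using System.Text;
using Microsoft.Extensions.Configuration;   // Microsoft.Extensions.Configuration(.Json/.EnvironmentVariables)
using Microsoft.IdentityModel.Tokens;       // Microsoft.IdentityModel.Tokens

public static class JwtKeyLoader
{
    // RFC 7518 requires a key at least as long as the hash output for HS256,
    // i.e. 256 bits. Short or placeholder values fail at startup, not at the
    // first token issuance.
    private const int MinKeyBytes = 32;

    // .NET Framework pattern flagged by the rule: the key is a string in
    // App.config/web.config and is read through ConfigurationManager.AppSettings.
    //   <appSettings>
    //     <add key="JwtSigningKey" value="..." />
    //   </appSettings>
    // Fully qualified, because Microsoft.Extensions.Configuration also defines a
    // ConfigurationManager type and the using above would make the name ambiguous.
    public static SymmetricSecurityKey FromAppSettings()
    {
        string secret = System.Configuration.ConfigurationManager.AppSettings["JwtSigningKey"];
        return Build(secret, "appSettings/JwtSigningKey");
    }

    // .NET Core pattern flagged by the rule: the key is a string in
    // appsettings.json and is read through IConfiguration.
    //   { "Jwt": { "SigningKey": "..." } }
    public static SymmetricSecurityKey FromConfiguration(IConfiguration configuration)
    {
        string secret = configuration["Jwt:SigningKey"];
        return Build(secret, "Jwt:SigningKey");
    }

    // Same IConfiguration lookup, but appsettings.json holds no "SigningKey" entry.
    // The environment-variable provider maps Jwt__SigningKey to the key
    // "Jwt:SigningKey", so FromConfiguration() works unchanged while the secret
    // never sits in a file that might be committed. Providers added later win,
    // so an environment value also overrides anything left in the JSON file.
    public static IConfiguration BuildConfigurationWithoutCommittedKey()
    {
        return new ConfigurationBuilder()
            .AddJsonFile("appsettings.json", optional: true, reloadOnChange: false)
            .AddEnvironmentVariables()
            .Build();
    }

    // Shared validation: reject missing, placeholder and too-short keys before
    // they reach the token handler.
    private static SymmetricSecurityKey Build(string secret, string source)
    {
        if (string.IsNullOrWhiteSpace(secret))
            throw new InvalidOperationException($"JWT signing key missing from {source}.");

        // Assumed placeholder that a template might leave behind.
        if (secret.Equals("CHANGE_ME", StringComparison.OrdinalIgnoreCase))
            throw new InvalidOperationException($"JWT signing key in {source} is still the placeholder value.");

        byte[] keyBytes = Encoding.UTF8.GetBytes(secret);
        if (keyBytes.Length < MinKeyBytes)
            throw new InvalidOperationException(
                $"JWT signing key in {source} is {keyBytes.Length} bytes; HS256 needs at least {MinKeyBytes}.");

        return new SymmetricSecurityKey(keyBytes);
    }
}
```

Usage: `JwtKeyLoader.FromConfiguration(JwtKeyLoader.BuildConfigurationWithoutCommittedKey())` with `Jwt__SigningKey` set in the process environment (or, in development, the user-secrets store added via `AddUserSecrets`) resolves the key without appsettings.json ever containing it; the analyzer cannot see whether a given JSON or XML file is under version control, which is the ambiguity the ticket's message change addresses.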

loris-s-sonarsource commented 1 month ago

Closing this ticket. Wrong backlog!