jenkins-infra / jenkins-codeql

Custom CodeQL code scanning rules for Jenkins
MIT License

False positive for plaintext-storage rule #13

Closed jlamasrios closed 2 years ago

jlamasrios commented 2 years ago

We're getting warnings for some fields named 'something'CredentialsId. For instance, check https://github.com/jenkinsci/genexus-plugin/security/code-scanning/28 which reports about

private String kbDbCredentialsId

(on GeneXusServerStep class)

I can see PlaintextPasswordStorage.ql reports any field that includes "credential" in its name, unless the name is exactly credentialsId.

This kbDbCredentialsId is actually analogous to the credentialsId case it intends to except. It just happens to use a different name due to the need to differentiate this Id from another one (there's another credentialsId field on the same class).

We may of course simply dismiss this alert, but maybe it makes sense to change the rule, making it check for names that include (or end with) "credentialsId" (also ignoring case)?
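One way to express the suffix-based exclusion proposed above, as an added CodeQL example rather than the project's own PlaintextPasswordStorage.ql (whose exact predicate is not shown on this page). The query metadata, predicate names and the restriction to String fields are assumptions for illustration; the name test treats any field whose name ends in "credentialsId", case-insensitively, as a reference to a stored credential rather than the secret itself.

```ql
/**
 * @name Plaintext credential storage, suffix-aware variant (added example)
 * @description Flags fields whose name mentions "credential" unless the name
 *              ends in "credentialsId" (case-insensitive). Those are treated
 *              as references to a credential by ID, not the secret itself.
 * @kind problem
 * @problem.severity warning
 * @id example/plaintext-credential-field
 */

import java

/**
 * Holds if `name` refers to a credential by ID, e.g. `credentialsId` or
 * `kbDbCredentialsId`. The `(?i)` flag makes the match case-insensitive, so
 * `KbDbCredentialsID` is accepted as well; `regexpMatch` anchors to the whole
 * string, so the pattern must cover any prefix.
 */
bindingset[name]
predicate isCredentialsIdName(string name) { name.regexpMatch("(?i).*credentialsid") }

/** Holds if `name` suggests the field may hold credential material. */
bindingset[name]
predicate mentionsCredential(string name) { name.regexpMatch("(?i).*credential.*") }

from Field f
where
  mentionsCredential(f.getName()) and
  not isCredentialsIdName(f.getName()) and
  // Assumption for this example: only String fields are of interest, matching
  // the `private String kbDbCredentialsId` shape reported in this issue.
  f.getType() instanceof TypeString
select f, "Field '" + f.getName() + "' appears to store a credential in plaintext."
```

With this predicate, `credentialsId` and `kbDbCredentialsId` are both excluded, while names such as `dbCredentials` or `credentialPassword` are still reported. The check remains a naming heuristic: a field called `fooCredentialsId` that actually holds a password would be missed, so when triaging an alert it is worth confirming that the value is only ever used to look a credential up in the Jenkins credentials store and is never used as the secret itself.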

daniel-beck commented 2 years ago

@jlamasrios Thanks for your report! I tried to exclude somePrefixCredentialsId fields from the check before, but unfortunately it didn't work. That's why it's currently as limited.

I'll try to revisit this. In the meantime, please just mark it as false positive.