rspec/rules/S2068/comments-and-links.adoc

=== on 25 Nov 2014, 20:38:42 Freddy Mallet wrote:
\[~ann.campbell.2] and [~nicolas.peru], for a first implementation, I would do the following things :

* Search for all literals containing "password=xxxx"
* Search for all local variable whose names contains 'password' and which are initialized with a hardcoded literal. 

=== on 15 Dec 2014, 10:14:47 Freddy Mallet wrote:
I've removed the tag "owasp-top10", as this vulnerability is no more part of OWASP Top 10 2013 in MITRE CWE referential

=== on 2 Feb 2015, 20:11:55 Sébastien Gioria wrote:
It's part of OWASP Top10 2013 A2 

=== on 3 Feb 2015, 19:50:13 Ann Campbell wrote:
Thanks [~sebastien.gioria]

=== on 18 May 2017, 15:06:06 Ann Campbell wrote:
In addition to "password", "passwd", &etc. implementations of this rule should also look for translations (list compiled with the help of Google Translate):


achinsinsi, adgangskode, codice, contrasena, contrasenya, contrasinal, cynfrinair, facal-faire, facalfaire, fjaleklaim, focalfaire, geslo, haslo, heslo, iphasiwedi, jelszo, kalmarsirri, katalaluan, katasandi, kennwort, kode, kupuhipa, loluszais, losen, losenord, lozinka, lykilorth, mathkau, modpas, motdepasse, olelohuna, oroigbaniwole, parol, parola, parole, parool, pasahitza, pasiwedhi, passe, passord, passwort, passwuert, paswoodu, phasewete, salasana, sandi, senha, sifre, sifreya, slaptazois, tenimiafina, upufaalilolilo, wachtwoord, wachtwurd, wagwoord

=== on 2 Mar 2018, 10:09:05 Tibor Blenessy wrote:
For posterity,  list of translated words was removed and replaced by customizable parameter, because this was raising too many false postives. See https://groups.google.com/a/sonarsource.com/forum/?utm_medium=email&utm_source=footer#!msg/dogfood-rules/QFT49lKYYGM/Q5ebuctTAgAJ[dogfood]  and other discussions.

=== on 3 May 2018, 18:21:25 Tibor Blenessy wrote:
\[~freddy.mallet] why do you think that semantic analysis is required? Current implementations (at least in SonarJava, SonarTS, SonarGo) rely only on AST, checking literal value or identifier name.

=== on 16 May 2018, 12:15:16 Freddy Mallet wrote:
You're right [~tibor.blenessy] according to the current functional scope of this rule. I've updated the 'Analysis Level' field. Thanks

=== on 29 Oct 2019, 19:55:00 Ann Campbell wrote:
\[~tolun.ardahanli] the https://docs.sonarqube.org/latest/extend/adding-coding-rules/#header-4[rule writing guide] says titles should be plural when possible. (Call me if you want the English language reasons.)  If there's a reason to make this one singular, then it now needs an article. 

=== on 30 Oct 2019, 14:56:47 Tolun Ardahanli wrote:
\[~ann.campbell.2] Thank you for your sharing and suggestion. I updated.

=== on 3 Mar 2020, 11:04:08 Pavel Mikula wrote:
Hi [~pierre-loup.tristant], 


Have you considered usage of term URI instead of URL? URI seems more generic to me and RFC 3986 defines URI and userInfo part of it. So I think URI should be prefered here.

=== on 3 Mar 2020, 15:14:17 Pierre-Loup Tristant wrote:
\[~pavel.mikula] I agree with you it should be URI instead or URL. You can go for "Review this hard-coded URI, which may contain a credential." as the new issue message.