SONARXML-264 Fix FN on S2068 in web.config of .NET Web Applications

sonar-xml-plugin/src/main/java/org/sonar/plugins/xml/checks/security/HardcodedCredentialsCheck.java

@@ -47,6 +47,9 @@ public class HardcodedCredentialsCheck extends SimpleXPathBasedCheck {
   private static final XPathExpression WEB_CONFIG_CREDENTIALS_PATH = XPathBuilder
     .forExpression("/configuration/system.web/authentication[@mode=\"Forms\"]/forms/credentials[@passwordFormat=\"Clear\"]/user/@password[string-length(.) > 0]").build();
 
+  private static final XPathExpression WEB_CONFIG_APP_SETTINGS_ADD_PATH =
+    XPathBuilder.forExpression("//appSettings/add").build();
+
   private static final Pattern VALID_CREDENTIAL_VALUES = Pattern.compile("[\\{$#]\\{");
   private static final Pattern VALID_WEB_CONFIG_CREDENTIAL_VALUES = Pattern.compile("^__.*__$");
 
@@ -80,6 +83,9 @@ public void scanFile(XmlFile file) {
       evaluateAsList(WEB_CONFIG_CREDENTIALS_PATH, file.getDocument()).stream()
         .filter(passwordAttrNode -> !isValidWebConfigCredential(passwordAttrNode.getNodeValue()))
         .forEach(this::reportIssue);
+      evaluateAsList(WEB_CONFIG_APP_SETTINGS_ADD_PATH, file.getDocument()).stream()
+        .filter(HardcodedCredentialsCheck::isAddWithPassword)
+        .forEach(this::reportIssue);
     } else {
       checkElements(file.getDocument());
       checkSpecialCases(file);
@@ -152,6 +158,16 @@ private static boolean isValidWebConfigCredential(String candidate) {
     return isValidCredential(candidate) || VALID_WEB_CONFIG_CREDENTIAL_VALUES.matcher(candidate).matches();
   }
 
+  /** Detects nodes with key="password" and "value" attributes. */
+  private static boolean isAddWithPassword(Node node) {
+    NamedNodeMap attributes = node.getAttributes();
+    Optional<String> keyValueLowerCase =
+      Optional.ofNullable(attributes.getNamedItem("key"))
+          .map(Node::getNodeValue)
+          .map(String::toLowerCase);
+    return keyValueLowerCase.equals(Optional.of("password")) && attributes.getNamedItem("value") != null;
+  }
+
   private void checkSpecialCases(XmlFile file) {
     specialCases.forEach(specialCase -> specialCase.accept(file));
   }

sonar-xml-plugin/src/test/java/org/sonar/plugins/xml/checks/security/HardcodedCredentialsCheckTest.java

@@ -75,4 +75,9 @@ void web_application() {
     SonarXmlCheckVerifier.verifyIssues(Paths.get("web-application", "web.config").toString(), CHECK);
     SonarXmlCheckVerifier.verifyIssues(Paths.get("web-application", "Machine.config").toString(), CHECK);
   }
+
+  @Test
+  void web_application_app_settings() {
+    SonarXmlCheckVerifier.verifyIssues(Paths.get("app-settings", "web.config").toString(), CHECK);
+  }
 }

sonar-xml-plugin/src/test/resources/checks/HardcodedCredentialsCheck/app-settings/web.config

@@ -0,0 +1,15 @@
+<?xml version="1.0" encoding="utf-8"?>
+<configuration>
+    <location>
+        <system.webServer>
+            <aspNetCore processPath="dotnet" arguments=".\Hidden.dll" stdoutLogEnabled="false" stdoutLogFile="\\?\%home%\LogFiles\stdout" hostingModel="inprocess" />
+        </system.webServer>
+    </location>
+    <appSettings>
+        <add key="Password" value="thisisbad" /> <!-- Noncompliant -->
+        <add key="color" value="blue" />
+        <add key="password" value="thisisbadtoo" /> <!-- Noncompliant -->
+        <add key="password" />
+        <add something="else" />
+    </appSettings>
+</configuration>