SonarSource · dorian-burihabwa-sonarsource · Sep 17, 2024
diff --git a/...-common/src/main/java/org/sonar/java/checks/helpers/HardcodedStringExpressionChecker.java b/...-common/src/main/java/org/sonar/java/checks/helpers/HardcodedStringExpressionChecker.java
@@ -27,6 +27,7 @@
 import org.sonar.plugins.java.api.JavaFileScannerContext;
 import org.sonar.plugins.java.api.semantic.MethodMatchers;
 import org.sonar.plugins.java.api.semantic.Symbol;
+import org.sonar.plugins.java.api.tree.ArrayAccessExpressionTree;
 import org.sonar.plugins.java.api.tree.BinaryExpressionTree;
 import org.sonar.plugins.java.api.tree.ConditionalExpressionTree;
 import org.sonar.plugins.java.api.tree.ExpressionTree;
@@ -108,6 +109,12 @@ public static boolean isExpressionDerivedFromPlainText(ExpressionTree expression
     Set<Symbol> visited) {
     ExpressionTree arg = ExpressionUtils.skipParentheses(expression);
     switch (arg.kind()) {
+      case ARRAY_ACCESS_EXPRESSION:
+        var access = (ArrayAccessExpressionTree) arg;
+        IdentifierTree arrayIdentifier = (IdentifierTree) access.expression();
+        VariableTree variable = (VariableTree) arrayIdentifier.symbol().declaration();
+        NewArrayTree initializer = (NewArrayTree) variable.initializer();
+        return isDerivedFromPlainText(initializer, secondaryLocations, visited);
       case IDENTIFIER:
         IdentifierTree identifier = (IdentifierTree) arg;
         return isDerivedFromPlainText(identifier, secondaryLocations, visited);

diff --git a/...ces/aws/src/main/java/checks/security/HardCodedCredentialsShouldNotBeUsedCheckSample.java b/...ces/aws/src/main/java/checks/security/HardCodedCredentialsShouldNotBeUsedCheckSample.java
@@ -40,6 +40,15 @@ public class HardCodedCredentialsShouldNotBeUsedCheckSample {
   private static char[] secretCharArrayField = new char[]{0xC, 0xA, 0xF, 0xE};
   private static CharSequence secretCharSequenceField = "Hello, World!".subSequence(0, 12);
 
+  public static final String[] SECRETS = {"secret_key"};
+  public static final String JWT_SECRET = SECRETS[0];
+
+  public String getSecretToken() {
+    return Jwts.builder()
+      .signWith(SignatureAlgorithm.HS256, JWT_SECRET)
+      .compact();
+  }
+
   public static void nonCompliant(byte[] message, boolean condition, Charset encoding, SignatureAlgorithm paremSignatureAlgorithm) throws ServletException, KeyStoreException, UnrecoverableKeyException, NoSuchAlgorithmException, UnsupportedEncodingException, jakarta.servlet.ServletException {
     // byte array based
     SHA256.getHMAC(FINAL_SECRET_BYTE_ARRAY, message); // Noncompliant {{Revoke and change this password, as it is compromised.}}