JS: Remove some FPs from the hardcoded-credentials query #16417
Merged
Fixes #16360 and #16359.
Replaces #16244
I looked at what credentials-kinds we have, and I found the below (list is possibly non-exhaustive):
I changed the last two to just `user name` and `password`.
We already filtered away keys that look like dummy passwords for `password`, `credentials`, and `token`, and it seemed reasonable to just add `key` to that list.
I also added a note in the QHelp with two sample passwords that we recognize as dummy-passwords.
Evaluations (nightly, default) look reasonable.
It removes keys that are obviously not meant to be actual secrets or whose values are used for tests.
And performance is unaffected.