Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.
And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.
AvoidUsingPlainTextForPassword docs do not cover all checked parameter names
See original GitHub issueI have a script parameter that holds a path to the encrypted credential file named $CredentialFile for which I get the warning:
Parameter ‘$CredentialFile’ should use SecureString, otherwise this will expose sensitive information. See ConvertTo-SecureString for more information.
There is no reason for me use SecureString here and I cannot think of a better alternative to the parameter name, so it would be nice to suppress this message for this particular instance, but not to the whole file or project. Besides, the documentation for PSAvoidUsingPlainTextForPassword needs to include Credential and whatever other strings it gets triggered of, since it only mentions one word: Password.
Issue Analytics
- State:
- Created 3 years ago
- Comments:5 (3 by maintainers)
Top Results From Across the Web
Top Related Medium Post
Top Related StackOverflow Question
Troubleshoot Live Code
Top Related Reddit Thread
Top Related Hackernoon Post
Top Related Tweet
Top Related Dev.to Post
Top Related Hashnode Post
Addressing your title, see https://github.com/PowerShell/PSScriptAnalyzer#suppressing-rules.
Agreed.
It seems the list of terms is:
https://github.com/PowerShell/PSScriptAnalyzer/blob/c78f5a60c1f49a5e767286ff6323a2ec0788991a/Rules/AvoidUsingPlainTextForPassword.cs#L34
And those terms only need to appear within the parameter/variable name to trigger the rule:
https://github.com/PowerShell/PSScriptAnalyzer/blob/c78f5a60c1f49a5e767286ff6323a2ec0788991a/Rules/AvoidUsingPlainTextForPassword.cs#L45
We would welcome your PR to update the docs here
Not yet; we would welcome your contribution.
Ultimately this is a very heuristic rule and the idea is we can infer what should be a secure string based on the name of parameters. But most users seem to appreciate that. I think a regex is probably the way to go. Something like: