Environment (please complete the following information):
- Version: 5.1.0
- Branch: SecurityCodeScan 2019
- Microsoft Visual Studio Enterprise 2019 Preview Version 16.10.0 Preview 1.0
- OS: Windows
Describe the bug
I am receiving a false positive SCS0015: Hardcoded value in 'byte[] SymmetricAlgorithm.Key'.
Repro
    using (Aes aes = Aes.Create())
    {
        byte[] key = _ecdh.DeriveKeyFromHash(publicKey, hashAlgorithm, encryptedData.Nonce, fixedInfo);
        try
        {
            aes.IV = encryptedData.IV;
            aes.Key = key; // SCS0015: Hardcoded value in byte[] SymmetricAlgorithm.Key
            ...
Where:
- _ecdh is an instance of ECDiffieHellman
- publicKey is an ECDiffieHellmanPublicKey instance
- hashAlgorithm is HashAlgorithmName.SHA256
- encryptedData.Nonce is a byte[] property on a DTO class
- encryptedData.IV is a byte[] property on a DTO class
- fixedInfo is a byte[]? parameter to the decrypt method
I've tried recreating this in a standalone project but cannot get SCS0015 to fire on that line, so I'm not quite sure which of the arguments to DeriveKeyFromHash is causing it to fail yet.