False-Negative for same code in other project

Karthick_Chandran · September 22, 2020, 11:45pm

versions : SonarCloud paid
error observed : False-Negative for vulnerability

cryptoServiceProvider = new TripleDESCryptoServiceProvider();

The above line was flagged as

Use a strong cipher algorithm , csharpsquid:S5547 : Cipher algorithms should be robust

the same line was in another nuget class library, (in constructor) in but was not picked by SonarCloud

public SymmetricCryptoService(): base()
{
SymmetricAlgorithm = new TripleDESCryptoServiceProvider();
}

Hendrik_Buchwald · September 23, 2020, 7:39am

Hi Karthick,

I am sorry to hear that. Could you please share more of the code that surrounds the method call as it is likely related to the context/position of the code? Thanks!

Topic		Replies	Views
False positive or false negative? I don't care which but consistency would be real nice as a minimum SonarQube Server / Community Build java , sonarqube , security	3	1229	August 31, 2020
SonarCloud is not detecting vulnerabilities of the Project Report False-positive / False-negative... dotnet , sonarqube-cloud	19	1461	January 18, 2023
The assumption about the incorrect operation of the code verification system Report False-positive / False-negative... csharp , sonarqube-cloud	17	936	June 2, 2023
Property pattern matching and null-check false-negative Report False-positive / False-negative... csharp , sonarqube	1	801	March 16, 2022
Weak Cryptography alert in SonarQube for SHA256 SonarQube Server / Community Build javascript , security-hotspot	2	1656	October 26, 2021

False-Negative for same code in other project

Related topics