False Positive for typescript:S4790

SonarCloud reports a false positive security hotspot for the rule typescript:S4790, even though the safe SHA-256 hash algorithm is clearly used here.

```typescript
type GenHash = (str: string) => PromiseLike<ArrayBuffer>;
const genHash: GenHash = (str) => {
    const encoder = new TextEncoder();
    const data = encoder.encode(str); // UTF-8 bytes of the input string
    return window.crypto.subtle.digest('SHA-256', data); // reported line
};
```

Hello @dulehero,

Thank you for your message, and welcome to SonarSource community.

The false-positive you are mentioning used to be a true-positive. However, the specification of the rule happened to change in the meantime; using SHA-256 should no longer be reported as sensitive as you rightfully pointed out.

We already have a ticket to fix this inconsistency but haven’t had the opportunity to address it yet. It remains in our pipe and we will tackle this false-positive as soon as possible.

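An added example, not SonarSource's rule implementation, that sketches the behaviour the reply describes: a small source scanner that marks hashing calls using weak algorithms such as MD5 or SHA-1 as sensitive while leaving `SHA-256` alone, so the reported line above would not be raised. The algorithm list, the regex and the constructed sample source are assumptions.

```typescript
// Algorithms a "weak hashing" hotspot should still flag (assumed list).
const WEAK_HASHES = new Set(['md2', 'md4', 'md5', 'sha1', 'sha-1', 'ripemd160']);

interface Finding {
  line: number;      // 1-based line in the scanned source
  algorithm: string; // algorithm literal as written in the call
  sensitive: boolean; // true only for weak algorithms
}

function isWeakHash(alg: string): boolean {
  return WEAK_HASHES.has(alg.trim().toLowerCase());
}

// Scans TS/JS source text for WebCrypto `subtle.digest('ALG', ...)` and Node
// `createHash('ALG')` calls and returns a verdict for each one found.
function scanSource(source: string): Finding[] {
  const findings: Finding[] = [];
  source.split('\n').forEach((text, idx) => {
    // Fresh regex per line so the `g` lastIndex state never leaks between lines.
    const re = /\b(?:subtle\.digest|createHash)\(\s*['"`]([^'"`]+)['"`]/g;
    let m: RegExpExecArray | null;
    while ((m = re.exec(text)) !== null) {
      findings.push({ line: idx + 1, algorithm: m[1], sensitive: isWeakHash(m[1]) });
    }
  });
  return findings;
}

// Lines that would be raised as hotspots under the corrected specification.
function sensitiveLines(source: string): number[] {
  return scanSource(source).filter((f) => f.sensitive).map((f) => f.line);
}

// Constructed sample: the snippet from the report plus two genuinely weak calls.
const SAMPLE = [
  'const data = new TextEncoder().encode(str);',
  "return window.crypto.subtle.digest('SHA-256', data);", // must not be reported
  "const legacy = crypto.createHash('md5').update(str).digest('hex');",
  "await window.crypto.subtle.digest('SHA-1', data);",
].join('\n');
```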
