SonarCloud reports a false positive security hotspot for the rule typescript:S4790, even though safe SHA-256 has algorithm is clearly used here.
type GenHash = (str: string) => PromiseLike<ArrayBuffer>;
const genHash: GenHash = (str) => {
const encoder = new TextEncoder();
const data = encoder.encode(str);
return window.crypto.subtle.digest('SHA-256', data); // reported line
};
Hello @dulehero,
Thank you for your message, and welcome to SonarSource community.
The false-positive you are mentioning used to be a true-positive. However, the specification of the rule happened to change in the meantime; using SHA-256 should no longer be reported as sensitive as you rightfully pointed out.
We already have a ticket to fix this inconsistency but haven’t had the opportunity to address it yet. It remains in our pipe and we will tackle this false-positive as soon as possible.
Regards,
Yassin
This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.