MD5 usage not flagged as vulnerability, why?

Hi there,

I’ve created a little snippet that uses the MD5CryptoServiceProvider, which I would expect to be flagged as a vulnerability. It’s not, however. Could anyone please explain why?

See: https://sonarcloud.io/code?id=simplewebapp&pullRequest=50&selected=simplewebapp%3ASimpleMVCApp%2FControllers%2FHomeController.cs

@Nicolas_Harraudeau

Hi @staal-it,

Thanks for posting your question here. It will be easier to answer than on Twitter.

I see that you enabled the corresponding rule in your quality profile and that you have issues raised for new MD5CryptoServiceProvider() on the master branch. Thus issues should also be raised on Pull Requests.

Was your pull request analyzed after the modification to the Quality Profile, i.e. after January 15, 2019, and was your project already using this quality profile at that time?

If you try to push again on this pull request, is the issue still missing?

Hi @Nicolas_Harraudeau,

I think the pull-request was created after I made the modification to the Quality Profile, but I’m not completely sure. I did create a new pull-request and it worked perfectly this time!

Thanks for your help!