Need help for Weak Cryptography alert in SonarQube for SHA256

Kaisha_kumar · January 27, 2021, 1:15pm

Must-share information (formatted with Markdown):

which versions are you using- 8.6

We have analyze our project in SonarQube. After analysis, sonarqube is flagging for medium hotspot alert for new HMACSHA256(secret)). Not sure why we are getting alert for this.

            var secret = Encoding.UTF8.GetBytes(fmsSecret);
            using (var hasher = new HMACSHA256(secret))

As per recommendation, SHA256 are safer alternative. Not sure why this is being highlighted and how to fix it.

Regards,
Ashutosh

eric.therond · January 28, 2021, 8:26am

Hello @Kaisha_kumar

thank you for your report

You are right, the rule should not raise when using HMACSHA256, it has been fixed recently (see this ticket) and it will be available in the next version of SonarQube

Eric

Kaisha_kumar · January 28, 2021, 8:28am

Hi Eric,

Thanks for the update. Will wait for the next release to get the fix for this rule.

Regards,
Ashutosh

system · February 4, 2021, 8:28am

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Weak Cryptography alert in SonarQube for SHA256 SonarQube Server / Community Build javascript , security-hotspot	2	1595	October 26, 2021
Odd Security hotspot for python - Weak Cryptography SonarQube Cloud python , security-hotspot , sonarqube-cloud	3	852	December 15, 2020
Why SonarQube doesn't spot some obvious vulnerabilities SonarQube Server / Community Build	3	422	October 13, 2022
Issue with Cryptographic hash algorithms SonarQube Server / Community Build typescript , sonarqube , scanner	3	2166	March 31, 2022
Sonarqube scanned a wrong security hotspots SonarQube Server / Community Build javascript , sonarqube	1	1771	November 1, 2021

Need help for Weak Cryptography alert in SonarQube for SHA256

Related topics