Need help for Weak Cryptography alert in SonarQube for SHA256

Must-share information (formatted with Markdown):

  • which versions are you using- 8.6

We have analyze our project in SonarQube. After analysis, sonarqube is flagging for medium hotspot alert for new HMACSHA256(secret)). Not sure why we are getting alert for this.

            var secret = Encoding.UTF8.GetBytes(fmsSecret);
            using (var hasher = new HMACSHA256(secret)) 

As per recommendation, SHA256 are safer alternative. Not sure why this is being highlighted and how to fix it.


1 Like

Hello @Kaisha_kumar

thank you for your report

You are right, the rule should not raise when using HMACSHA256, it has been fixed recently (see this ticket) and it will be available in the next version of SonarQube


1 Like

Hi Eric,

Thanks for the update. Will wait for the next release to get the fix for this rule.


This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.