S4432 does not trigger (AES encryption algorithm should be used with secured mode)

sonarqube
csharp

(Ludovic Flender) #1

SonarC# Analyzer v7.5.0.6605 & v7.8.0.7320

Rule does not trigger with provided example:
using System.Security.Cryptography;

AesManaged aes = new AesManaged
{
    KeySize = 128,
    BlockSize = 128,
    Mode = CipherMode.OFB, // Noncompliant
    Padding = PaddingMode.PKCS7
};

Rule does not trigger either with the CipherModes described in the issue: CBC, ECB.
Actually, I cannot trigger the rule at all.
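The following is an added example, not code from either post. It puts the AesManaged shape that S4432 reports (CBC here; ECB and OFB are the same class of finding, and OFB is rejected at runtime by AesManaged, so CBC is used for the runnable version) next to AES-GCM through the .NET AesGcm class, which this example assumes is the compliant alternative the rule is pointing at. The round trip and the tampering check show the practical difference: an unauthenticated mode decrypts modified ciphertext silently, an authenticated mode rejects it. Class and method names are the example's own.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example, not from the thread. Requires .NET Core 3.0+ / .NET 5+ for AesGcm.
class S4432Example
{
    // Noncompliant shape from the report: AesManaged with an unauthenticated mode.
    // Nothing here detects a modified ciphertext; decryption just yields garbage.
    static byte[] EncryptCbc(byte[] key, byte[] iv, byte[] plaintext)
    {
        using var aes = new AesManaged
        {
            KeySize = 128,
            BlockSize = 128,
            Mode = CipherMode.CBC, // Noncompliant: S4432
            Padding = PaddingMode.PKCS7
        };
        using var encryptor = aes.CreateEncryptor(key, iv);
        return encryptor.TransformFinalBlock(plaintext, 0, plaintext.Length);
    }

    // Assumed compliant alternative: AES-GCM, an authenticated mode.
    // Output layout (this example's own convention): nonce || tag || ciphertext.
    static byte[] EncryptGcm(byte[] key, byte[] plaintext)
    {
        byte[] nonce = new byte[AesGcm.NonceByteSizes.MaxSize]; // 12 bytes
        RandomNumberGenerator.Fill(nonce);                      // never reuse a nonce with the same key
        byte[] tag = new byte[AesGcm.TagByteSizes.MaxSize];     // 16 bytes
        byte[] ciphertext = new byte[plaintext.Length];

        using var gcm = new AesGcm(key);
        gcm.Encrypt(nonce, plaintext, ciphertext, tag);

        byte[] packed = new byte[nonce.Length + tag.Length + ciphertext.Length];
        Buffer.BlockCopy(nonce, 0, packed, 0, nonce.Length);
        Buffer.BlockCopy(tag, 0, packed, nonce.Length, tag.Length);
        Buffer.BlockCopy(ciphertext, 0, packed, nonce.Length + tag.Length, ciphertext.Length);
        return packed;
    }

    // Throws CryptographicException when the tag does not match the ciphertext.
    static byte[] DecryptGcm(byte[] key, byte[] packed)
    {
        int nonceLen = AesGcm.NonceByteSizes.MaxSize;
        int tagLen = AesGcm.TagByteSizes.MaxSize;
        byte[] nonce = new byte[nonceLen];
        byte[] tag = new byte[tagLen];
        byte[] ciphertext = new byte[packed.Length - nonceLen - tagLen];
        Buffer.BlockCopy(packed, 0, nonce, 0, nonceLen);
        Buffer.BlockCopy(packed, nonceLen, tag, 0, tagLen);
        Buffer.BlockCopy(packed, nonceLen + tagLen, ciphertext, 0, ciphertext.Length);

        byte[] plaintext = new byte[ciphertext.Length];
        using var gcm = new AesGcm(key);
        gcm.Decrypt(nonce, ciphertext, tag, plaintext);
        return plaintext;
    }

    static void Main()
    {
        byte[] key = new byte[16]; // AES-128 key, generated here for the demo
        RandomNumberGenerator.Fill(key);
        byte[] plaintext = Encoding.UTF8.GetBytes("constructed sample message"); // constructed input

        // Unauthenticated path: ciphertext carries no integrity information at all.
        byte[] iv = new byte[16];
        RandomNumberGenerator.Fill(iv);
        byte[] cbc = EncryptCbc(key, iv, plaintext);
        Console.WriteLine($"CBC: {cbc.Length} bytes of ciphertext, no authentication tag");

        // Authenticated path: round trip succeeds, a single flipped byte is rejected.
        byte[] packed = EncryptGcm(key, plaintext);
        Console.WriteLine($"GCM round trip: {Encoding.UTF8.GetString(DecryptGcm(key, packed))}");

        packed[packed.Length - 1] ^= 0x01; // simulate a corrupted or modified ciphertext byte
        try
        {
            DecryptGcm(key, packed);
            Console.WriteLine("GCM: unexpected success");
        }
        catch (CryptographicException)
        {
            Console.WriteLine("GCM: tampering detected, authentication tag mismatch");
        }
    }
}
```

Compile it as a console project targeting .NET 5 or later; on .NET 6+ the compiler also warns that AesManaged itself is obsolete, which is a useful second signal alongside S4432 when reviewing this code.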


(Amaury Levé) #2

Hi @Shay,

I have tried a simple console application with the following code:

using System;
using System.Security.Cryptography;

namespace ConsoleApp2
{
    class Program
    {
        static void Main(string[] args)
        {
            AesManaged aes = new AesManaged
            {
                KeySize = 128,
                BlockSize = 128,
                Mode = CipherMode.OFB, // Noncompliant
                Padding = PaddingMode.PKCS7
            };
        }
    }
}

and I have been successful in having the issue raised.

Could you ensure the rule is correctly active in the quality profile bound to your project? Can you see the warning in the msbuild logs? You can also check that in the .sonarqube/conf the ruleset does contain the rule with the severity warning.

Cheers,
Amaury