The C# and VB.NET analyzers detect cryptography-related security issues

Hello .NET developers,

After C, C++, JavaScript, TypeScript and Java, the C# and VB.NET analyzers were upgraded to be able to detect cryptography-related security issues.

You are no longer alone when implementing code that deals with cryptography APIs, and I hope you will feel more confident jumping into this complex area thanks to these 5 rules:

  • S3329: Cipher Block Chaining IV’s should be random and unique (Critical)
  • S2257: Using non-standard cryptographic algorithms is security-sensitive (Critical)
  • S2053: Hashes should include an unpredictable salt (Critical)
  • S5332: Using clear-text protocols is security-sensitive (Critical)
  • S4423: Weak SSL and TLS protocols should not be used (Major)

As usual, a couple of fixes were also provided; more details are available in the Release Notes.

These changes are available now on SonarCloud, and will be included in SonarQube 8.7.

Alex
