chilakala
October 25, 2021, 8:08am
1
Template for a good bug report, formatted with Markdown :
versions used : SonarQube Community Edition Version 8.9.1 (build 44547)
error observed : We have analyzed our JS code in SonarQube. After analysis, sonarqube is flagging for medium hotspot alert for new SHA256(secret)). Not sure why we are getting alert for this.
export const cryptography = { hash: (text: string) => { const hash = createHash('sha256'); hash.update(text); return hash.digest('hex'); },
potential workaround
opened 01:18PM - 20 May 20 UTC
closed 04:59PM - 14 Jan 21 UTC
Type: Improvement
Area: VB.NET
Area: C#
Area: Security
For hashing algorithms, several rules exist, in particular these two:
- A secur… ity-hotspot: https://jira.sonarsource.com/browse/RSPEC-4790
- That supersedes this vulnerability: https://jira.sonarsource.com/browse/RSPEC-2070
It's not possible to maintain two rules on exactly the same subject, for us and the end users, so:
- S2070 will be deprecated
- the content/implementation of S2070 is more relevant than S4790 because S4790 raises everywhere a hash function is used (even when secure hash function, like SHA-256 is used) and S2070 raises only when a weak hash function is used (like MD5)
- so the content/implementation of S2070 should "be moved" to S4790 (the key of the rule should be updated in Sonar-dotnet), because the type of issue (hotspot) is more relevant
chilakala
October 25, 2021, 9:59am
2
@eric.therond I did see another post you have replied earlier. Could you please help.
Must-share information (formatted with Markdown ):
which versions are you using- 8.6
We have analyze our project in SonarQube. After analysis, sonarqube is flagging for medium hotspot alert for new HMACSHA256(secret)). Not sure why we are getting alert for this.
var secret = Encoding.UTF8.GetBytes(fmsSecret);
using (var hasher = new HMACSHA256(secret))
As per recommendation, SHA256 are safer alternative. Not sure why this is being highlighted and how to fix it.
Reg…
ganncamp
October 26, 2021, 4:04pm
3
Hi,
Welcome to the community!
Please don’t invoke (@) people who aren’t already involved in your thread.
Regarding your question:
Did you read the accompanying documentation in the interface?