chilakala
(Goutham kumar)
October 25, 2021, 8:08am
1
Template for a good bug report, formatted with Markdown:
versions used: SonarQube Community Edition Version 8.9.1 (build 44547)
error observed: We have analyzed our JS code in SonarQube. After analysis, SonarQube is flagging a medium hotspot alert for `new SHA256(secret)`. Not sure why we are getting an alert for this.

```ts
import { createHash } from 'node:crypto';

export const cryptography = {
  hash: (text: string) => {
    const hash = createHash('sha256'); // the line SonarQube reports as a security hotspot
    hash.update(text);
    return hash.digest('hex');
  },
};
```
potential workaround:
I see a GitHub issue for this, and it is closed now.
It mentions that this has been fixed in a newer version of SonarQube. We are using the latest LTS, 8.9.1, so I am not sure why we are still getting this flagged.
opened 01:18PM - 20 May 20 UTC
closed 04:59PM - 14 Jan 21 UTC
Type: Improvement
Area: VB.NET
Area: C#
Area: Security
For hashing algorithms, several rules exist, in particular these two:
- A security hotspot: https://jira.sonarsource.com/browse/RSPEC-4790
- That supersedes this vulnerability: https://jira.sonarsource.com/browse/RSPEC-2070
It's not possible to maintain two rules on exactly the same subject, for us and the end users, so:
- S2070 will be deprecated
- the content/implementation of S2070 is more relevant than S4790, because S4790 raises everywhere a hash function is used (even when a secure hash function, like SHA-256, is used) and S2070 raises only when a weak hash function is used (like MD5)
- so the content/implementation of S2070 should "be moved" to S4790 (the key of the rule should be updated in sonar-dotnet), because the type of issue (hotspot) is more relevant
chilakala
(Goutham kumar)
October 25, 2021, 9:59am
2
@eric.therond I did see another post you replied to earlier. Could you please help?
Must-share information (formatted with Markdown):
which versions are you using - 8.6
We have analyzed our project in SonarQube. After analysis, SonarQube is flagging a medium hotspot alert for `new HMACSHA256(secret)`. Not sure why we are getting an alert for this.

```csharp
using System.Security.Cryptography;
using System.Text;

var secret = Encoding.UTF8.GetBytes(fmsSecret);   // fmsSecret: the secret string from our config
using (var hasher = new HMACSHA256(secret))       // the line SonarQube reports as a security hotspot
{
    var mac = hasher.ComputeHash(Encoding.UTF8.GetBytes(message)); // message: the payload being signed
}
```

As per the recommendation, SHA256 is a safer alternative. Not sure why this is being highlighted or how to fix it.
Reg…
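What the two posts above have in common is that S4790 is a security hotspot, not a vulnerability: per the quoted GitHub issue it fires on every hash-function call, including SHA-256 and HMAC-SHA256, and it is the reviewer's job to decide whether that particular call is safe for what it protects. The example below is added here and is not code from either post, from SonarSource, or from the S4790 rule text; it assumes Node's built-in `node:crypto` module, and the scrypt parameters, the `$`-separated storage format and all sample inputs are choices made for this illustration. It puts the three common reasons a hash shows up side by side: an unkeyed SHA-256 over public data (the first post's `createHash('sha256')`), a keyed HMAC-SHA256 with constant-time verification (the second post's `HMACSHA256(secret)`), and the one case a reviewer should push back on, a fast unsalted hash over a user-chosen secret, next to a salted, memory-hard KDF.

```typescript
// Added example (not from the thread): three uses of SHA-256 a hotspot review will meet,
// so the question "what is this hash protecting?" can be answered for each.
// Assumes Node's node:crypto; all inputs and the storage format are constructed here.
import { createHash, createHmac, scryptSync, randomBytes, timingSafeEqual } from 'node:crypto';

// 1. Integrity / identifiers: an unkeyed SHA-256 over non-secret data is fine.
export function sha256Hex(text: string): string {
  return createHash('sha256').update(text).digest('hex');
}

// 2. Authentication: a keyed HMAC-SHA256 over a message with a shared secret.
//    The secret must come from config, never from the user, and verification
//    must be constant-time so the comparison does not leak the tag byte by byte.
export function hmacSha256Hex(secret: string, message: string): string {
  return createHmac('sha256', Buffer.from(secret, 'utf8')).update(message).digest('hex');
}

export function verifyHmac(secret: string, message: string, tagHex: string): boolean {
  const expected = Buffer.from(hmacSha256Hex(secret, message), 'hex');
  const given = Buffer.from(tagHex, 'hex');
  // timingSafeEqual throws on length mismatch, so check length first.
  return given.length === expected.length && timingSafeEqual(given, expected);
}

// 3. Password storage: a plain SHA-256 of a password is the case to reject in review.
//    A salted, memory-hard KDF makes each guess expensive; scrypt is built into Node.
//    Parameters chosen for this example (N=2^14, r=8, p=1 needs 16 MiB per hash).
const SCRYPT_KEYLEN = 32;
const SCRYPT_OPTS = { N: 16384, r: 8, p: 1 };

export function hashPassword(password: string, salt: Buffer = randomBytes(16)): string {
  const key = scryptSync(password, salt, SCRYPT_KEYLEN, SCRYPT_OPTS);
  return `${salt.toString('hex')}$${key.toString('hex')}`; // "<salt>$<key>", a format chosen here
}

export function verifyPassword(password: string, stored: string): boolean {
  const [saltHex, keyHex] = stored.split('$');
  const expected = Buffer.from(keyHex, 'hex');
  const key = scryptSync(password, Buffer.from(saltHex, 'hex'), expected.length, SCRYPT_OPTS);
  return timingSafeEqual(key, expected);
}

// Why case 3 matters: with no salt and a fast hash, a dictionary of guesses
// recovers the password as quickly as the hashes can be computed.
export function crackSha256(targetHex: string, guesses: string[]): string | undefined {
  return guesses.find((guess) => sha256Hex(guess) === targetHex);
}
```

Reviewing the hotspot then comes down to which of the three cases the flagged line is: cases 1 and 2 can be marked safe with that reasoning recorded, while case 3 is the one where "SHA-256 is a safer alternative" does not apply, because the problem is speed and the lack of a salt rather than the strength of the digest.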
ganncamp
(G Ann Campbell)
October 26, 2021, 4:04pm
3
Hi,
Welcome to the community!
Please don't invoke (@) people who aren't already involved in your thread.
Regarding your question:
Did you read the accompanying documentation in the interface?
Ann