Improve S2053: Support Rfc2898DeriveBytes.Pbkdf2 method #7572

Open
zsolt-kolbay-sonarsource opened this issue Jul 11, 2023 · 0 comments
Labels
Area: C# C# rules related issues. Area: CFG/SE CFG and SE related issues. Area: Security Related to Vulnerability and Security Hotspot rules Area: VB.NET VB.NET rules related issues. Type: False Negative Rule is NOT triggered when it should be.

zsolt-kolbay-sonarsource (Contributor) commented Jul 11, 2023

The current implementation of S2053 supports the following methods:

  • Rfc2898DeriveBytes constructor
  • PasswordDeriveBytes constructor

In .NET 6, the static Rfc2898DeriveBytes.Pbkdf2 method was introduced, which also takes a salt value as a parameter.
Add support for validating this method call with the Roslyn implementation of S2053 (for both C# and VB.NET).
Add support for the Span<Byte> and ReadOnlySpan<Byte> types.
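
The call shapes this issue refers to, as an added example that is not part of the original issue or of the sonar-dotnet code base: the static `Rfc2898DeriveBytes.Pbkdf2` method called with a predictable salt and with a random one, through both the `byte[]` and the span overloads. The class and method names, the iteration count, and the salt and key sizes are assumptions made for the example; which of these calls the analyzer reports depends on its implementation.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

public static class Pbkdf2SaltShapes // hypothetical name, for illustration only
{
    private const int Iterations = 600_000; // constructed values for this example
    private const int SaltSize = 16;        // 128-bit salt
    private const int KeySize = 32;

    // Predictable: constant salt passed to the byte[] overload.
    public static byte[] ConstantSaltArray(string password)
    {
        byte[] salt = Encoding.UTF8.GetBytes("constructed-static-salt");
        return Rfc2898DeriveBytes.Pbkdf2(password, salt, Iterations, HashAlgorithmName.SHA256, KeySize);
    }

    // Predictable: the same defect through the span overload (all-zero buffer, never filled).
    public static byte[] ConstantSaltSpan(string password)
    {
        Span<byte> salt = stackalloc byte[SaltSize];
        return Rfc2898DeriveBytes.Pbkdf2(password.AsSpan(), salt, Iterations, HashAlgorithmName.SHA256, KeySize);
    }

    // Unpredictable: fresh CSPRNG salt per password, stored next to the hash.
    public static (byte[] Salt, byte[] Hash) RandomSaltArray(string password)
    {
        byte[] salt = RandomNumberGenerator.GetBytes(SaltSize);
        return (salt, Rfc2898DeriveBytes.Pbkdf2(password, salt, Iterations, HashAlgorithmName.SHA256, KeySize));
    }

    // Unpredictable: span overload writing into a caller-supplied destination.
    public static (byte[] Salt, byte[] Hash) RandomSaltSpan(string password)
    {
        Span<byte> salt = stackalloc byte[SaltSize];
        RandomNumberGenerator.Fill(salt);
        Span<byte> hash = stackalloc byte[KeySize];
        Rfc2898DeriveBytes.Pbkdf2(password.AsSpan(), salt, hash, Iterations, HashAlgorithmName.SHA256);
        return (salt.ToArray(), hash.ToArray());
    }

    public static void Main()
    {
        // With a constant salt, equal passwords produce equal hashes; with random salts they do not.
        Console.WriteLine(CryptographicOperations.FixedTimeEquals(ConstantSaltArray("pw"), ConstantSaltArray("pw")));
        Console.WriteLine(CryptographicOperations.FixedTimeEquals(RandomSaltSpan("pw").Hash, RandomSaltSpan("pw").Hash));
    }
}
```

The span cases matter for the rule because the salt never exists as a `byte[]` variable there; it reaches `Pbkdf2` as a `Span<byte>` that is implicitly converted to `ReadOnlySpan<byte>`.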

@zsolt-kolbay-sonarsource zsolt-kolbay-sonarsource added Type: Improvement Area: CFG/SE CFG and SE related issues. Area: VB.NET VB.NET rules related issues. Area: C# C# rules related issues. Area: Security Related to Vulnerability and Security Hotspot rules Sprint: SE Short-lived* label for epic MMF-3077 *troll labels Jul 11, 2023
@Tim-Pohlmann Tim-Pohlmann added this to the 9.6 milestone Jul 11, 2023
@zsolt-kolbay-sonarsource zsolt-kolbay-sonarsource moved this from To do to In progress in Best Kanban Jul 21, 2023
@zsolt-kolbay-sonarsource zsolt-kolbay-sonarsource modified the milestones: 9.6, 9.7 Jul 25, 2023
@martin-strecker-sonarsource martin-strecker-sonarsource modified the milestones: 9.7, 9.8 Aug 4, 2023
@zsolt-kolbay-sonarsource zsolt-kolbay-sonarsource moved this from In progress to To do in Best Kanban Aug 7, 2023
@mary-georgiou-sonarsource mary-georgiou-sonarsource modified the milestones: 9.8, 9.9 Aug 18, 2023
@Tim-Pohlmann Tim-Pohlmann removed the Sprint: SE Short-lived* label for epic MMF-3077 *troll label Aug 22, 2023
@Tim-Pohlmann Tim-Pohlmann removed this from the 9.9 milestone Aug 22, 2023
@Tim-Pohlmann Tim-Pohlmann removed this from To do in Best Kanban Aug 22, 2023
@zsolt-kolbay-sonarsource zsolt-kolbay-sonarsource removed their assignment Mar 19, 2024
@pavel-mikula-sonarsource pavel-mikula-sonarsource added Type: False Negative Rule is NOT triggered when it should be. and removed Type: Improvement labels Jun 13, 2024
5 participants