Create rule S5344: Passwords should not be stored in plain-text or with a fast hashing algorithm (Part 2) #9287
@costin-zaharia-sonarsource all of the code smells are magic numbers.
Let me know if you agree and I will take care of them.
@costin-zaharia-sonarsource The second commit is the review from the previous PR.
x.IterationCount = 1; // Noncompliant {{Use at least 100,000 iterations here.}}
//  ^^^^^^^^^^^^^^^^
I think a compliant example is missing with setting the IterationCount property to a safe value.
LGTM! 🎉
Please see that there are a few minor comments to handle before merging.
Quality Gate passed for 'Sonar .NET Java Plugin'
Quality Gate passed for 'SonarAnalyzer for .NET'
Part of #8998

Whatever is checked is implemented in this PR:

- PasswordHasherOptions.IterationCount < 100K (Core)
- PasswordHasherOptions.CompatibilityMode == IdentityV2 (Core)
- KeyDerivation.Pbkdf2.iterationCount < 100K (Core)
- Rfc2898DeriveBytes.Pbkdf2.iterations < 100K (Core)
- PasswordHasher instantiated (FRM)
- Rfc2898DeriveBytes.iterations < 100K (cross-platform)
- Rfc2898DeriveBytes.hashAlgorithm does not exist (cross-platform)
- (OpenBsdCrypt/BCrypt).Generate.cost < 12 (BouncyCastle)
- PbeParametersGenerator.Init.iterationCount < 100K (BouncyCastle)
- SCrypt.Generate N < 2^12, r < 8, or dklen < 32 (BouncyCastle)
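The following is an added example, not code from this PR or from the sonar-dotnet repository. It shows, side by side, the configurations the checklist above says the rule flags and the corresponding settings that would satisfy it, including the compliant `IterationCount` case the reviewer asked for. It assumes a .NET 6 or later project referencing the `Microsoft.AspNetCore.Identity`, `Microsoft.AspNetCore.Cryptography.KeyDerivation` and `BouncyCastle.Cryptography` packages; the BouncyCastle class is spelled `OpenBsdBCrypt` in that package, which I take to be what the checklist's "OpenBsdCrypt/BCrypt" refers to. The `PasswordHasher instantiated (FRM)` check (the .NET Framework `Microsoft.AspNet.Identity.PasswordHasher`) is not shown. The 100,000-iteration threshold, cost 12 and the scrypt bounds are the values from the checklist, not independently derived.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using Microsoft.AspNetCore.Cryptography.KeyDerivation;
using Microsoft.AspNetCore.Identity;
using Org.BouncyCastle.Crypto.Generators;

// Added illustration of the S5344 checks listed in the PR description.
// "Noncompliant" / "Compliant" comments mirror the Sonar test-fixture convention.
public static class PasswordStorageExamples
{
    // 1. ASP.NET Core Identity: PasswordHasherOptions
    public static PasswordHasherOptions NoncompliantOptions() => new PasswordHasherOptions
    {
        IterationCount = 1,                                            // Noncompliant: < 100,000
        CompatibilityMode = PasswordHasherCompatibilityMode.IdentityV2 // Noncompliant: V2 format (PBKDF2-HMAC-SHA1, 1,000 iterations)
    };

    public static PasswordHasherOptions CompliantOptions() => new PasswordHasherOptions
    {
        IterationCount = 100_000,                                      // Compliant: meets the threshold
        CompatibilityMode = PasswordHasherCompatibilityMode.IdentityV3
    };

    // 2. KeyDerivation.Pbkdf2 (Microsoft.AspNetCore.Cryptography.KeyDerivation)
    public static byte[] NoncompliantKeyDerivation(string password, byte[] salt) =>
        KeyDerivation.Pbkdf2(password, salt, KeyDerivationPrf.HMACSHA256, 1_000, 32); // Noncompliant: iterationCount < 100,000

    public static byte[] CompliantKeyDerivation(string password, byte[] salt) =>
        KeyDerivation.Pbkdf2(password, salt, KeyDerivationPrf.HMACSHA256, 100_000, 32);

    // 3. Rfc2898DeriveBytes instance API (cross-platform)
    public static byte[] NoncompliantRfc2898(string password, byte[] salt)
    {
        // Noncompliant: no hashAlgorithm argument (defaults to SHA-1) and the default 1,000 iterations.
        using var kdf = new Rfc2898DeriveBytes(password, salt);
        return kdf.GetBytes(32);
    }

    public static byte[] CompliantRfc2898(string password, byte[] salt)
    {
        using var kdf = new Rfc2898DeriveBytes(password, salt, 100_000, HashAlgorithmName.SHA256);
        return kdf.GetBytes(32);
    }

    // 4. Static Rfc2898DeriveBytes.Pbkdf2 (.NET 6+)
    public static byte[] NoncompliantStaticPbkdf2(string password, byte[] salt) =>
        Rfc2898DeriveBytes.Pbkdf2(password, salt, 10_000, HashAlgorithmName.SHA256, 32); // Noncompliant: iterations < 100,000

    public static byte[] CompliantStaticPbkdf2(string password, byte[] salt) =>
        Rfc2898DeriveBytes.Pbkdf2(password, salt, 100_000, HashAlgorithmName.SHA256, 32);

    // 5. BouncyCastle scrypt: flagged when N < 2^12, r < 8 or dkLen < 32
    public static byte[] NoncompliantScrypt(byte[] password, byte[] salt) =>
        SCrypt.Generate(password, salt, 1024, 1, 1, 16); // Noncompliant on all three parameters

    public static byte[] CompliantScrypt(byte[] password, byte[] salt) =>
        SCrypt.Generate(password, salt, 1 << 14, 8, 1, 32);

    // 6. BouncyCastle bcrypt: flagged when cost < 12 (salt must be 16 bytes)
    public static string NoncompliantBcrypt(char[] password, byte[] salt16) =>
        OpenBsdBCrypt.Generate(password, salt16, 4); // Noncompliant: cost < 12

    public static string CompliantBcrypt(char[] password, byte[] salt16) =>
        OpenBsdBCrypt.Generate(password, salt16, 12);

    public static void Main()
    {
        // Constructed demo input; a real salt is per user and stored next to the hash.
        var password = "correct horse battery staple";
        var salt = RandomNumberGenerator.GetBytes(16);

        Console.WriteLine(Convert.ToHexString(CompliantRfc2898(password, salt)));
        Console.WriteLine(Convert.ToHexString(CompliantStaticPbkdf2(password, salt)));
        Console.WriteLine(Convert.ToHexString(CompliantKeyDerivation(password, salt)));
        Console.WriteLine(Convert.ToHexString(CompliantScrypt(Encoding.UTF8.GetBytes(password), salt)));
        Console.WriteLine(CompliantBcrypt(password.ToCharArray(), salt));
    }
}
```

Two practical notes. The `Rfc2898DeriveBytes` constructors that omit `HashAlgorithmName` are marked obsolete in current .NET precisely because they silently select SHA-1, so the "hashAlgorithm does not exist" check in the list lines up with the platform's own deprecation. And the three PBKDF2 APIs here all produce the same bytes for the same (password, salt, iterations, PRF, length) tuple, so moving from one to another is a mechanical change; the rule's point is the iteration count and PRF, not which wrapper is called.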