@RasmusWL RasmusWL commented Sep 7, 2021

Since this targets

CWE-326 Inadequate Encryption Strength

> The software stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.
> - https://cwe.mitre.org/data/definitions/326.html

and not

CWE-327: Use of a Broken or Risky Cryptographic Algorithm

> The use of a broken or risky cryptographic algorithm is an unnecessary risk that may result in the exposure of sensitive information.
> - https://cwe.mitre.org/data/definitions/327.html

This matches what we do for a similar query in Python: https://github.com/github/codeql/blob/main/python/ql/src/Security/CWE-326/WeakCryptoKey.ql

@RasmusWL RasmusWL requested a review from a team as a code owner September 7, 2021 10:59
@github-actions github-actions bot added the C# label Sep 7, 2021

RasmusWL commented Sep 7, 2021

I don't think this requires a change-note, but let me know if you would like one 😊

@RasmusWL RasmusWL added the no-change-note-required This PR does not need a change note label Sep 7, 2021

@hvitved hvitved left a comment

Thanks Rasmus!

@RasmusWL RasmusWL merged commit 995a819 into main Sep 7, 2021
@RasmusWL RasmusWL deleted the RasmusWL/fix-csharp-cwe-tag branch September 7, 2021 13:54