diff --git a/src/Microsoft.CodeAnalysis.FxCopAnalyzers/Microsoft.CodeAnalysis.FxCopAnalyzers.md b/src/Microsoft.CodeAnalysis.FxCopAnalyzers/Microsoft.CodeAnalysis.FxCopAnalyzers.md
index 0b1a2c14cd..d302fca025 100644
--- a/src/Microsoft.CodeAnalysis.FxCopAnalyzers/Microsoft.CodeAnalysis.FxCopAnalyzers.md
+++ b/src/Microsoft.CodeAnalysis.FxCopAnalyzers/Microsoft.CodeAnalysis.FxCopAnalyzers.md
@@ -186,4 +186,5 @@ Sr. No. | Rule ID | Title | Category | Enabled | CodeFix | Description |
 183 | CA5387 | Do Not Use Weak Key Derivation Function With Insufficient Iteration Count | Security | False | False | When deriving cryptographic keys from user-provided inputs such as password, use sufficient iteration count (at least 100k). |
 184 | CA5388 | Ensure Sufficient Iteration Count When Using Weak Key Derivation Function | Security | False | False | When deriving cryptographic keys from user-provided inputs such as password, use sufficient iteration count (at least 100k). |
 185 | CA5389 | Do Not Add Archive Item's Path To The Target File System Path | Security | True | False | When extracting files from an archive and using the archive item's path, check if the path is safe. Archive path can be relative and can lead to file system access outside of the expected file system target path, leading to malicious config changes and remote code execution via lay-and-wait technique. |
-186 | CA9999 | Analyzer version mismatch | Reliability | True | False | Analyzers in this package require a certain minimum version of Microsoft.CodeAnalysis to execute correctly. Refer to https://docs.microsoft.com/visualstudio/code-quality/install-fxcop-analyzers#fxcopanalyzers-package-versions to install the correct analyzer version. |
+186 | CA5390 | Do Not Hard Code Encryption Key | Security | True | False | SymmetricAlgorithm's .Key property, or a method's rgbKey parameter, should never be a hardcoded value. |
+187 | CA9999 | Analyzer version mismatch | Reliability | True | False | Analyzers in this package require a certain minimum version of Microsoft.CodeAnalysis to execute correctly. Refer to https://docs.microsoft.com/visualstudio/code-quality/install-fxcop-analyzers#fxcopanalyzers-package-versions to install the correct analyzer version. |
diff --git a/src/Microsoft.CodeAnalysis.FxCopAnalyzers/Microsoft.CodeAnalysis.FxCopAnalyzers.sarif b/src/Microsoft.CodeAnalysis.FxCopAnalyzers/Microsoft.CodeAnalysis.FxCopAnalyzers.sarif
index c37004ffe3..9b1d21db17 100644
--- a/src/Microsoft.CodeAnalysis.FxCopAnalyzers/Microsoft.CodeAnalysis.FxCopAnalyzers.sarif
+++ b/src/Microsoft.CodeAnalysis.FxCopAnalyzers/Microsoft.CodeAnalysis.FxCopAnalyzers.sarif
@@ -2471,6 +2471,10 @@
 "languages": [
 "C#",
 "Visual Basic"
+ ],
+ "tags": [
+ "Dataflow",
+ "Telemetry"
 ]
 }
 },
@@ -2487,6 +2491,10 @@
 "languages": [
 "C#",
 "Visual Basic"
+ ],
+ "tags": [
+ "Dataflow",
+ "Telemetry"
 ]
 }
 },
@@ -2535,6 +2543,10 @@
 "languages": [
 "C#",
 "Visual Basic"
+ ],
+ "tags": [
+ "Dataflow",
+ "Telemetry"
 ]
 }
 },
@@ -2551,6 +2563,10 @@
 "languages": [
 "C#",
 "Visual Basic"
+ ],
+ "tags": [
+ "Dataflow",
+ "Telemetry"
 ]
 }
 },
@@ -2583,6 +2599,10 @@
 "languages": [
 "C#",
 "Visual Basic"
+ ],
+ "tags": [
+ "Dataflow",
+ "Telemetry"
 ]
 }
 },
@@ -2599,6 +2619,10 @@
 "languages": [
 "C#",
 "Visual Basic"
+ ],
+ "tags": [
+ "Dataflow",
+ "Telemetry"
 ]
 }
 },
@@ -2629,6 +2653,10 @@
 "languages": [
 "C#",
 "Visual Basic"
+ ],
+ "tags": [
+ "Dataflow",
+ "Telemetry"
 ]
 }
 },
@@ -2644,6 +2672,10 @@
 "languages": [
 "C#",
 "Visual Basic"
+ ],
+ "tags": [
+ "Dataflow",
+ "Telemetry"
 ]
 }
 },
@@ -3388,7 +3420,6 @@
 "Visual Basic"
 ],
 "tags": [
- "Dataflow",
 "Telemetry"
 ]
 }
@@ -3407,7 +3438,6 @@
 "Visual Basic"
 ],
 "tags": [
- "Dataflow",
 "Telemetry"
 ]
 }
@@ -3487,6 +3517,25 @@
 "Telemetry"
 ]
 }
+ },
+ "CA5390": {
+ "id": "CA5390",
+ "shortDescription": "Do Not Hard Code Encryption Key",
+ "fullDescription": "SymmetricAlgorithm's .Key property, or a method's rgbKey parameter, should never be a hardcoded value.",
+ "defaultLevel": "warning",
+ "properties": {
+ "category": "Security",
+ "isEnabledByDefault": true,
+ "typeName": "DoNotHardCodeEncryptionKey",
+ "languages": [
+ "C#",
+ "Visual Basic"
+ ],
+ "tags": [
+ "Dataflow",
+ "Telemetry"
+ ]
+ }
 }
 }
 },
diff --git a/src/Microsoft.NetCore.Analyzers/Microsoft.NetCore.Analyzers.md b/src/Microsoft.NetCore.Analyzers/Microsoft.NetCore.Analyzers.md
index 5aa5a68096..24e1c942aa 100644
--- a/src/Microsoft.NetCore.Analyzers/Microsoft.NetCore.Analyzers.md
+++ b/src/Microsoft.NetCore.Analyzers/Microsoft.NetCore.Analyzers.md
@@ -93,3 +93,4 @@ Sr. No. | Rule ID | Title | Category | Enabled | CodeFix | Description |
 90 | CA5387 | Do Not Use Weak Key Derivation Function With Insufficient Iteration Count | Security | False | False | When deriving cryptographic keys from user-provided inputs such as password, use sufficient iteration count (at least 100k). |
 91 | CA5388 | Ensure Sufficient Iteration Count When Using Weak Key Derivation Function | Security | False | False | When deriving cryptographic keys from user-provided inputs such as password, use sufficient iteration count (at least 100k). |
 92 | CA5389 | Do Not Add Archive Item's Path To The Target File System Path | Security | True | False | When extracting files from an archive and using the archive item's path, check if the path is safe. Archive path can be relative and can lead to file system access outside of the expected file system target path, leading to malicious config changes and remote code execution via lay-and-wait technique. |
+93 | CA5390 | Do Not Hard Code Encryption Key | Security | True | False | SymmetricAlgorithm's .Key property, or a method's rgbKey parameter, should never be a hardcoded value. |
diff --git a/src/Microsoft.NetCore.Analyzers/Microsoft.NetCore.Analyzers.sarif b/src/Microsoft.NetCore.Analyzers/Microsoft.NetCore.Analyzers.sarif
index b8558b998c..2c5c2ab893 100644
--- a/src/Microsoft.NetCore.Analyzers/Microsoft.NetCore.Analyzers.sarif
+++ b/src/Microsoft.NetCore.Analyzers/Microsoft.NetCore.Analyzers.sarif
@@ -536,6 +536,10 @@
 "languages": [
 "C#",
 "Visual Basic"
+ ],
+ "tags": [
+ "Dataflow",
+ "Telemetry"
 ]
 }
 },
@@ -552,6 +556,10 @@
 "languages": [
 "C#",
 "Visual Basic"
+ ],
+ "tags": [
+ "Dataflow",
+ "Telemetry"
 ]
 }
 },
@@ -600,6 +608,10 @@
 "languages": [
 "C#",
 "Visual Basic"
+ ],
+ "tags": [
+ "Dataflow",
+ "Telemetry"
 ]
 }
 },
@@ -616,6 +628,10 @@
 "languages": [
 "C#",
 "Visual Basic"
+ ],
+ "tags": [
+ "Dataflow",
+ "Telemetry"
 ]
 }
 },
@@ -648,6 +664,10 @@
 "languages": [
 "C#",
 "Visual Basic"
+ ],
+ "tags": [
+ "Dataflow",
+ "Telemetry"
 ]
 }
 },
@@ -664,6 +684,10 @@
 "languages": [
 "C#",
 "Visual Basic"
+ ],
+ "tags": [
+ "Dataflow",
+ "Telemetry"
 ]
 }
 },
@@ -694,6 +718,10 @@
 "languages": [
 "C#",
 "Visual Basic"
+ ],
+ "tags": [
+ "Dataflow",
+ "Telemetry"
 ]
 }
 },
@@ -709,6 +737,10 @@
 "languages": [
 "C#",
 "Visual Basic"
+ ],
+ "tags": [
+ "Dataflow",
+ "Telemetry"
 ]
 }
 },
@@ -1453,7 +1485,6 @@
 "Visual Basic"
 ],
 "tags": [
- "Dataflow",
 "Telemetry"
 ]
 }
@@ -1472,7 +1503,6 @@
 "Visual Basic"
 ],
 "tags": [
- "Dataflow",
 "Telemetry"
 ]
 }
@@ -1552,6 +1582,25 @@
 "Telemetry"
 ]
 }
+ },
+ "CA5390": {
+ "id": "CA5390",
+ "shortDescription": "Do Not Hard Code Encryption Key",
+ "fullDescription": "SymmetricAlgorithm's .Key property, or a method's rgbKey parameter, should never be a hardcoded value.",
+ "defaultLevel": "warning",
+ "properties": {
+ "category": "Security",
+ "isEnabledByDefault": true,
+ "typeName": "DoNotHardCodeEncryptionKey",
+ "languages": [
+ "C#",
+ "Visual Basic"
+ ],
+ "tags": [
+ "Dataflow",
+ "Telemetry"
+ ]
+ }
 }
 }
 },