From 7cb5e7ac44642b1facc33898f41f5597f4d86354 Mon Sep 17 00:00:00 2001
From: Costin Zaharia <56015273+costin-zaharia-sonarsource@users.noreply.github.com>
Date: Fri, 15 Mar 2024 13:37:43 +0100
Subject: [PATCH] Update rspec before release (#8931)

---
 analyzers/rspec/cs/S1312.html | 2 ++
 analyzers/rspec/cs/S1312.json | 6 ++++++
 analyzers/rspec/cs/S1696.html | 2 +-
 analyzers/rspec/cs/S2053.html | 15 ++++++++++++-
 analyzers/rspec/cs/S2053.json | 2 +-
 analyzers/rspec/cs/S2629.json | 6 ++++++
 analyzers/rspec/cs/S6664.json | 6 ++++++
 analyzers/rspec/cs/S6667.json | 6 ++++++
 analyzers/rspec/cs/S6668.json | 6 ++++++
 analyzers/rspec/cs/S6669.json | 10 ++++++++-
 analyzers/rspec/cs/S6670.json | 6 ++++++
 analyzers/rspec/cs/S6672.json | 6 ++++++
 analyzers/rspec/cs/S6673.json | 6 ++++++
 analyzers/rspec/cs/S6674.json | 6 ++++++
 analyzers/rspec/cs/S6675.html | 21 ++++++-------------
 analyzers/rspec/cs/S6675.json | 6 ++++++
 analyzers/rspec/cs/S6677.json | 6 ++++++
 analyzers/rspec/cs/S6678.json | 6 ++++++
 analyzers/rspec/cs/S6930.html | 8 +++----
 analyzers/rspec/vbnet/S2053.html | 15 ++++++++++++-
 analyzers/rspec/vbnet/S2053.json | 2 +-
 analyzers/rspec/vbnet/S6930.html | 8 +++----
 .../src/SonarAnalyzer.CSharp/sonarpedia.json | 2 +-
 .../SonarAnalyzer.VisualBasic/sonarpedia.json | 2 +-
 24 files changed, 130 insertions(+), 31 deletions(-)

diff --git a/analyzers/rspec/cs/S1312.html b/analyzers/rspec/cs/S1312.html
index 46a767984a2..9a8b7ff1e66 100644
--- a/analyzers/rspec/cs/S1312.html
+++ b/analyzers/rspec/cs/S1312.html
@@ -18,9 +18,11 @@
public Logger logger;+
private static readonly Logger logger;
diff --git a/analyzers/rspec/cs/S1312.json b/analyzers/rspec/cs/S1312.json
index 5c998c3853e..82c8c50df42 100644
--- a/analyzers/rspec/cs/S1312.json
+++ b/analyzers/rspec/cs/S1312.json
@@ -1,6 +1,12 @@
 {
 "title": "Logger fields should be \"private static readonly\"",
 "type": "CODE_SMELL",
+ "code": {
+ "impacts": {
+ "MAINTAINABILITY": "LOW"
+ },
+ "attribute": "CONVENTIONAL"
+ },
 "status": "ready",
 "remediation": {
 "func": "Constant\/Issue",
diff --git a/analyzers/rspec/cs/S1696.html b/analyzers/rspec/cs/S1696.html
index d1c3f078589..d247b4234f2 100644
--- a/analyzers/rspec/cs/S1696.html
+++ b/analyzers/rspec/cs/S1696.html
@@ -39,6 +39,6 @@
With short salts, the probability of a collision between two users' passwords and salts couple might be low depending on the salt size. The shorter the salt, the higher the collision probability. In any case, using longer, cryptographically secure salt should be preferred.
+To securely store password hashes, it is a recommended to rely on key derivation functions that are computationally intensive. Examples of such +functions are:
+When they are used for password storage, using a secure, random salt is required.
+However, those functions can also be used for other purposes such as master key derivation or password-based pre-shared key generation. In those +cases, the implemented cryptographic protocol might require using a fixed salt to derive keys in a deterministic way. In such cases, using a fixed +salt is safe and accepted.
The following code contains examples of hard-coded salts.
@@ -43,7 +56,7 @@This code ensures that each user’s password has a unique salt value associated with it. It generates a salt randomly and with a length that -provides the required security level. It uses a salt length of at least 16 bytes (128 bits), as recommended by industry standards.
+provides the required security level. It uses a salt length of at least 32 bytes (256 bits), as recommended by industry standards.In the case of the code sample, the class automatically takes care of generating a secure salt if none is specified.
Using Trace.WriteLineIf
with such properties should be avoided since it can lead to misinterpretation and produce confusion.
In particular, Trace.WriteLineIf
may appear as equivalent to the level-specific tracing methods provided by Trace
, such
as Trace.Error
, but it is not.
-public void Method(TraceSwitch traceSwitch) -{ - Trace.WriteIf(traceSwitch.TraceError, "Failed to log in!"); -} --
-public void Method(bool condition) -{ - Trace.WriteIf(condition, "Failed to log in!"); -} -+
The difference is that Trace.WriteLineIf(switch.TraceError, …)
conditionally writes the trace, based on the switch, whereas
+Trace.TraceError
always writes the trace, no matter whether switch.TraceError
is true
or
+false
.
Moreover, unlike Trace.TraceError
, Trace.WriteLineIf(switch.TraceError, …)
would behave like
+Trace.WriteLine(…)
when switch.TraceError
is true
, writing unfiltered to the underlying trace listeners and
+not categorizing the log entry by level, as described more in detail in {rule:csharpsquid:S6670}.
The fix depends on the intent behind the use of TraceSwitch
levels with How to fix it
Code examples
Noncompliant code example
-[Route(@"Something\[controller]")] // Noncompliant: Replace `\` with `/`.
+[Route(@"Something\[controller]")] // Noncompliant: Replace '\' with '/'.
public class HomeController : Controller
{
[HttpGet]
@@ -36,7 +36,7 @@
Noncompliant code example
Compliant solution
-[Route(@"Something/[controller]")] // `\` replaced with `/`
+[Route(@"Something/[controller]")] // '\' replaced with '/'
public class HomeController : Controller
{
[HttpGet]
@@ -47,13 +47,13 @@
Noncompliant code example
app.MapControllerRoute(
name: "default",
- pattern: "{controller=Home}\\{action=Index}"); // Noncompliant: Replace `\` with `/`.
+ pattern: "{controller=Home}\\{action=Index}"); // Noncompliant: Replace '\' with '/'.
Compliant solution
app.MapControllerRoute(
name: "default",
- pattern: "{controller=Home}/{action=Index}"); // `\` replaced with `/`
+ pattern: "{controller=Home}/{action=Index}"); // '\' replaced with '/'
Resources
Documentation
diff --git a/analyzers/rspec/vbnet/S2053.html b/analyzers/rspec/vbnet/S2053.html
index 0c12e1d3739..96412990479 100644
--- a/analyzers/rspec/vbnet/S2053.html
+++ b/analyzers/rspec/vbnet/S2053.html
@@ -19,6 +19,19 @@ What is the potential impact?
of password hashes with identical salt that can then be attacked as explained before.
With short salts, the probability of a collision between two users' passwords and salts couple might be low depending on the salt size. The shorter the salt, the higher the collision probability. In any case, using longer, cryptographically secure salt should be preferred.
+To securely store password hashes, it is a recommended to rely on key derivation functions that are computationally intensive. Examples of such +functions are:
+When they are used for password storage, using a secure, random salt is required.
+However, those functions can also be used for other purposes such as master key derivation or password-based pre-shared key generation. In those +cases, the implemented cryptographic protocol might require using a fixed salt to derive keys in a deterministic way. In such cases, using a fixed +salt is safe and accepted.
The following code contains examples of hard-coded salts.
@@ -41,7 +54,7 @@This code ensures that each user’s password has a unique salt value associated with it. It generates a salt randomly and with a length that -provides the required security level. It uses a salt length of at least 16 bytes (128 bits), as recommended by industry standards.
+provides the required security level. It uses a salt length of at least 32 bytes (256 bits), as recommended by industry standards.In the case of the code sample, the class automatically takes care of generating a secure salt if none is specified.
-<Route("Something\[controller]")> ' Noncompliant: Replace `\` with `/`. +<Route("Something\[controller]")> ' Noncompliant: Replace '\' with '/'. Public Class HomeController Inherits Controller @@ -39,7 +39,7 @@Noncompliant code example
-<Route("Something/[controller]")> ' `\` replaced with `/` +<Route("Something/[controller]")> ' '\' replaced with '/' Public Class HomeController Inherits Controller @@ -53,13 +53,13 @@Noncompliant code example
app.MapControllerRoute( name:="default", - pattern:="{controller=Home}\{action=Index}") ' Noncompliant: Replace `\` with `/`. + pattern:="{controller=Home}\{action=Index}") ' Noncompliant: Replace '\' with '/'.Compliant solution
app.MapControllerRoute( name:="default", - pattern:="{controller=Home}/{action=Index}") ' `\` replaced with `/` + pattern:="{controller=Home}/{action=Index}") ' '\' replaced with '/'Resources
Documentation
diff --git a/analyzers/src/SonarAnalyzer.CSharp/sonarpedia.json b/analyzers/src/SonarAnalyzer.CSharp/sonarpedia.json
index 7f89a06bc06..3b1c51d2b5d 100644
--- a/analyzers/src/SonarAnalyzer.CSharp/sonarpedia.json
+++ b/analyzers/src/SonarAnalyzer.CSharp/sonarpedia.json
@@ -3,7 +3,7 @@
 "languages": [
 "CSH"
 ],
- "latest-update": "2024-02-29T15:53:45.968501800Z",
+ "latest-update": "2024-03-15T12:11:31.487123200Z",
 "options": {
 "no-language-in-filenames": true
 }
diff --git a/analyzers/src/SonarAnalyzer.VisualBasic/sonarpedia.json b/analyzers/src/SonarAnalyzer.VisualBasic/sonarpedia.json
index 45abc8bce5b..274bf247898 100644
--- a/analyzers/src/SonarAnalyzer.VisualBasic/sonarpedia.json
+++ b/analyzers/src/SonarAnalyzer.VisualBasic/sonarpedia.json
@@ -3,7 +3,7 @@
 "languages": [
 "VBNET"
 ],
- "latest-update": "2024-02-29T15:54:07.274928100Z",
+ "latest-update": "2024-03-15T12:11:49.495514500Z",
 "options": {
 "no-language-in-filenames": true
 }