fix: clear the S2955 bug and suppress the deliberate 3DES vulnerabilities#193
fix: clear the S2955 bug and suppress the deliberate 3DES vulnerabilities#193blehnen wants to merge 1 commit into
Conversation
…ties - Guard.NotNull<T>: replace `value == null` (S2955 on an unconstrained generic) with ReferenceEquals(value, null). Behavior-identical — value types box to a non-null reference, a null Nullable<T> boxes to null — but avoids the == operator that trips the rule. No `where T : class` constraint (which cascaded across all callers when tried in #189). - TripleDesMessageInterceptor: SuppressMessage the two S5547 "strong cipher" vulnerabilities. 3DES is intentionally retained (the type is already [Obsolete]) so existing 3DES-encrypted messages stay decryptable; new code uses AesMessageInterceptor. Removing it is not an option, so the finding is accepted with justification in code. Takes the SonarCloud badge to 0 bugs and 0 vulnerabilities. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: Organization UI Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (2)
📝 WalkthroughWalkthroughThis PR adds SuppressMessage attributes to suppress the S5547 security analyzer rule on the TripleDesMessageInterceptor's encryption/decryption methods, justified by backward compatibility needs, and updates Guard.NotNull to use ReferenceEquals instead of the equality operator for null checking. ChangesAnalyzer suppression and Guard null-check update
Estimated code review effort: 1 (Trivial) | ~3 minutes Possibly related PRs
Poem
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches📝 Generate docstrings
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
|
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## master #193 +/- ##
=======================================
Coverage 87.40% 87.40%
=======================================
Files 1023 1023
Lines 33646 33646
Branches 2833 2833
=======================================
+ Hits 29408 29409 +1
+ Misses 3358 3357 -1
Partials 880 880 ☔ View full report in Codecov by Harness. 🚀 New features to boost your workflow:
|



Track 1 of the badge-reduction effort. Takes the public SonarCloud badge to 0 bugs and 0 vulnerabilities.
Bug — S2955 (
Guard.NotNull<T>)value == nullon an unconstrained genericTtrips S2955. Replaced withReferenceEquals(value, null):Tis never "null", as today), and a nullNullable<T>boxes to a null reference (so it still throws). Only genuine null references are caught.==operator the rule flags, without awhere T : classconstraint — that constraint cascaded across every unconstrained-generic caller when it was tried in Sonar Bucket C: reliability bugs + dispose-pattern (S1751/S4586/S3881) #189, so it was reverted then.Vulnerabilities — S5547 ×2 (
TripleDesMessageInterceptor)Both flag the
TripleDES.Create()calls as a weak cipher. This type is already[Obsolete]and retained only so existing 3DES-encrypted messages remain decryptable (new code usesAesMessageInterceptor). Removing 3DES would break decryption of previously-encrypted payloads, so the finding is accepted with justification in code via method-level[SuppressMessage]pointing at the deliberate retention.Verification
TripleDESInterceptorTest3/3 pass (encrypt/decrypt roundtrip, which also exercises theNotNullinput guard).Note: SonarCloud honors inline
[SuppressMessage]for its Roslyn-analyzer rules. If the two S5547 findings don't clear on the next master scan, the fallback is a one-click "Accept" in the SonarCloud UI — but no code change should be needed.🤖 Generated with Claude Code
Summary by CodeRabbit