Fix S4790 FN: New HashData overloads not recognized

[jilles-sg]

Description

Rule S4790 reports the use of obsolete cryptographic hash algorithms such as SHA1. It catches things like HashAlgorithm.Create("SHA1") and SHA1.Create(). However, at least some of the static HashData methods added by .NET 5 are not caught.

Repro steps

using System.Security.Cryptography;

byte[] data = { 1, 2, 3, 4 };
Span<byte> hash = stackalloc byte[20];
SHA1.HashData(data, destination: hash);
Console.WriteLine($"hash[0] = {hash[0]}");

This example doesn't really motivate the use of the span-based overload, but suppose the hash needs to be combined with other data into a larger message.

Expected behavior

Rule S4790 warns about an obsolete hash algorithm.

Actual behavior

No warning.

Known workarounds

• Accept the risk of weak cryptography.
• Accept unnecessary allocations by using hash algorithm objects and arrays containing hashes.

Related information

• C#/VB.NET Plugins version: csharp version 9.19.0.84025
• Visual Studio version: 2022
• MSBuild / dotnet version: .NET 6.0
• SonarScanner for .NET version (if used): SonarScanner for MSBuild 5.14 (.NET Core) with SonarCloud
• Operating System: Windows 10.0.14393

[gregory-paidis-sonarsource]

Hey there! Thanks for reporting this, I confirm it is indeed an FN. I added a reproducer to keep track of it.

[pierre-loup-tristant-sonarsource]

This FN was also reported by a prospect https://discuss.sonarsource.com/t/rspec-2077-rspec-4790-false-negatives/20022