dotnet / crank

Benchmarking infrastructure for applications
MIT License

SDL - Use of banned cryptographic algorithms MD5 and SHA1 in shipping code #717

Closed GrabYourPitchforks closed 5 months ago

GrabYourPitchforks commented 5 months ago

The repo's shipping code makes use of banned cryptographic algorithms MD5 and SHA1. For example:

https://github.com/dotnet/crank/blob/ee7af46701b96864c6cc055b525c681304258cc0/src/Microsoft.Crank.Agent/Startup.cs#L3405

https://github.com/dotnet/crank/blob/ee7af46701b96864c6cc055b525c681304258cc0/src/Microsoft.Crank.Controller/Program.cs#L2238

MD5 and SHA1 are banned in production code even when used for non-cryptographic purposes. Test code is not subject to this requirement.

If cryptographic algorithms are required, use SHA2-256 or greater. If cryptographic algorithms are not required, consider using a non-cryptographic hash algorithm like xxHash3, available via https://www.nuget.org/packages/System.IO.Hashing/8.0.0.
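The two replacements recommended above, side by side with the kind of call the analyzer flags, as an added example (this is not code from the crank repository; the helper names, the `using` block and the sample input are constructed here, and the `XxHash3`/`NonCryptographicHashAlgorithm` calls assume the System.IO.Hashing package referenced in the comment):

```csharp
// Added example, not crank's own code.
// Requires the NuGet package System.IO.Hashing (for XxHash3); SHA256 is in the BCL.
using System;
using System.IO;
using System.IO.Hashing;
using System.Security.Cryptography;
using System.Text;

static class HashExamples
{
    // BEFORE: the pattern the analyzer reports. MD5 is on the banned list even
    // when the result is only used as a cache key or file fingerprint.
    public static string LegacyMd5Fingerprint(byte[] data)
    {
        using var md5 = MD5.Create();
        return Convert.ToHexString(md5.ComputeHash(data));
    }

    // AFTER (cryptographic need): use SHA-256 when the digest must resist
    // collisions or tampering, e.g. verifying a downloaded artifact. 32-byte output.
    public static string Sha256Fingerprint(byte[] data) =>
        Convert.ToHexString(SHA256.HashData(data));

    // AFTER (non-cryptographic need): use XxHash3 when the hash only needs to be
    // fast and well distributed, e.g. naming a local cache directory. 8-byte output.
    public static string XxHash3Fingerprint(byte[] data) =>
        Convert.ToHexString(XxHash3.Hash(data));

    // Streaming variant for large inputs (files), so the whole payload is never
    // buffered in memory. NonCryptographicHashAlgorithm.Append(Stream) does the read loop.
    public static string XxHash3OfStream(Stream stream)
    {
        var hasher = new XxHash3();
        hasher.Append(stream);
        return Convert.ToHexString(hasher.GetCurrentHash());
    }

    static void Main()
    {
        // Constructed sample input; any byte[] (file contents, a job definition) works the same way.
        byte[] sample = Encoding.UTF8.GetBytes("crank job: hello world");

        Console.WriteLine($"MD5    (banned): {LegacyMd5Fingerprint(sample)}");
        Console.WriteLine($"SHA256         : {Sha256Fingerprint(sample)}");
        Console.WriteLine($"XxHash3        : {XxHash3Fingerprint(sample)}");

        using var ms = new MemoryStream(sample);
        Console.WriteLine($"XxHash3 (stream): {XxHash3OfStream(ms)}");
    }
}
```

One practical caveat when swapping the algorithm: the hex string changes length (MD5 gives 32 hex characters, SHA-256 gives 64, XxHash3 gives 16), so anything that persisted the old value, such as a cache directory name or a stored checksum, will no longer match and should be treated as a cache invalidation rather than a silent comparison failure.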

sebastienros commented 5 months ago

Did it show up automatically from a build step verification?

GrabYourPitchforks commented 5 months ago

> Did it show up automatically from a build step verification?

Yes, we're experimenting with new static analyzers.