
Veracode scan identified multiple security flaws

Open bchornii opened this issue 1 year ago • 0 comments

Our team is using the MailKit & MimeKit libraries to send emails, but they in turn depend on Portable.BouncyCastle 1.9.0, which shows up under dependencies as bouncycastle.crypto.dll. A Veracode scan identified several security flaws inside it, and it would be great if you could comment on them: should we treat them as false positives, or is it something you're working on fixing?

3823  medium Likely 73  External Control of File Name or Path 3/13/2023 9:14 AM EDT bouncycastle.crypto.dll void Main(string[]): 18% 1 Path Open None
3826  medium Unlikely 331  Insufficient Entropy 3/13/2023 9:14 AM EDT bouncycastle.crypto.dll void !ctor(int, System.Random): 54% 1 Path Open None
3829  medium Likely 259  Use of Hard-coded Password 3/13/2023 9:14 AM EDT bouncycastle.crypto.dll void !cctor(): 45% 1 Path Open None
3828   medium Unlikely 331  Insufficient Entropy 3/13/2023 9:14 AM EDT bouncycastle.crypto.dll void !ctor(int, int, System.Random): 46% 1 Path Open None
3827  medium Unlikely 331  Insufficient Entropy 3/13/2023 9:14 AM EDT bouncycastle.crypto.dll void !ctor(int, int, System.Random): 20% 1 Path Open None
3824  informational Neutral 404  Improper Resource Shutdown or Release 3/13/2023 9:14 AM EDT bouncycastle.crypto.dll void !ctor(Cms.CmsSignedData): 34% 1 Path Open None
3825  informational Neutral 404  Improper Resource Shutdown or Release 3/13/2023 9:14 AM EDT bouncycastle.crypto.dll void Encode(System.IO.Stream): 16% 1 Path Open None
3830  informational Neutral 404  Improper Resource Shutdown or Release 3/13/2023 9:14 AM EDT bouncycastle.crypto.dll Builder SetServerExtensions(System.Collections.IDictionary): 43% 1 Path Open None
3831   informational Neutral 404  Improper Resource Shutdown or Release 3/13/2023 9:14 AM EDT bouncycastle.crypto.dll void HandleHandshakeMessage(short, HandshakeMessageInput): 40% 1 Path Open None
3832  informational Neutral 404  Improper Resource Shutdown or Release 3/13/2023 9:14 AM EDT bouncycastle.crypto.dll TlsAuthentication ReceiveServerCertificate(TlsClientContext, TlsClient, System.IO.MemoryStream): 20% 1 Path Open None
3833   informational Neutral 404  Improper Resource Shutdown or Release 3/13/2023 9:14 AM EDT bouncycastle.crypto.dll void !ctor(Engines.IesEngine): 15% 1 Path Open None
3834  informational Neutral 404  Improper Resource Shutdown or Release 3/13/2023 9:14 AM EDT bouncycastle.crypto.dll void Encode(System.IO.Stream): 16% 1 Path Open None
3835  informational Neutral 404  Improper Resource Shutdown or Release 3/13/2023 9:14 AM EDT bouncycastle.crypto.dll Builder SetServerExtensions(System.Collections.IDictionary): 30% 1 Path Open None
3836   informational Neutral 404  Improper Resource Shutdown or Release 3/13/2023 9:14 AM EDT bouncycastle.crypto.dll void WriteExtensions(System.IO.Stream, System.Collections.IDictionary): 0% 1 Path Open None
3837  informational Neutral 404  Improper Resource Shutdown or Release 3/13/2023 9:14 AM EDT bouncycastle.crypto.dll void !ctor(IBlockCipher): 6% 1 Path Open None
3838   informational Neutral 404  Improper Resource Shutdown or Release 3/13/2023 9:14 AM EDT bouncycastle.crypto.dll void !ctor(IBlockCipher): 17% 1 Path Open None
3839   informational Neutral 404  Improper Resource Shutdown or Release 3/13/2023 9:14 AM EDT bouncycastle.crypto.dll string EncodeData(byte[]): 35% 1 Path Open None
3840  informational Neutral 404  Improper Resource Shutdown or Release 3/13/2023 9:14 AM EDT bouncycastle.crypto.dll void !ctor(): 33% 1 Path Open None
3841  informational Neutral 404  Improper Resource Shutdown or Release 3/13/2023 9:14 AM EDT bouncycastle.crypto.dll void !ctor(BcpgInputStream): 92% 1 Path Open None
3842   informational Neutral 404  Improper Resource Shutdown or Release 3/13/2023 9:14 AM EDT bouncycastle.crypto.dll void !ctor(BcpgInputStream): 13% 1 Path Open None
3843   informational Neutral 404  Improper Resource Shutdown or Release 3/13/2023 9:14 AM EDT bouncycastle.crypto.dll void !ctor(PgpPrivateKey, PgpPublicKey, SymmetricKeyAlgorithmTag, byte[], bool, bool, Security.SecureRandom, bool): 39% 1 Path Open None
3844   informational Neutral 404  Improper Resource Shutdown or Release 3/13/2023 9:14 AM EDT bouncycastle.crypto.dll PgpSignature Generate(): 20% 1 Path Open None
3845  informational Neutral 404  Improper Resource Shutdown or Release 3/13/2023 9:14 AM EDT bouncycastle.crypto.dll void !ctor(int, Asn1EncodableVector): 20% 1 Path Open None
3846  informational Neutral 404  Improper Resource Shutdown or Release 3/13/2023 9:14 AM EDT bouncycastle.crypto.dll void Encode(Asn1OutputStream, bool): 0% 1 Path Open None
3847  informational Neutral 404  Improper Resource Shutdown or Release 3/13/2023 9:14 AM EDT bouncycastle.crypto.dll void Encode(Asn1OutputStream, bool): 26% 1 Path Open None
3848  informational Neutral 404  Improper Resource Shutdown or Release 3/13/2023 9:14 AM EDT bouncycastle.crypto.dll void !ctor(System.IO.Stream): 31% 1 Path Open None
3849  informational Neutral 404  Improper Resource Shutdown or Release 3/13/2023 9:14 AM EDT bouncycastle.crypto.dll void !ctor(System.IO.Stream, int, bool): 28% 1 Path Open None
3850  informational Neutral 404  Improper Resource Shutdown or Release 3/13/2023 9:14 AM EDT bouncycastle.crypto.dll void Encode(Asn1OutputStream, bool): 26% 1 Path Open None
3851  informational Neutral 404  Improper Resource Shutdown or Release 3/13/2023 9:14 AM EDT bouncycastle.crypto.dll void !ctor(System.IO.Stream): 31% 1 Path Open None
3852   informational Neutral 404  Improper Resource Shutdown or Release 3/13/2023 9:14 AM EDT bouncycastle.crypto.dll void !ctor(System.IO.Stream, int, bool): 28% 1 Path Open None

bchornii, Mar 13 '23 17:03