CSHARP.INSEC.MDSS : Method Disables Security Setting (C#)

要旨

A safe security setting seems disabled.

• It should be avoided a mismatch of security annotations between code elements of larger scope to elements of smaller scope. The security annotations of the element with the larger scope always wins.
• Certifications should not be added to the operating system's trusted root, as it can lead to accept untrusted certification authority.
• It should be never acceptable to disable security protocols or not to use a strong cryptography. Anyway, this can be done by calling the method AppContext.SetSwitch() and setting Switch.System.Net.DontEnableSchUseStrongCrypto to true or by setting Switch.System.ServiceModel.DisableUsingServicePointManagerSecurityProtocols to true.

プロパティ

WARNING_FILTER += allow class="Method Disables Security Setting (C#)"

例

using System;

namespace UnsafeCryptographySettings
{
    public class CryptographySettings
    { 
        public void UnsafeSecurityProtocols() 
        {
           AppContext.SetSwitch("Switch.System.ServiceModel.DisableUsingServicePointManagerSecurityProtocols", true); // "Method Disables Security Setting (C#)" warning issued here
        }  
        
        public void DisableStrongCrypto()
        {        
           AppContext.SetSwitch("Switch.System.Net.DontEnableSchUseStrongCrypto", true);                              // "Method Disables Security Setting (C#)" warning issued here
        }      
    }
}

解決法

Parameterize it in a configuration file.

Use safer protocols.

関連のある設定ファイルパラメータ

設定ファイルの以下のパラメータがこのワーニングクラスのチェックに影響します。

• CSHARP_ANALYSIS_MERGE_CREATION_POINTS
• REPORT_SIMILAR_WARNINGS
• WARNING_FILTER