dotnet
diff --git a/‎azure-pipelines.yml‎
Lines changed: 1 addition & 1 deletion b/‎azure-pipelines.yml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎src/Microsoft.CodeAnalysis.FxCopAnalyzers/Microsoft.CodeAnalysis.FxCopAnalyzers.md‎
Lines changed: 7 additions & 4 deletions b/‎src/Microsoft.CodeAnalysis.FxCopAnalyzers/Microsoft.CodeAnalysis.FxCopAnalyzers.md‎
Lines changed: 7 additions & 4 deletions
diff --git a/‎src/Microsoft.CodeAnalysis.FxCopAnalyzers/Microsoft.CodeAnalysis.FxCopAnalyzers.sarif‎
Lines changed: 61 additions & 4 deletions b/‎src/Microsoft.CodeAnalysis.FxCopAnalyzers/Microsoft.CodeAnalysis.FxCopAnalyzers.sarif‎
Lines changed: 61 additions & 4 deletions
diff --git a/‎src/Microsoft.NetCore.Analyzers/Core/MicrosoftNetCoreAnalyzersResources.resx‎
Lines changed: 19 additions & 4 deletions b/‎src/Microsoft.NetCore.Analyzers/Core/MicrosoftNetCoreAnalyzersResources.resx‎
Lines changed: 19 additions & 4 deletions
@@ -28,7 +28,7 @@ jobs:
     - script: eng\common\cibuild.cmd -configuration $(_configuration) -prepareMachine
       displayName: Build and Test
 
-    - task: PublishTestResults@1
+    - task: PublishTestResults@2
       inputs:
         testRunner: XUnit
         testResultsFiles: '$(Build.SourcesDirectory)\artifacts\TestResults\$(_configuration)\*.xml'
 
@@ -191,15 +191,18 @@ Sr. No. | Rule ID | Title | Category | Enabled | CodeFix | Description |
 188 | CA5387 | Do Not Use Weak Key Derivation Function With Insufficient Iteration Count | Security | False | False | When deriving cryptographic keys from user-provided inputs such as password, use sufficient iteration count (at least 100k). |
 189 | CA5388 | Ensure Sufficient Iteration Count When Using Weak Key Derivation Function | Security | False | False | When deriving cryptographic keys from user-provided inputs such as password, use sufficient iteration count (at least 100k). |
 190 | [CA5389](https://docs.microsoft.com/visualstudio/code-quality/ca5389) | Do Not Add Archive Item's Path To The Target File System Path | Security | False | False | When extracting files from an archive and using the archive item's path, check if the path is safe. Archive path can be relative and can lead to file system access outside of the expected file system target path, leading to malicious config changes and remote code execution via lay-and-wait technique. |
-191 | CA5390 | Do Not Hard Code Encryption Key | Security | False | False | SymmetricAlgorithm's .Key property, or a method's rgbKey parameter, should never be a hardcoded value. |
+191 | CA5390 | Do not hard-code encryption key | Security | False | False | SymmetricAlgorithm's .Key property, or a method's rgbKey parameter, should never be a hard-coded value. |
 192 | CA5391 | Use antiforgery tokens in ASP.NET Core MVC controllers | Security | False | False | Handling a POST, PUT, PATCH, or DELETE request without validating an antiforgery token may be vulnerable to cross-site request forgery attacks. A cross-site request forgery attack can send malicious requests from an authenticated user to your ASP.NET Core MVC controller. |
 193 | CA5392 | Use DefaultDllImportSearchPaths attribute for P/Invokes | Security | False | False | By default, P/Invokes using DllImportAttribute probe a number of directories, including the current working directory for the library to load. This can be a security issue for certain applications, leading to DLL hijacking. |
 194 | CA5393 | Do not use unsafe DllImportSearchPath value | Security | False | False | There could be a malicious DLL in the default DLL search directories. Or, depending on where your application is run from, there could be a malicious DLL in the application's directory. Use a DllImportSearchPath value that specifies an explicit search path instead. The DllImportSearchPath flags that this rule looks for can be configured in .editorconfig. |
-195 | CA5394 | Do not use insecure randomness | Security | False | False | {0} is an insecure random number generator. Use cryptographically secure random number generators when randomness is required for security |
+195 | CA5394 | Do not use insecure randomness | Security | False | False | Using a cryptographically weak pseudo-random number generator may allow an attacker to predict what security-sensitive value will be generated. Use a cryptographically strong random number generator if an unpredictable value is required, or ensure that weak pseudo-random numbers aren't used in a security-sensitive manner. |
 196 | CA5395 | Miss HttpVerb attribute for action methods | Security | False | False | All the methods that create, edit, delete, or otherwise modify data do so in the [HttpPost] overload of the method, which needs to be protected with the anti forgery attribute from request forgery. Performing a GET operation should be a safe operation that has no side effects and doesn't modify your persisted data. |
 197 | CA5396 | Set HttpOnly to true for HttpCookie | Security | False | False | As a defense in depth measure, ensure security sensitive HTTP cookies are marked as HttpOnly. This indicates web browsers should disallow scripts from accessing the cookies. Injected malicious scripts are a common way of stealing cookies. |
 198 | [CA5397](https://docs.microsoft.com/visualstudio/code-quality/ca5397) | Do not use deprecated SslProtocols values | Security | True | False | Older protocol versions of Transport Layer Security (TLS) are less secure than TLS 1.2 and TLS 1.3, and are more likely to have new vulnerabilities. Avoid older protocol versions to minimize risk. |
 199 | [CA5398](https://docs.microsoft.com/visualstudio/code-quality/ca5398) | Avoid hardcoded SslProtocols values | Security | False | False | Current Transport Layer Security protocol versions may become deprecated if vulnerabilities are found. Avoid hardcoding SslProtocols values to keep your application secure. Use 'None' to let the Operating System choose a version. |
-200 | CA5399 | Definitely disable HttpClient certificate revocation list check | Security | False | False | Using HttpClient without providing a platform specific handler (WinHttpHandler or CurlHandler or HttpClientHandler) where the CheckCertificateRevocationList property is set to true, will allow revoked certificates to be accepted by the HttpClient as valid. |
+200 | CA5399 | HttpClients should enable certificate revocation list checks | Security | False | False | Using HttpClient without providing a platform specific handler (WinHttpHandler or CurlHandler or HttpClientHandler) where the CheckCertificateRevocationList property is set to true, will allow revoked certificates to be accepted by the HttpClient as valid. |
 201 | CA5400 | Ensure HttpClient certificate revocation list check is not disabled | Security | False | False | Using HttpClient without providing a platform specific handler (WinHttpHandler or CurlHandler or HttpClientHandler) where the CheckCertificateRevocationList property is set to true, will allow revoked certificates to be accepted by the HttpClient as valid. |
-202 | CA9999 | Analyzer version mismatch | Reliability | True | False | Analyzers in this package require a certain minimum version of Microsoft.CodeAnalysis to execute correctly. Refer to https://docs.microsoft.com/visualstudio/code-quality/install-fxcop-analyzers#fxcopanalyzers-package-versions to install the correct analyzer version. |
+202 | CA5401 | Do not use CreateEncryptor with non-default IV | Security | False | False | Symmetric encryption should always use a non-repeatable initialization vector to prevent dictionary attacks. |
+203 | CA5402 | Use CreateEncryptor with the default IV  | Security | False | False | Symmetric encryption should always use a non-repeatable initialization vector to prevent dictionary attacks. |
+204 | CA5403 | Do not hard-code certificate | Security | False | False | Hard-coded certificates in source code are vulnerable to being exploited. |
+205 | CA9999 | Analyzer version mismatch | Reliability | True | False | Analyzers in this package require a certain minimum version of Microsoft.CodeAnalysis to execute correctly. Refer to https://docs.microsoft.com/visualstudio/code-quality/install-fxcop-analyzers#fxcopanalyzers-package-versions to install the correct analyzer version. |
@@ -3603,8 +3603,8 @@
         },
         "CA5390": {
           "id": "CA5390",
-          "shortDescription": "Do Not Hard Code Encryption Key",
-          "fullDescription": "SymmetricAlgorithm's .Key property, or a method's rgbKey parameter, should never be a hardcoded value.",
+          "shortDescription": "Do not hard-code encryption key",
+          "fullDescription": "SymmetricAlgorithm's .Key property, or a method's rgbKey parameter, should never be a hard-coded value.",
           "defaultLevel": "warning",
           "properties": {
             "category": "Security",
@@ -3677,7 +3677,7 @@
         "CA5394": {
           "id": "CA5394",
           "shortDescription": "Do not use insecure randomness",
-          "fullDescription": "{0} is an insecure random number generator. Use cryptographically secure random number generators when randomness is required for security",
+          "fullDescription": "Using a cryptographically weak pseudo-random number generator may allow an attacker to predict what security-sensitive value will be generated. Use a cryptographically strong random number generator if an unpredictable value is required, or ensure that weak pseudo-random numbers aren't used in a security-sensitive manner.",
           "defaultLevel": "warning",
           "properties": {
             "category": "Security",
@@ -3769,7 +3769,7 @@
         },
         "CA5399": {
           "id": "CA5399",
-          "shortDescription": "Definitely disable HttpClient certificate revocation list check",
+          "shortDescription": "HttpClients should enable certificate revocation list checks",
           "fullDescription": "Using HttpClient without providing a platform specific handler (WinHttpHandler or CurlHandler or HttpClientHandler) where the CheckCertificateRevocationList property is set to true, will allow revoked certificates to be accepted by the HttpClient as valid.",
           "defaultLevel": "warning",
           "properties": {
@@ -3804,6 +3804,63 @@
               "Telemetry"
             ]
           }
+        },
+        "CA5401": {
+          "id": "CA5401",
+          "shortDescription": "Do not use CreateEncryptor with non-default IV",
+          "fullDescription": "Symmetric encryption should always use a non-repeatable initialization vector to prevent dictionary attacks.",
+          "defaultLevel": "warning",
+          "properties": {
+            "category": "Security",
+            "isEnabledByDefault": false,
+            "typeName": "DoNotUseCreateEncryptorWithNonDefaultIV",
+            "languages": [
+              "C#",
+              "Visual Basic"
+            ],
+            "tags": [
+              "Dataflow",
+              "Telemetry"
+            ]
+          }
+        },
+        "CA5402": {
+          "id": "CA5402",
+          "shortDescription": "Use CreateEncryptor with the default IV ",
+          "fullDescription": "Symmetric encryption should always use a non-repeatable initialization vector to prevent dictionary attacks.",
+          "defaultLevel": "warning",
+          "properties": {
+            "category": "Security",
+            "isEnabledByDefault": false,
+            "typeName": "DoNotUseCreateEncryptorWithNonDefaultIV",
+            "languages": [
+              "C#",
+              "Visual Basic"
+            ],
+            "tags": [
+              "Dataflow",
+              "Telemetry"
+            ]
+          }
+        },
+        "CA5403": {
+          "id": "CA5403",
+          "shortDescription": "Do not hard-code certificate",
+          "fullDescription": "Hard-coded certificates in source code are vulnerable to being exploited.",
+          "defaultLevel": "warning",
+          "properties": {
+            "category": "Security",
+            "isEnabledByDefault": false,
+            "typeName": "DoNotHardCodeCertificate",
+            "languages": [
+              "C#",
+              "Visual Basic"
+            ],
+            "tags": [
+              "Dataflow",
+              "Telemetry"
+            ]
+          }
         }
       }
     },
 
@@ -1119,11 +1119,11 @@
   <data name="DoNotUseInsecureRandomness" xml:space="preserve">
     <value>Do not use insecure randomness</value>
   </data>
-  <data name="DoNotUseInsecureRandomnessDescription" xml:space="preserve">
+  <data name="DoNotUseInsecureRandomnessMessage" xml:space="preserve">
     <value>{0} is an insecure random number generator. Use cryptographically secure random number generators when randomness is required for security</value>
   </data>
-  <data name="DoNotUseInsecureRandomnessMessage" xml:space="preserve">
-    <value>Using a cryptographically weak pseudo-random number generator may allow an attacker to predict what security sensitive value will be generated. Use a cryptographically strong random number generator if an unpredictable value is required, or ensure that weak pseudo-random numbers aren't used in a security sensitive manner.</value>
+  <data name="DoNotUseInsecureRandomnessDescription" xml:space="preserve">
+    <value>Using a cryptographically weak pseudo-random number generator may allow an attacker to predict what security-sensitive value will be generated. Use a cryptographically strong random number generator if an unpredictable value is required, or ensure that weak pseudo-random numbers aren't used in a security-sensitive manner.</value>
   </data>
   <data name="DoNotUseCountAsyncWhenAnyAsyncCanBeUsedDescription" xml:space="preserve">
     <value>For non-empty collections, CountAsync() and LongCountAsync() enumerate the entire sequence, while AnyAsync() stops at the first item or the first item that satisfies a condition.</value>
@@ -1174,7 +1174,7 @@
     <value>All the methods that create, edit, delete, or otherwise modify data do so in the [HttpPost] overload of the method, which needs to be protected with the anti forgery attribute from request forgery. Performing a GET operation should be a safe operation that has no side effects and doesn't modify your persisted data.</value>
   </data>
   <data name="DefinitelyDisableHttpClientCRLCheck" xml:space="preserve">
-    <value>Definitely disable HttpClient certificate revocation list check</value>
+    <value>HttpClients should enable certificate revocation list checks</value>
   </data>
   <data name="DefinitelyDisableHttpClientCRLCheckMessage" xml:space="preserve">
     <value>HttpClient is created without enabling CheckCertificateRevocationList</value>
@@ -1197,4 +1197,19 @@
   <data name="DoNotHardCodeCertificateMessage" xml:space="preserve">
     <value>Potential security vulnerability was found where '{0}' in method '{1}' may be tainted by hard-coded certificate from '{2}' in method '{3}'</value>
   </data>
+  <data name="DefinitelyUseCreateEncryptorWithNonDefaultIV" xml:space="preserve">
+    <value>Do not use CreateEncryptor with non-default IV</value>
+  </data>
+  <data name="DefinitelyUseCreateEncryptorWithNonDefaultIVMessage" xml:space="preserve">
+    <value>Symmetric encryption uses non-default initialization vector, which could be potentially repeatable</value>
+  </data>
+  <data name="MaybeUseCreateEncryptorWithNonDefaultIV" xml:space="preserve">
+    <value>Use CreateEncryptor with the default IV </value>
+  </data>
+  <data name="MaybeUseCreateEncryptorWithNonDefaultIVMessage" xml:space="preserve">
+    <value>The non-default initialization vector, which can be potentially repeatable, is used in the encrypion. Ensure use the default one.</value>
+  </data>
+  <data name="DoNotUseCreateEncryptorWithNonDefaultIVDescription" xml:space="preserve">
+    <value>Symmetric encryption should always use a non-repeatable initialization vector to prevent dictionary attacks.</value>
+  </data>
 </root>