Fix False Positives (#575)

Changelog.md

@@ -4,6 +4,10 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [1.0.15] - 2023-07-31
+## Rules
+Fix false positives reported in #344, #548 and #549.
+
 ## [1.0.14] - 2023-07-27
 ### Fixes
 Fixes an issue handling IEnumerable arguments specified with the options-json argument to Analyze.

DevSkim-DotNet/Microsoft.DevSkim.CLI/Microsoft.DevSkim.CLI.csproj

@@ -37,7 +37,7 @@
     <ItemGroup>
       <PackageReference Include="CommandLineParser" Version="2.9.1" />
       <PackageReference Include="LibGit2Sharp" Version="0.27.2" />
-      <PackageReference Include="Microsoft.CST.ApplicationInspector.Logging" Version="1.9.8" />
+      <PackageReference Include="Microsoft.CST.ApplicationInspector.Logging" Version="1.9.9" />
       <PackageReference Include="Microsoft.Extensions.CommandLineUtils" Version="1.1.1" />
       <PackageReference Include="Sarif.Sdk" Version="4.3.0" />
     </ItemGroup>

DevSkim-DotNet/Microsoft.DevSkim.LanguageServer/Microsoft.DevSkim.LanguageServer.csproj

@@ -13,7 +13,7 @@
 
   <ItemGroup>
     <PackageReference Include="CommandLineParser" Version="2.9.1" />
-    <PackageReference Include="Microsoft.CST.ApplicationInspector.RulesEngine" Version="1.9.8" />
+    <PackageReference Include="Microsoft.CST.ApplicationInspector.RulesEngine" Version="1.9.9" />
     <PackageReference Include="Microsoft.Extensions.Logging" Version="7.0.0" />
     <PackageReference Include="OmniSharp.Extensions.LanguageServer" Version="0.19.7" />
     <PackageReference Include="Serilog.Extensions.Logging" Version="7.0.0" />

DevSkim-DotNet/Microsoft.DevSkim/Microsoft.DevSkim.csproj

@@ -24,7 +24,7 @@
   </ItemGroup>
 
     <ItemGroup>
-      <PackageReference Include="Microsoft.CST.ApplicationInspector.RulesEngine" Version="1.9.8" />
+      <PackageReference Include="Microsoft.CST.ApplicationInspector.RulesEngine" Version="1.9.9" />
       <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
     </ItemGroup>
 

rules/default/security/cryptography/protocol.json

@@ -125,14 +125,21 @@
                 ]
             },
             {
-                "pattern": "TLSv1",
-                "type": "string",
+                "pattern": "TLSv1(?!_[2-9])",
+                "type": "regex",
                 "scopes": [
                     "code"
                 ]
             },
             {
-                "pattern": "TLSv10",
+                "pattern": "TLSv1(0|_0)",
+                "type": "regex",
+                "scopes": [
+                    "code"
+                ]
+            },
+            {
+                "pattern": "TLSv1_1",
                 "type": "string",
                 "scopes": [
                     "code"
@@ -144,6 +151,10 @@
             "TLSv1",
             "TLSv10",
             "SSLv2_client"
+        ],
+        "must-not-match":[
+            "TLSv1_2",
+            "TLSv1_3"
         ]
     },
     {

rules/default/security/privacy/secrets.json

@@ -18,10 +18,25 @@
                 ]
             }
         ],
+        "conditions":[
+            {
+                "pattern" : 
+                {
+                    "pattern": "[assembly: InternalsVisibleTo",
+                    "type": "substring",
+                    "scopes": [
+                        "code"
+                    ]
+                },
+                "negate_finding": true,
+                "search_in": "same-line"
+            }
+        ],
         "must-match": [
             "var hash = \"121212121212121212121212121212\""
         ],
         "must-not-match": [
+            "[assembly: InternalsVisibleTo(\"Application.Tests, PublicKey=1234567890abcd\")]"
         ]
     },
     {