Merged
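--- a/.config/CredScanSuppressions.json
+++ b/.config/CredScanSuppressions.json
@@ -1,49 +1,70 @@
 {
-"tool": "Credential Scanner",
-"suppressions": [
-{
-"file": [
-"/eng/common/internal-feed-operations.ps1",
-"/eng/common/internal-feed-operations.sh",
-"/src/libraries/Common/src/Interop/Windows/WinHttp/Interop.winhttp_types.cs",
-"/src/libraries/Common/src/System/Security/Cryptography/EccSecurityTransforms.cs",
-"/src/libraries/Common/tests/System/Net/Configuration.Certificates.cs",
-"/src/libraries/Common/tests/System/Net/Http/HttpClientHandlerTest.Authentication.cs",
-"/src/libraries/Common/tests/System/Net/Http/HttpClientHandlerTest.cs",
-"/src/libraries/Common/tests/System/Net/Http/HttpClientHandlerTest.DefaultProxyCredentials.cs",
-"/src/libraries/Common/tests/System/Net/Http/HttpClientHandlerTest.Proxy.cs",
-"/src/libraries/Common/tests/System/Net/Http/HttpClientHandlerTest.ServerCertificates.cs",
-"/src/libraries/Common/tests/System/Net/Http/PostScenarioTest.cs",
-"/src/libraries/Common/tests/System/Net/Prerequisites/Deployment/setup_certificates.ps1",
-"/src/libraries/Common/tests/System/Security/Cryptography/AlgorithmImplementations/EC/ECKeyFileTests.cs",
-"/src/libraries/Common/tests/System/Security/Cryptography/AlgorithmImplementations/EC/ECKeyFileTests.LimitedPrivate.cs",
-"/src/libraries/Common/tests/System/Security/Cryptography/AlgorithmImplementations/RSA/RSAKeyFileTests.cs",
-"/src/libraries/Common/tests/System/Security/Cryptography/AlgorithmImplementations/RSA/RSAKeyPemTests.cs",
-"/src/libraries/System.Data.Common/tests/System/Data/Common/DbConnectionStringBuilderTest.cs",
-"/src/libraries/System.Diagnostics.Process/tests/ProcessStartInfoTests.cs",
-"/src/libraries/System.DirectoryServices.AccountManagement/src/System/DirectoryServices/AccountManagement/constants.cs",
-"/src/libraries/System.DirectoryServices.AccountManagement/tests/PrincipalTest.cs",
-"/src/libraries/System.DirectoryServices.AccountManagement/tests/UserPrincipalTest.cs",
-"/src/libraries/System.Net.Http/tests/FunctionalTests/SocketsHttpHandlerTest.cs",
-"/src/libraries/System.Net.Http/tests/UnitTests/DigestAuthenticationTests.cs",
-"/src/libraries/System.Net.Http/tests/UnitTests/HttpEnvironmentProxyTest.cs",
-"/src/libraries/System.Net.Mail/tests/Functional/SmtpClientTest.cs",
-"/src/libraries/System.Net.Requests/src/System/Net/FtpControlStream.cs",
-"/src/libraries/System.Net.Requests/src/System/Net/FtpWebRequest.cs",
-"/src/libraries/System.Net.WebSockets.Client/tests/ConnectTest.cs",
-"/src/libraries/System.Private.Uri/tests/ExtendedFunctionalTests/UriRelativeResolutionTest.cs",
-"/src/libraries/System.Private.Uri/tests/FunctionalTests/UriBuilderRefreshTest.cs",
-"/src/libraries/System.Private.Uri/tests/FunctionalTests/UriBuilderTests.cs",
-"/src/libraries/System.Private.Uri/tests/FunctionalTests/UriRelativeResolutionTest.cs",
-"/src/libraries/System.Runtime/tests/System/Uri.CreateStringTests.cs",
-"/src/libraries/System.Security.Cryptography.Algorithms/tests/Rfc2898Tests.cs",
-"/src/libraries/System.Security.Cryptography.Pkcs/tests/Pkcs12/Pkcs12Documents.cs",
-"/src/libraries/System.Security.Cryptography.X509Certificates/tests/ExportTests.cs",
-"/src/libraries/System.Security.Cryptography.Xml/tests/EncryptedXmlTest.cs",
-"/src/libraries/System.Security.Cryptography.Xml/tests/SignedXmlTest.cs",
-"/src/libraries/System.Security.Cryptography.Xml/tests/TestHelpers.cs"
-],
-"_justification": "Mostly test files. Other files contain harmless examples or constants."
-},
-]
+"tool": "Credential Scanner",
+"suppressions": [
+{
+"_justification": "Unit test containing connection strings under the test.",
+"file": [
+"src/libraries/System.Data.Common/tests/System/Data/Common/DbConnectionStringBuilderTest.cs"
+]
+},
+{
+"_justification": "Private key for testing purpose.",
+"file": [
+"src/libraries/Common/tests/System/Security/Cryptography/AlgorithmImplementations/DSA/DSAKeyPemTests.cs",
+"src/libraries/Common/tests/System/Security/Cryptography/AlgorithmImplementations/EC/ECKeyPemTests.cs",
+"src/libraries/Common/tests/System/Security/Cryptography/AlgorithmImplementations/RSA/RSAKeyPemTests.cs",
+"src/libraries/System.Security.Cryptography.X509Certificates/tests/TestData.cs"
+],
+"placeholder": [
+"-----BEGIN PRIVATE KEY-----",
+"-----BEGIN * PRIVATE KEY-----"
+]
+},
+{
+"_justification": "Test credential for Uri testing",
+"file": [
+"src/libraries/System.Net.Http/tests/UnitTests/HttpEnvironmentProxyTest.cs",
+"src/libraries/System.Private.Uri/tests/ExtendedFunctionalTests/UriRelativeResolutionTest.cs",
+"src/libraries/System.Private.Uri/tests/FunctionalTests/UriBuilderRefreshTest.cs",
+"src/libraries/System.Private.Uri/tests/FunctionalTests/UriBuilderTests.cs",
+"src/libraries/System.Private.Uri/tests/FunctionalTests/UriRelativeResolutionTest.cs",
+"src/libraries/System.Runtime/tests/System/Uri.CreateStringTests.cs"
+],
+"placeholder": [
+"//*:;&$=123USERINFO@",
+"//*:bar@",
+"//*:bar1@",
+"//*:password1@",
+"//*:psw@",
+"//*:userinfo2@"
+]
+},
+{
+"_justification": "Generic test password.",
+"file": [
+"src/libraries/Common/tests/System/Net/Configuration.Certificates.cs",
+"src/libraries/Common/tests/System/Net/Http/HttpClientHandlerTest.Authentication.cs",
+"src/libraries/Common/tests/System/Net/Http/HttpClientHandlerTest.cs",
+"src/libraries/Common/tests/System/Net/Http/HttpClientHandlerTest.DefaultProxyCredentials.cs",
+"src/libraries/Common/tests/System/Net/Http/PostScenarioTest.cs",
+"src/libraries/Common/tests/System/Net/Prerequisites/Deployment/setup_certificates.ps1",
+"src/libraries/System.Net.Http/tests/FunctionalTests/SocketsHttpHandlerTest.cs",
+"src/libraries/System.Net.Http/tests/UnitTests/DigestAuthenticationTests.cs",
+"src/libraries/System.Net.Http/tests/UnitTests/HttpEnvironmentProxyTest.cs",
+"src/libraries/System.Net.Mail/tests/Functional/SmtpClientTest.cs",
+"src/libraries/System.Security.Cryptography.Xml/tests/SignedXmlTest.cs",
+"src/libraries/System.Security.Cryptography.Xml/tests/TestHelpers.cs"
+],
+"placeholder": [
+"\"anotherpassword\"",
+"\"bar\"",
+"\"mono\"",
+"\"password1\"",
+"\"rightpassword\"",
+"\"testcertificate\"",
+"\"unused\"",
+"\"wrongpassword\""
+]
+}
+]
 }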
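Review bot: Every new entry still keys on `file`, and this page does not show whether the scanner treats `placeholder` as narrowing the `file` match or as an independent matcher. If `file` alone silences every finding in the listed paths, a real credential later pasted into one of these test files (or into `setup_certificates.ps1`) would go unreported, which is the same blind spot the old catch-all entry had. The first entry (`DbConnectionStringBuilderTest.cs`) carries no `placeholder`, so it appears to be whole-file in either case. It would be worth confirming the semantics and, if the two keys are independent, dropping `file` wherever the `placeholder` list or the inline `CS002:SecretInNextLine` comment used elsewhere in this PR already covers the literal.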
Expand Up @@ -129,8 +129,10 @@ internal partial class WinHttp
public const uint WINHTTP_AUTH_TARGET_PROXY = 0x00000001;

public const uint WINHTTP_OPTION_USERNAME = 0x1000;
// [SuppressMessage("Microsoft.Security", "CS002:SecretInNextLine", Justification="It is property descriptor, not secret value.")]
public const uint WINHTTP_OPTION_PASSWORD = 0x1001;
public const uint WINHTTP_OPTION_PROXY_USERNAME = 0x1002;
// [SuppressMessage("Microsoft.Security", "CS002:SecretInNextLine", Justification="It is property descriptor, not secret value.")]
Member


Why are these commented out? Shouldn't they either be deleted or uncommented? Or does the tooling pay attention to commented out SuppressMessage attributes?

Contributor Author


Yes, this is the official way to suppress a report for the next line.

Member


I wonder how we will remember to not remove these as dead code! Would this also be recognized?

// [SuppressMessage("Microsoft.Security", "CS002:SecretInNextLine", Justification="It is property descriptor, not secret value.")]      // Commented line recognized by credscan tool

?

Member


My preference would be actually running the analyzer in dotnet/runtime.

Member


Can you clarify, I thought that's what @aik-jahoda is doing.

Member


Very few direct check-ins are made to the private mirror. It makes no sense to me to run analyzers over that source that we don't also run as part of the public repo, where 99.999% of all commits come from. Doing that only causes additional dev work and headaches, and it's caused problems as well, where mirroring fails because the already merged commits then fail the subsequent pre-merge validation. This also isn't a one-time thing; PRs like this have been submitted multiple times in the past in order to mop up from such analyzers that are being run late. And to your question about not deleting code as dead/stale, this exact mechanism would address that. So I don't understand the concerns or pushback. It seems like a no-brainer to me. What am I not comprehending?

Not all files are in the build

And what percentage of the changes in this PR are to such files? I'm not saying it would prevent all possible problems. You're saying it's useless if it's not 100% false negatives? I highly doubt the existing tooling even gets close to that.

Member

@ManickaP ManickaP Jul 15, 2020


Just info about the tool and public PRs, it cannot be run out in the open: dotnet/arcade#4663

But there's an open issue https://github.com/dotnet/core-eng/issues/5747 about running it on public PRs.

Though I'm not sure what it will be good for without the results 🤣

Member

@stephentoub stephentoub Jul 15, 2020


Thanks. I don't buy the answer in that issue, though. We run analyzers that validate, for example, SHA1 isn't being used, and that's an "SDL static verification tool".

Contributor Author


@danmosemsft, are you ok to merge this PR? I think we currently don't have a better option how to suppress the bugs reported by the tool.

Member


The changes look OK to me, modulo the large conceptual problem of how there's a gap between checkins and analysis. I'm withholding a checkmark to let @danmosemsft decide if we want to block this on the conceptual problem or not.

public const uint WINHTTP_OPTION_PROXY_PASSWORD = 0x1003;

public const uint WINHTTP_OPTION_SERVER_SPN_USED = 106;
Expand Up @@ -261,8 +261,8 @@ public async Task Proxy_SendSecureRequestThruProxy_ConnectTunnelUsed()
[ConditionalFact(typeof(PlatformDetection), nameof(PlatformDetection.IsNotWindowsNanoServer))]
public async Task ProxyAuth_Digest_Succeeds()
{
const string expectedUsername = "testusername";
const string expectedPassword = "testpassword";
const string expectedUsername = "user";
const string expectedPassword = "password";
const string authHeader = "Proxy-Authenticate: Digest realm=\"NetCore\", nonce=\"PwOnWgAAAAAAjnbW438AAJSQi1kAAAAA\", qop=\"auth\", stale=false\r\n";
LoopbackServer.Options options = new LoopbackServer.Options { IsProxy = true, Username = expectedUsername, Password = expectedPassword };
var proxyCreds = new NetworkCredential(expectedUsername, expectedPassword);
Expand Up @@ -108,7 +108,7 @@ public async Task UseCallback_HaveCredsAndUseAuthenticatedCustomProxyAndPostToSe
handler.ServerCertificateCustomValidationCallback = TestHelper.AllowAllCertificates;
handler.Proxy = new WebProxy(proxyServer.Uri)
{
Credentials = new NetworkCredential("rightusername", "rightpassword")
Credentials = new NetworkCredential("user", "password")
};

const string content = "This is a test";
Expand Up @@ -1004,6 +1004,7 @@ await LoopbackServer.CreateClientAndServerAsync(async uri =>
$"Accept-Patch:{fold} text/example;charset=utf-8{newline}" +
$"Accept-Ranges:{fold} bytes{newline}" +
$"Age: {fold}12{newline}" +
// [SuppressMessage("Microsoft.Security", "CS002:SecretInNextLine", Justification="Unit test dummy authorization.")]
$"Authorization: Bearer 63123a47139a49829bcd8d03005ca9d7{newline}" +
$"Allow: {fold}GET, HEAD{newline}" +
$"Alt-Svc:{fold} http/1.1=\"http2.example.com:8001\"; ma=7200{newline}" +
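Review bot: The `Authorization: Bearer 63123a47139a49829bcd8d03005ca9d7` line keeps a random-looking 32-hex token and silences the scanner, where an obviously synthetic value would read as fake to a human reviewer and might not need a suppression at all. If nothing later in the test compares against this exact string (the assertions are outside the hunk), a value such as `$"Authorization: Bearer 00000000000000000000000000000000{newline}" +` would make the intent plain. The suppression comment also sits in the middle of a string concatenation, so a formatter or a dead-code cleanup can easily separate it from the line it guards; a short trailing remark such as `// read by the credential scanner, do not remove` would help.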
Expand Up @@ -176,6 +176,7 @@ public void ReadNistP521EncryptedPkcs8_Pbes2_Aes128_Sha384()
public void ReadNistP521EncryptedPkcs8_Pbes2_Aes128_Sha384_PasswordBytes()
{
// PBES2, PBKDF2 (SHA384), AES128
// [SuppressMessage("Microsoft.Security", "CS002:SecretInNextLine", Justification="Unit test key.")]
const string base64 = @"
MIIBXTBXBgkqhkiG9w0BBQ0wSjApBgkqhkiG9w0BBQwwHAQI/JyXWyp/t3kCAggA
MAwGCCqGSIb3DQIKBQAwHQYJYIZIAWUDBAECBBA3H8mbFK5afB5GzIemCCQkBIIB
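Review bot: The suppression is named `SecretInNextLine`, but the next line here is only `const string base64 = @"`; the key material starts one line further down and runs over several lines. Whether the scanner attributes the finding to the line where the verbatim literal opens or to the lines holding the base64 is not visible from this page, and if it is the latter these comments suppress nothing. The same layout is used in the `ReadPbes2Rc2EncryptedDiminishedDP_PasswordBytes` and `ReadEncryptedDiminishedDP_*` hunks of the next section, and the old catch-all entry that listed `ECKeyFileTests.cs` and `RSAKeyFileTests.cs` is removed without either name reappearing in the new entries. A scanner run showing zero findings for these files would be worth attaching to the PR. The method body continues outside the hunk.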
Expand Up @@ -763,6 +763,7 @@ public static void ReadPbes2Rc2EncryptedDiminishedDP()
public static void ReadPbes2Rc2EncryptedDiminishedDP_PasswordBytes()
{
// PBES2: PBKDF2 + RC2-128
// [SuppressMessage("Microsoft.Security", "CS002:SecretInNextLine", Justification="Unit test key.")]
const string base64 = @"
MIIBrjBIBgkqhkiG9w0BBQ0wOzAeBgkqhkiG9w0BBQwwEQQIKZEFT76zCFECAggA
AgEQMBkGCCqGSIb3DQMCMA0CAToECE1Yyzk6++IPBIIBYDDvaYLkET8eudcYLQMf
Expand All @@ -788,6 +789,7 @@ public static void ReadPbes2Rc2EncryptedDiminishedDP_PasswordBytes()
[Fact]
public static void ReadEncryptedDiminishedDP_EmptyPassword()
{
// [SuppressMessage("Microsoft.Security", "CS002:SecretInNextLine", Justification="Unit test key.")]
const string base64 = @"
MIIBgTAbBgkqhkiG9w0BBQMwDgQIJtjMez/9Gg4CAggABIIBYElq9UOOphEPU3b7
G/mV8M1uEdjigidMPih3b9IIJhrjMAEix2IjS+brFL7KRQgucpZZoaFU1utvkUHg
Expand All @@ -812,6 +814,7 @@ public static void ReadEncryptedDiminishedDP_EmptyPassword()
[Fact]
public static void ReadEncryptedDiminishedDP_EmptyPasswordBytes()
{
// [SuppressMessage("Microsoft.Security", "CS002:SecretInNextLine", Justification="Unit test key.")]
const string base64 = @"
MIIBgTAbBgkqhkiG9w0BBQMwDgQIJtjMez/9Gg4CAggABIIBYElq9UOOphEPU3b7
G/mV8M1uEdjigidMPih3b9IIJhrjMAEix2IjS+brFL7KRQgucpZZoaFU1utvkUHg
Expand Up @@ -354,6 +354,7 @@ public void TestWorkingDirectoryPropertyInChildProcess()
[ConditionalFact(typeof(RemoteExecutor), nameof(RemoteExecutor.IsSupported)), PlatformSpecific(TestPlatforms.Windows), OuterLoop] // Uses P/Invokes, Requires admin privileges
public void TestUserCredentialsPropertiesOnWindows()
{
// [SuppressMessage("Microsoft.Security", "CS002:SecretInNextLine", Justification="Unit test dummy credentials.")]
string username = "test", password = "PassWord123!!";
try
{
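Review bot: `password = "PassWord123!!"` stays a fixed, source-visible value in a test whose attribute comment says it uses P/Invokes and requires admin privileges. If the body (outside this hunk) creates a local account with it, every machine running the outer-loop tests has, for the duration of the test, an account with a publicly known password; generating the value per run would remove both that exposure and the need for the suppression. If the fixed value is required, a comment stating why next to the suppression would help, e.g. `// fixed value required because <reason>`.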
Expand Up @@ -95,6 +95,7 @@ private PropertyNames() { }

// these two are not publicly exposed properties, but are used internally to track ResetPassword/ExpirePasswordNow
// operations against unpersisted principals, so that they can be performed once the principal has been Saved
// [SuppressMessage("Microsoft.Security", "CS002:SecretInNextLine", Justification="Not a password.")]
internal const string PwdInfoPassword = "AuthenticablePrincipal.PasswordInfo.Password";
internal const string PwdInfoExpireImmediately = "AuthenticablePrincipal.PasswordInfo.ExpireImmediately";
}
Expand Up @@ -15,8 +15,8 @@ public abstract class PrincipalTest : IDisposable

private void RefreshContext()
{
string username = "Administrator";
string password = "Adrumble@6";
// [SuppressMessage("Microsoft.Security", "CS002:SecretInNextLine", Justification="Unit test dummy credentials.")]
string username = "Administrator", password = "Adrumble@6";

string OU = "Tests";
string baseDomain = WindowsIdentity.GetCurrent().Name.Split(new char[] { '\\' })[1] + "-TEST";
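Review bot: The two declarations were folded into `string username = "Administrator", password = "Adrumble@6";` apparently only so that the single next-line suppression covers the password, which hides that `username` is not the secret and makes the line easy to split again by accident. Keeping `string username = "Administrator";` on its own line and placing the suppression comment directly above `string password = "Adrumble@6";` does the same job. Separately, the justification says dummy credentials, yet the value is paired with `Administrator` and a `-TEST` domain derived from the current identity; if a test environment really accepts it, it belongs in configuration rather than in source. The same fold is made in `ComputedUACCheck` in the next section, and `RefreshContext` continues outside the hunk.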
Expand Up @@ -31,8 +31,8 @@ public void UserPrincipalConstructorTest()

public void ComputedUACCheck()
{
string username = "Administrator";
string password = "Adrumble@6";
// [SuppressMessage("Microsoft.Security", "CS002:SecretInNextLine", Justification="Unit test dummy credentials.")]
string username = "Administrator", password = "Adrumble@6";
//TODO: don't assume it exists, create it if its not
string OU = "TestNull";
string baseDomain =WindowsIdentity.GetCurrent().Name.Split(new char[] { '\\' })[1] + "-TEST";
Expand Up @@ -13,6 +13,7 @@ public class ClientCertificateHelper
private readonly X509Certificate2 _cert_KeyUsageIncludesDigitalSignature_EKUIncludesClientAuth_PrivateKey =
new X509Certificate2(
Convert.FromBase64String(
// [SuppressMessage("Microsoft.Security", "CS002:SecretInNextLine", Justification="Dummy certificate for testing.")]
@"MIIKTgIBAzCCCgoGCSqGSIb3DQEHAaCCCfsEggn3MIIJ8zCCBgwGCSqGSIb3DQEHAaCCBf0EggX5
MIIF9TCCBfEGCyqGSIb3DQEMCgECoIIE/jCCBPowHAYKKoZIhvcNAQwBAzAOBAiHDatvDr8QBQIC
B9AEggTYv1r4ckwt7o6f6DCMHlb/zv4t7rPju+PP0PjoJ8kzPfj419aSeyPuE+65YH9WFDqafJed
Expand Down Expand Up @@ -65,6 +66,7 @@ public class ClientCertificateHelper
private readonly X509Certificate2 _cert_KeyUsageMissingDigitalSignature_EKUIncludesClientAuth_PrivateKey =
new X509Certificate2(
Convert.FromBase64String(
// [SuppressMessage("Microsoft.Security", "CS002:SecretInNextLine", Justification="Dummy certificate for testing.")]
@"MIIKTgIBAzCCCgoGCSqGSIb3DQEHAaCCCfsEggn3MIIJ8zCCBgwGCSqGSIb3DQEHAaCCBf0EggX5
MIIF9TCCBfEGCyqGSIb3DQEMCgECoIIE/jCCBPowHAYKKoZIhvcNAQwBAzAOBAiSNi65ZF5ZTQIC
B9AEggTYRTivDtzHOWRR+MobtGFEUu6d1PiIlF1Ic84FWvmFCcJShkBmg3cBqDilqtamAkDkga4h
Expand Down Expand Up @@ -117,6 +119,7 @@ public class ClientCertificateHelper
private readonly X509Certificate2 _cert_KeyUsageIncludesDigitalSignature_EKUMissingClientAuth_PrivateKey =
new X509Certificate2(
Convert.FromBase64String(
// [SuppressMessage("Microsoft.Security", "CS002:SecretInNextLine", Justification="Dummy certificate for testing.")]
@"MIIKRgIBAzCCCgIGCSqGSIb3DQEHAaCCCfMEggnvMIIJ6zCCBgQGCSqGSIb3DQEHAaCCBfUEggXx
MIIF7TCCBekGCyqGSIb3DQEMCgECoIIE9jCCBPIwHAYKKoZIhvcNAQwBAzAOBAhCUuNQ0RqfZQIC
B9AEggTQHCQRSiCiNI7egTvUaI1Z3tfeLwFWvG7B/za5v9fb97MExoyVQSDmUyUDTlVEcg3gVqJZ
Expand Down Expand Up @@ -169,6 +172,7 @@ public class ClientCertificateHelper
private readonly X509Certificate2 _cert_KeyUsageIncludesDigitalSignature_NoEKU_PrivateKey =
new X509Certificate2(
Convert.FromBase64String(
// [SuppressMessage("Microsoft.Security", "CS002:SecretInNextLine", Justification="Dummy certificate for testing.")]
@"MIIKPgIBAzCCCfoGCSqGSIb3DQEHAaCCCesEggnnMIIJ4zCCBgwGCSqGSIb3DQEHAaCCBf0EggX5
MIIF9TCCBfEGCyqGSIb3DQEMCgECoIIE/jCCBPowHAYKKoZIhvcNAQwBAzAOBAijQh1kbOZOYQIC
B9AEggTY+wDp3V31Lh7f8YrsqEsyGZ+GlYvFhLWvDASjisYJi5NlQ0ONbf0KOXHVSvBj3tVyuHm4
Expand Down Expand Up @@ -221,6 +225,7 @@ public class ClientCertificateHelper
private readonly X509Certificate2 _cert_KeyUsageIncludesDigitalSignature_EKUIncludesClientAuth_NoPrivateKey =
new X509Certificate2(
Convert.FromBase64String(
// [SuppressMessage("Microsoft.Security", "CS002:SecretInNextLine", Justification="Dummy certificate for testing.")]
@"MIIDFjCCAf6gAwIBAgIQTm8+EF94L4FJ0nBFl5LICzANBgkqhkiG9w0BAQsFADAb
MRkwFwYDVQQDDBB1c2VyQGV4YW1wbGUuY29tMCAXDTE1MTAwNTEwMDMwMFoYDzIx
MTUxMDA1MTAwMzAwWjAbMRkwFwYDVQQDDBB1c2VyQGV4YW1wbGUuY29tMIIBIjAN
Expand Up @@ -663,6 +663,7 @@ await TestHelper.WhenAllCompletedOrAnyFailed(

[Theory]
[InlineData("Age", "1")]
// [SuppressMessage("Microsoft.Security", "CS002:SecretInNextLine", Justification="Unit test dummy authorisation header.")]
[InlineData("Authorization", "Basic YWxhZGRpbjpvcGVuc2VzYW1l")]
[InlineData("Cache-Control", "no-cache")]
[InlineData("Content-Encoding", "gzip")]
Expand Down Expand Up @@ -1519,7 +1520,7 @@ public async Task ProxyAuth_SameConnection_Succeeds()

using (var handler = new HttpClientHandler())
{
handler.Proxy = new UseSpecifiedUriWebProxy(proxyUrl, new NetworkCredential("abc", "def"));
handler.Proxy = new UseSpecifiedUriWebProxy(proxyUrl, new NetworkCredential("abc", "password"));

using (HttpClient client = CreateHttpClient(handler))
{
Expand Up @@ -293,7 +293,7 @@ public void TestMailDelivery()
{
using var server = new LoopbackSmtpServer();
using SmtpClient client = server.CreateClient();
client.Credentials = new NetworkCredential("Foo", "Bar");
client.Credentials = new NetworkCredential("foo", "bar");
MailMessage msg = new MailMessage("foo@example.com", "bar@example.com", "hello", "howdydoo");

client.Send(msg);
Expand All @@ -303,8 +303,8 @@ public void TestMailDelivery()
Assert.Equal("hello", server.Message.Subject);
Assert.Equal("howdydoo", server.Message.Body);
Assert.Equal(GetClientDomain(), server.ClientDomain);
Assert.Equal("Foo", server.Username);
Assert.Equal("Bar", server.Password);
Assert.Equal("foo", server.Username);
Assert.Equal("bar", server.Password);
Assert.Equal("LOGIN", server.AuthMethodUsed, StringComparer.OrdinalIgnoreCase);
}
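Review bot: Nothing at the call site says why the credentials changed from "Foo"/"Bar" to "foo"/"bar"; it looks like the new literal is chosen to match the `"\"bar\""` placeholder listed for `SmtpClientTest.cs` in `CredScanSuppressions.json`, though that is inferred. A short comment above the `NetworkCredential` line, such as `// "bar" is a placeholder listed in .config/CredScanSuppressions.json; keep in sync`, would stop a later edit from reintroducing a scanner finding. The two `Assert.Equal` lines were updated consistently with the new values.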

Expand Up @@ -499,6 +499,7 @@ protected override PipelineEntry[] BuildCommandsList(WebRequest req)
if (domainUserName.Length == 0 && password.Length == 0)
{
domainUserName = "anonymous";
// [SuppressMessage("Microsoft.Security", "CS002:SecretInNextLine", Justification="Anonymous FTP credential in production code.")]
password = "anonymous@";
}
