We have developed a solution which is failing during a security scan.
Summary
Empty encryption keys can compromise security in a way that cannot be easily remedied.
Explanation
It is never a good idea to use an empty encryption key because it significantly reduces the protection afforded by a good encryption algorithm, and it also makes fixing the problem extremely difficult. After the offending code is in production, the empty encryption key cannot be changed without patching the software. If an account that is protected by the empty encryption key is compromised, the owners of the system must choose between security and availability.
In this case, the empty encryption key is located in main.js on line 37237.
Example 1: The following code performs AES encryption using an empty encryption key:
...
var crypto = require('crypto');
// An empty string used as key material: this is the pattern the scanner finding describes.
var encryptionKey = "";
var algorithm = 'aes-256-ctr';
// Node's createCipher (deprecated) derives the actual key from this "password" argument with no salt,
// so an empty string produces the same fixed, trivially recoverable key in every deployment and it
// cannot be rotated without shipping new code.
var cipher = crypto.createCipher(algorithm, encryptionKey);
The error we get in the code is for the method below in Data Manager.
/**
* Query class is used to build query which is used by the DataManager to communicate with datasource.
*/
var Query = /** @__PURE__ @class */function () {
/**
* Constructor for Query class.
* @param {string|string[]} from?
* @hidden
*/
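function Query(from) {
    /** @hidden */
    this.subQuery = null;
    /** @hidden */
    this.isChild = false;
    /** @hidden */
    this.distincts = [];
    this.queries = [];
    // Scanner note: `key` and `fKey` are query-builder fields initialised to the empty string.
    // Nothing in this constructor passes them to a cryptographic API, so the "empty encryption
    // key" finding on this line is a name-based false positive as far as the visible code goes.
    this.key = '';
    this.fKey = '';
    // `from` selects the table by name, or supplies a list of lookups when given as an array.
    if (typeof from === 'string') {
        this.fromTable = from;
    } else if (Array.isArray(from)) {
        this.lookups = from;
    }
    this.expands = [];
    this.sortedColumns = [];
    this.groupedColumns = [];
    // The original re-assigned subQuery/isChild here with the same values; dropped as redundant.
    this.params = [];
    this.lazyLoad = [];
    return this;
}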
Hi Parth Rawal,
Greetings from Syncfusion.
Before proceeding with this query, we need some additional details to find the cause of the issue. Please share the following details with us.
Regards,
Farveen sulthana T
We are getting an error in the Fortify scan when uploading the Angular build.
Error: Empty encryption keys can compromise security in a way that cannot be easily remedied.
I could not find the exact package, but I can share the error line and its parent function or class.
Error 1
--
/**
* Query class is used to build query which is used by the DataManager to communicate with datasource.
*/
var Query = /** @__PURE__ @class */function () {
/**
* Constructor for Query class.
* @param {string|string[]} from?
* @hidden
*/
function Query(from) {
// Flagged by the scanner as an "empty encryption key". In this excerpt `key` is a plain field
// initialised to the empty string and is not passed to any cryptographic API.
// NOTE(review): the excerpt is trimmed to the flagged line; confirm against the full constructor
// that `key` is never used as key material before suppressing the finding.
this.key = ''; // error line
}
// NOTE(review): excerpt ends without `return Query;` or the factory invocation; presumably trimmed by the poster.
}
Error 2
--
/**
* The `Search` module is used to handle search action.
*/
var Search = /** @__PURE__ @class */function () {
/**
* Constructor for Grid search module.
*
* @param {IGrid} parent - specifies the IGrid
* @hidden
*/
function Search(parent) {
this.parent = parent;
// Defined on the prototype outside this excerpt; presumably registers the module's
// event handlers and may read `this.parent`, so it must run after the assignment above.
this.addEventListener();
}
/**
* Searches Grid records by given key.
*
* > You can customize the default search action by using [`searchSettings`](grid/#searchsettings/).
*
* @param {string} searchString - Defines the key.
* @returns {void}
*/
/**
* The function used to store the requestType
*
* @param {NotifyArgs} e - specifies the NotifyArgs
* @returns {void}
* @hidden
*/
Search.prototype.cancelBeginEvent = function (e) {
    // Only a cancelled search needs its state reset.
    if (e.requestType !== 'searching') {
        return;
    }
    // `searchSettings.key` is the text the user searched for (see `searchString` in the search
    // docs above), not cryptographic key material; the empty string means "no active search".
    // This is the line the scanner flags as an "empty encryption key".
    var clearedSearch = { searchSettings: { key: '' } }; // error line
    this.parent.setProperties(clearedSearch, true);
};
Error 3
--
/**
* Represents the Grid component.
* ```html
* <div id="grid"></div>
* <script>
* var gridObj = new Grid({ allowPaging: true });
* gridObj.appendTo("#grid");
* </script>
* ```
*/
var Grid = /** @__PURE__ @class */function (_super) {
__extends$1(Grid, _super);
/**
* Constructor for creating the component
*
* @param {GridModel} options - specifies the options
* @param {string | HTMLElement} element - specifies the element
* @hidden
*/
function Grid(options, element) {
var _this = _super.call(this, options, element) || this;
// NOTE(review): the excerpt stops here, leaving `_this` unused; the full constructor
// presumably continues and returns `_this`, as this transpiled pattern normally does.
}
/**
* Resets `searchSettings.key` to the empty string (the only action visible in this excerpt).
* @hidden
* @returns {void}
*/
Grid.prototype.clearGridActions = function () {
// `searchSettings.key` holds the user's search string (see the `Search` module above);
// clearing it means "no active search". It is not an encryption key, which is why the
// scanner's "empty encryption key" finding on this line is a name-based false positive.
this.setProperties({
searchSettings: {
key: '' // error line
}
}, true);
}
}
Hi PDev,
Fortify will flag even a variable named “key” as a hardcoded encryption key. In the shared code, “key” is only a variable name, not an encryption key; none of the flagged values is passed to a cryptographic API, so the finding can be suppressed as a false positive with that justification. Please refer to the reference link below for more information.
https://stackoverflow.com/questions/58302910/key-management-hardcoded-encryption-key-for-chart-js
Regards,
Pavithra S