From d27be3db47e314aedc7eb4d41f9187cf93d948d6 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Wed, 6 May 2026 18:45:22 +0000
Subject: [PATCH 1/3] Initial plan

From 658e827917a2a4bfc2b19dd5049c25e4494503ae Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Wed, 6 May 2026 18:56:52 +0000
Subject: [PATCH 2/3] Fix DS440010 XML substring false positive and add negative self-test

Agent-Logs-Url: https://github.com/microsoft/DevSkim/sessions/7520ac06-fa3a-479a-970b-eb806c2620e8
Co-authored-by: gfs <98900+gfs@users.noreply.github.com>
---
 Changelog.md | 6 +++++-
 rules/default/security/cryptography/hardcoded_tls.json | 5 ++++-
 2 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/Changelog.md b/Changelog.md
index e6be5c9a..06598a68 100644
--- a/Changelog.md
+++ b/Changelog.md
@@ -4,6 +4,11 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+## [1.0.82] - 2026-05-06
+### Fix
+- Narrowed DES weak-cipher detection rule DS106863 to require standalone `DES` token matching, avoiding false positives when `DES` only appears as a substring in larger XML identifiers.
+- Added a negative built-in self-test case for XML identifier `SCPDES_ANNO_SHAPE_1` to prevent regressions.
+
 ## [1.0.81] - 2026-04-16
 ### Pipeline
 - Updates to fix release pipeline for VSCode extension.
@@ -440,4 +445,3 @@ New: `devskim analyze -I path/to/src -O path/to/out.sarif`
 ### Fixes
 - Rule improvements and DevSkim engine performance and reliablity improvements.
-
diff --git a/rules/default/security/cryptography/hardcoded_tls.json b/rules/default/security/cryptography/hardcoded_tls.json
index 938a870f..0ed273cf 100644
--- a/rules/default/security/cryptography/hardcoded_tls.json
+++ b/rules/default/security/cryptography/hardcoded_tls.json
@@ -78,6 +78,9 @@
 "severity": "important",
 "_comment": "Applies to all languages since many just wrap OpenSSL constructs.",
 "rule_info": "DS440000.md",
+ "must-not-match": [
+ ""
+ ],
 "patterns": [
 {
 "pattern": "SSLv2?3_method|D?TLSv1_([123]_)?(client_|server_)?method",
@@ -127,7 +130,7 @@
 "_comment": "OpenSSL extension / options"
 },
 {
- "pattern": "(AES|DH|DHE|ADH|CAMELLIA|EDH|EXP|DES|IDEA|RC4|NULL|GOST|EXP|ECDH|ECDHE|AECDH|PSK|SSL|RSA|TLS)_?([A-Z0-9]+_)+((SHA[0-9]*)|(MD5)|(GOST)[[A-Z0-9\\-]*)",
+ "pattern": "(?
Date: Wed, 6 May 2026 18:57:32 +0000
Subject: [PATCH 3/3] Fix changelog rule ID reference for DS440010 update

Agent-Logs-Url: https://github.com/microsoft/DevSkim/sessions/7520ac06-fa3a-479a-970b-eb806c2620e8
Co-authored-by: gfs <98900+gfs@users.noreply.github.com>
---
 Changelog.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Changelog.md b/Changelog.md
index 06598a68..416b26fe 100644
--- a/Changelog.md
+++ b/Changelog.md
@@ -6,7 +6,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ## [1.0.82] - 2026-05-06
 ### Fix
-- Narrowed DES weak-cipher detection rule DS106863 to require standalone `DES` token matching, avoiding false positives when `DES` only appears as a substring in larger XML identifiers.
+- Narrowed OpenSSL hardcoded TLS detection rule DS440010 to require standalone token matching, avoiding false positives when `DES` only appears as a substring in larger XML identifiers.
 - Added a negative built-in self-test case for XML identifier `SCPDES_ANNO_SHAPE_1` to prevent regressions.
 ## [1.0.81] - 2026-04-16
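Review bot: The `must-not-match` entry added just before `"patterns"` in hardcoded_tls.json reads as the empty string `""` here, which would not exercise the narrowed pattern at all; the changelog names `SCPDES_ANNO_SHAPE_1` as the negative case, so the entry should carry that identifier in its XML form (an angle-bracketed element may simply have been stripped by this rendering, in which case only the rendering is misleading and the committed file is fine). A negative case alone does not protect the rule's recall: if the file has no `must-match` entries, pair the tightened pattern with at least one positive sample such as `"TLS_RSA_WITH_DES_CBC_SHA"` so a later change to the token-boundary assertion cannot silently stop DS440010 from firing. The second hunk's replacement pattern is truncated after `(?` in this view, so the new boundary logic itself could not be checked.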