
Syncfusion Package failing Security Vulnerability scan

We have developed a solution which is failing during the security scan.


Summary

Empty encryption keys can compromise security in a way that cannot be easily remedied.

Explanation

It is never a good idea to use an empty encryption key because it significantly reduces the protection afforded by a good encryption algorithm, and it also makes fixing the problem extremely difficult. After the offending code is in production, the empty encryption key cannot be changed without patching the software. If an account that is protected by the empty encryption key is compromised, the owners of the system must choose between security and availability.


In this case, the empty encryption key is located in main.js on line 37237.

Example 1: The following code performs AES encryption using an empty encryption key:


...
var crypto = require('crypto');
var encryptionKey = "";
var algorithm = 'aes-256-ctr';
var cipher = crypto.createCipher(algorithm, encryptionKey);


The error we get in the code is for the method below in Data Manager:

/**
 * Query class is used to build query which is used by the DataManager to communicate with datasource.
 */
var Query = /** @__PURE__ @class */function () {
  /**
   * Constructor for Query class.
   * @param  {string|string[]} from?
   * @hidden
   */
  function Query(from) {
    /** @hidden */
    this.subQuery = null;
    /** @hidden */
    this.isChild = false;
    /** @hidden */
    this.distincts = [];
    this.queries = [];
    this.key = '';
    this.fKey = '';
    if (typeof from === 'string') {
      this.fromTable = from;
    } else if (from && from instanceof Array) {
      this.lookups = from;
    }
    this.expands = [];
    this.sortedColumns = [];
    this.groupedColumns = [];
    this.subQuery = null;
    this.isChild = false;
    this.params = [];
    this.lazyLoad = [];
    return this;
  }


3 Replies 1 reply marked as answer

Farveen Sulthana Thameeztheen Basha (Syncfusion Team) May 1, 2023 08:13 AM UTC

Hi Parth Rawal,


Greetings from Syncfusion.


Before proceeding with this query, we need some additional details to find the cause of the issue. Please share the following details.


  1. In which component have you faced the reported vulnerability issue? (Share the exact file details.)
  2. A detailed explanation of the issue you have faced.
  3. A video demo to replicate the problem.
  4. The replication steps.


Regards,

Farveen Sulthana T



PDev May 10, 2023 06:45 AM UTC

Getting an error in the Fortify scan when uploading the Angular build.

Error: Empty encryption keys can compromise security in a way that cannot be easily remedied.

https://vulncat.fortify.com/en/detail?id=desc.semantic.java.key_management_empty_encryption_key#JavaScript%2FTypeScript

The error comes in the Angular build main.js file.

I could not find the exact package, but I can share the error line and its parent function or class.

Error 1

--

/**
 * Query class is used to build query which is used by the DataManager to communicate with datasource.
 */
var Query = /** @__PURE__ @class */function () {
  /**
   * Constructor for Query class.
   * @param  {string|string[]} from?
   * @hidden
   */
  function Query(from) {
    this.key = ''; // error line
  }
}

Error 2

--

/**
 * The `Search` module is used to handle search action.
 */
var Search = /** @__PURE__ @class */function () {
  /**
   * Constructor for Grid search module.
   *
   * @param {IGrid} parent - specifies the IGrid
   * @hidden
   */
  function Search(parent) {
    this.parent = parent;
    this.addEventListener();
  }
  /**
   * Searches Grid records by given key.
   *
   * > You can customize the default search action by using [`searchSettings`](grid/#searchsettings/).
   *
   * @param  {string} searchString - Defines the key.
   * @returns {void}
   */
  /**
   * The function used to store the requestType
   *
   * @param {NotifyArgs} e - specifies the NotifyArgs
   * @returns {void}
   * @hidden
   */
  Search.prototype.cancelBeginEvent = function (e) {
    if (e.requestType === 'searching') {
      this.parent.setProperties({
        searchSettings: {
          key: '' // error line
        }
      }, true);
    }
  };

Error 3

--

/**
 * Represents the Grid component.
 * ```html
 * <div id="grid"></div>
 * <script>
 *  var gridObj = new Grid({ allowPaging: true });
 *  gridObj.appendTo("#grid");
 * </script>
 * ```
 */
var Grid = /** @__PURE__ @class */function (_super) {
  __extends$1(Grid, _super);
  /**
   * Constructor for creating the component
   *
   * @param {GridModel} options - specifies the options
   * @param {string | HTMLElement} element - specifies the element
   * @hidden
   */
  function Grid(options, element) {
    var _this = _super.call(this, options, element) || this;
  }
  /**
   * @hidden
   * @returns {void}
   */
  Grid.prototype.clearGridActions = function () {
    this.setProperties({
      searchSettings: {
        key: ''  // error line
      }
    }, true);
  }
}



Pavithra Subramaniyam (Syncfusion Team) May 15, 2023 10:43 AM UTC

Hi PDev,


Fortify will consider even a variable named “key” as a hardcoded encryption key. In the shared code, the “key” is provided as a variable only, not an encryption key. Please refer to the reference links below for more information.


https://stackoverflow.com/questions/56897249/fortify-complaints-hardcoded-encryption-key-mozila-pdf-js

https://stackoverflow.com/questions/58302910/key-management-hardcoded-encryption-key-for-chart-js


Regards,

Pavithra S


Marked as answer
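To make the distinction in the answer above concrete, here is an added example (not Syncfusion's code and not a reproduction of Fortify's own rules) of a toy scanner that applies two rules to snippets constructed from the code quoted in this thread: a naive rule that reports any key-like name assigned an empty string literal, and a stricter rule that reports it only when that name is actually passed to a Node crypto cipher constructor. The naive rule reproduces the thread's findings; the stricter rule keeps Fortify's Example 1 and drops the Syncfusion search-key assignments.

```javascript
// Added example (not Fortify's rules and not Syncfusion code): a toy scanner
// that contrasts the naive "empty key" rule described in the reply above
// with a rule that only reports a key when it actually reaches a cipher call.
// Snippets are constructed from the code quoted in this thread.

// Naive rule: any identifier or property ending in "key" (case-insensitive)
// assigned an empty string literal. This reproduces the false positives in
// the thread as well as the genuine finding.
const EMPTY_KEY_ASSIGNMENT = /\b(\w*key)\s*[:=]\s*(['"`])\2/gi;

// Sink rule: argument lists of the Node crypto cipher constructors.
const CIPHER_CALL = /\bcreate(?:De)?Cipher(?:iv)?\s*\(([^)]*)\)/g;

function lineOf(source, index) {
  return source.slice(0, index).split('\n').length;
}

// Collect every empty-string assignment to a key-like name.
function findEmptyKeyAssignments(source) {
  const hits = [];
  EMPTY_KEY_ASSIGNMENT.lastIndex = 0;
  let m;
  while ((m = EMPTY_KEY_ASSIGNMENT.exec(source)) !== null) {
    hits.push({ name: m[1], line: lineOf(source, m.index) });
  }
  return hits;
}

// Does the named value appear as an argument to a cipher constructor?
// Matching on the bare name or a trailing ".name" keeps this to a simple
// text check; a real analyser tracks data flow through renames and calls.
function reachesCipherCall(source, name) {
  CIPHER_CALL.lastIndex = 0;
  let m;
  while ((m = CIPHER_CALL.exec(source)) !== null) {
    const args = m[1].split(',').map(a => a.trim());
    if (args.some(a => a === name || a.endsWith('.' + name))) return true;
  }
  return false;
}

// requireCryptoSink=false is the naive rule; true only keeps assignments
// whose value is consumed by a cipher.
function scan(source, { requireCryptoSink }) {
  return findEmptyKeyAssignments(source)
    .filter(h => !requireCryptoSink || reachesCipherCall(source, h.name))
    .map(h => `${h.name} assigned empty string at line ${h.line}`);
}

// Constructed samples. The first is Fortify's Example 1 from the post; the
// other two are the Syncfusion lines PDev reported.
const FORTIFY_EXAMPLE = [
  "var crypto = require('crypto');",
  'var encryptionKey = "";',
  "var algorithm = 'aes-256-ctr';",
  'var cipher = crypto.createCipher(algorithm, encryptionKey);',
].join('\n');

const SYNCFUSION_QUERY = [
  'function Query(from) {',
  '  this.queries = [];',
  "  this.key = '';",
  '}',
].join('\n');

const SYNCFUSION_SEARCH = [
  'Search.prototype.cancelBeginEvent = function (e) {',
  "  if (e.requestType === 'searching') {",
  "    this.parent.setProperties({ searchSettings: { key: '' } }, true);",
  '  }',
  '};',
].join('\n');

// Run both rules over each sample so the difference is visible side by side.
function triage() {
  const samples = { FORTIFY_EXAMPLE, SYNCFUSION_QUERY, SYNCFUSION_SEARCH };
  const report = {};
  for (const [label, src] of Object.entries(samples)) {
    report[label] = {
      naive: scan(src, { requireCryptoSink: false }),
      withSink: scan(src, { requireCryptoSink: true }),
    };
  }
  return report;
}

console.log(JSON.stringify(triage(), null, 2));
```

When triaging such a finding, the question to answer is the one the stricter rule asks: does the flagged value ever reach an encryption API? For DataManager's Query.key and the Grid searchSettings.key it does not, which is the basis for treating the report as a false positive; for Fortify's own Example 1 it does, and the finding stands.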