Dear Rebex Support,
We executed Fortify Static Code Analyzer to report to the client the security risks in the code (e.g. password management issues). Some may not be real risks as long as we explain/justify how the program works; however, if there is a risk, we may implement some control measures to mitigate the exposure.
Fortify SCA found 12 issues on Rebex Zip, all of them in the category "Password in Configuration File" for Rebex.Zip.xml and Rebex.Common.xml.
Here is an example:
<member name="P:Rebex.IO.Compression.ZipArchive.Password">
<summary>
Gets or sets a password. Null reference (Nothing in Visual Basic) means don't encrypt newly added files.
</summary>
<value>Password.</value>
<remarks>If the password is set to a null reference (Nothing in Visual Basic)
the <see cref="E:Rebex.IO.Compression.ZipArchive.PasswordRequired" /> event is fired when extracting encrypted file.</remarks>
<exception cref="T:Rebex.IO.Compression.ZipException">Password cannot be encoded using the current charset.</exception>
</member>
We need your help to advise how the value "Password." is used within the code and what the overall *.xml file is used for.
With your explanation, we hope to assess the level of risk of the 12 issues and take further actions (if required).
Should you need more info, feel free to let me know.
Many thanks in advance for your help!
Best Regards,
Teresa
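A triage check for findings of this kind (an added example, not Rebex's code or the poster's): it assumes Rebex.Zip.xml follows the XML documentation format the C# compiler emits (root `<doc>` with `<assembly>` and `<members>` children, member names prefixed T:/P:/M:/F:/E:), tells such a file apart from an application configuration file, and lists the `<value>` text of password-related members so a reviewer can see what the scanner actually matched.

```python
import xml.etree.ElementTree as ET
from typing import List, Tuple

# Constructed sample: the <member> element quoted in the post, wrapped in the
# root structure the C# compiler emits for an XML documentation file.
SAMPLE_DOC_XML = """<?xml version="1.0"?>
<doc>
  <assembly><name>Rebex.Zip</name></assembly>
  <members>
    <member name="P:Rebex.IO.Compression.ZipArchive.Password">
      <summary>Gets or sets a password. Null reference (Nothing in Visual Basic) means don't encrypt newly added files.</summary>
      <value>Password.</value>
      <remarks>If the password is set to a null reference (Nothing in Visual Basic)
      the <see cref="E:Rebex.IO.Compression.ZipArchive.PasswordRequired" /> event is fired when extracting encrypted file.</remarks>
      <exception cref="T:Rebex.IO.Compression.ZipException">Password cannot be encoded using the current charset.</exception>
    </member>
  </members>
</doc>
"""

# Constructed sample of a real application configuration file, for contrast.
SAMPLE_APP_CONFIG = "<configuration><appSettings><add key='Password' value='hunter2'/></appSettings></configuration>"

# Prefixes the C# compiler uses in member names:
# N=namespace, T=type, P=property, M=method, F=field, E=event.
MEMBER_PREFIXES = ("N:", "T:", "P:", "M:", "F:", "E:")


def is_dotnet_doc_file(xml_text: str) -> bool:
    """True if the XML has the shape of a compiler-generated documentation file."""
    root = ET.fromstring(xml_text)
    if root.tag != "doc" or root.find("assembly/name") is None:
        return False
    members = root.find("members")
    if members is None:
        return False
    # Every <member> must carry a compiler-style name; otherwise treat as unknown.
    return all(m.get("name", "").startswith(MEMBER_PREFIXES) for m in members.findall("member"))


def password_members(xml_text: str) -> List[Tuple[str, str]]:
    """List (member name, <value> text) for members whose name mentions 'password'."""
    root = ET.fromstring(xml_text)
    hits = []
    for m in root.iter("member"):
        name = m.get("name", "")
        if "password" in name.lower():
            value = m.find("value")
            hits.append((name, (value.text or "").strip() if value is not None else ""))
    return hits
```

Run `is_dotnet_doc_file` on each flagged file first; for documentation files, `password_members` shows that the matched text is the property's description rather than a stored secret.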