Assess security risk detected on source code - Rebex.Zip.xml and Rebex.Common.xml

0 votes
asked Dec 7, 2021 by ngtere (150 points)

Dear Rebex Support,

We executed Fortify Static Code Analyzer to report to the client the security risks in the code (e.g. password management issues). Some may not be real risks as long as we explain/justify how the program works; however, if there is a risk we may implement some control measures to mitigate the exposure.

Fortify SCA found 12 issues in Rebex Zip, all of them in the category "Password in Configuration File" for Rebex.Zip.xml and Rebex.Common.xml.

Here is an example:

<member name="P:Rebex.IO.Compression.ZipArchive.Password">
  <summary>
        Gets or sets a password. Null reference (Nothing in Visual Basic) means don't encrypt newly added files.
        </summary>
  <value>Password.</value>
  <remarks>If the password is set to a null reference (Nothing in Visual Basic) 
        the <see cref="E:Rebex.IO.Compression.ZipArchive.PasswordRequired" /> event is fired when extracting encrypted file.</remarks>
  <exception cref="T:Rebex.IO.Compression.ZipException">Password cannot be encoded using the current charset.</exception>
</member>

We need your help to advise how the value "Password." is used within the code and what the overall *.xml file is used for.

With your explanation, we hope to assess the level of risk of the 12 issues and take further action (if required).

Should you need more info, feel free to let me know.

Many thanks in advance for your help!

Best Regards,
Teresa

1 Answer

0 votes
answered Dec 7, 2021 by Lukas Pokorny (128,250 points)
selected Dec 8, 2021 by ngtere
 
Best answer

Hello, you are actually running a code analyzer on documentation files.

Rebex.Zip.xml and Rebex.Common.xml are API documentation files in the machine-readable format specified by the .NET Framework. They are generated by the C# compiler, and are used by Visual Studio and other tools to provide IntelliSense code-completion aid, or to generate human-readable documentation.

Those XML documentation files are not configuration files, and they are not code either. They are not needed (or used) by the Rebex DLL files at all, and they are actually not even supposed to be redistributed with your application (unlike the DLLs). If these XML files bother you, you can simply delete them from your installation - you won't lose any Rebex functionality (just IntelliSense in Visual Studio and other IDEs will stop working).

The <value>Password.</value> simply indicates that the value of the Rebex.IO.Compression.ZipArchive.Password property actually represents a password. See this API doc entry for the API documentation generated from the .XML file for the Rebex.IO.Compression.ZipArchive.Password property.
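A reviewer who has to justify these 12 findings to a client can check them mechanically rather than by eye. The script below is an added example (not Rebex code and not part of the original answer): it parses a constructed excerpt modelled on the Rebex.Zip.xml entry quoted in the question, confirms the file has the <doc>/<assembly>/<members> shape the C# compiler emits, decodes the member ID prefix (P: is a property, E: an event, and so on), and reports that the <value> element holds only description text and no child elements. The sample XML, the `triage` function and the verdict strings are all assumptions of this example.

```python
"""Triage "Password in Configuration File" findings raised on .NET XML
documentation files. Added example, not Rebex code; the sample document
below is constructed to mirror the entry quoted in the question."""
import xml.etree.ElementTree as ET

# Constructed sample in the shape of a C# compiler-generated documentation file.
SAMPLE_DOC_XML = """<doc>
  <assembly><name>Rebex.Zip</name></assembly>
  <members>
    <member name="T:Rebex.IO.Compression.ZipArchive">
      <summary>Represents a ZIP archive.</summary>
    </member>
    <member name="P:Rebex.IO.Compression.ZipArchive.Password">
      <summary>Gets or sets a password. Null reference (Nothing in Visual Basic)
        means don't encrypt newly added files.</summary>
      <value>Password.</value>
      <remarks>If the password is set to a null reference (Nothing in Visual Basic)
        the <see cref="E:Rebex.IO.Compression.ZipArchive.PasswordRequired" /> event
        is fired when extracting encrypted file.</remarks>
      <exception cref="T:Rebex.IO.Compression.ZipException">Password cannot be
        encoded using the current charset.</exception>
    </member>
    <member name="E:Rebex.IO.Compression.ZipArchive.PasswordRequired">
      <summary>Occurs when a password is needed to extract an encrypted file.</summary>
    </member>
  </members>
</doc>
"""

# Documentation-comment ID string prefixes defined by the C# language specification.
ID_KINDS = {"N": "namespace", "T": "type", "F": "field", "P": "property",
            "M": "method", "E": "event", "!": "error"}

# Tags the C# compiler emits from /// comments. None of them carries a runtime
# value; they are descriptions of the API member they are attached to.
DOC_TAGS = {"summary", "value", "remarks", "exception", "see", "seealso", "param",
            "returns", "typeparam", "example", "code", "c", "para", "list", "item",
            "term", "description", "paramref", "typeparamref", "inheritdoc", "include"}


def is_compiler_doc_file(root):
    """True when the document has the <doc>/<assembly>/<members> layout that
    the C# compiler writes for a /doc output file."""
    return (root.tag == "doc"
            and root.find("assembly/name") is not None
            and root.find("members") is not None)


def classify_member(member, file_ok):
    """Describe one <member> entry and decide whether a credential finding on
    it is just documentation text."""
    name = member.get("name", "")
    kind = ID_KINDS.get(name[0], "unknown") if len(name) > 1 and name[1] == ":" else "unknown"
    # Every element nested under <member>; the first item of iter() is <member> itself.
    tags = [el.tag for el in list(member.iter())[1:]]
    unexpected = sorted(set(tags) - DOC_TAGS)
    value_el = member.find("value")
    value_text = (value_el.text or "").strip() if value_el is not None else ""
    # A <value> holding only prose (no nested elements) is a description of the
    # property's value, not a stored value.
    value_is_prose = value_el is None or len(list(value_el)) == 0
    verdict = ("documentation" if file_ok and not unexpected and value_is_prose
               else "review")
    return {"id": name, "kind": kind, "value_text": value_text,
            "unexpected_tags": unexpected, "verdict": verdict}


def triage(xml_text, keyword="password"):
    """Return triage records for every <member> whose ID mentions the keyword
    (case-insensitive), in document order."""
    root = ET.fromstring(xml_text)
    file_ok = is_compiler_doc_file(root)
    records = []
    for member in root.iterfind("members/member"):
        if keyword.lower() in member.get("name", "").lower():
            records.append(classify_member(member, file_ok))
    return records


if __name__ == "__main__":
    for rec in triage(SAMPLE_DOC_XML):
        print(f"{rec['id']}: {rec['kind']}, <value>={rec['value_text']!r}, "
              f"unexpected={rec['unexpected_tags']}, verdict={rec['verdict']}")
```

Run against the real Rebex.Zip.xml and Rebex.Common.xml, the same `triage` call yields one record per Fortify finding; a "documentation" verdict, together with the fact that the file is not loaded by the DLLs, is the justification to attach to the finding. Any "review" verdict would point at an element the compiler does not emit and is worth a manual look.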

commented Dec 8, 2021 by ngtere (150 points)
Thank you Lukas! Very clear answer.