We are using ClosedXML.dll in our application. We are mandated by our organization to scan our code on the Veracode site for a security scan. While running the scan we got __"Cross site scripting flaws in ClosedXML.dll"__.
Please advise to fix/overcome these flaws.
__Issue Details:__
__Cross-Site Scripting - Insufficient Entropy (CWE ID 331) - Cryptographic Issues__
__Module: ClosedXML.dll (Product Version 0.69.1.0)__
1) In closedxml_dll.
File name : ClosedXML.Excel.CalcEngine.MathTrig
Method Name : RandBetween
2) In closedxml_dll.
File name : ClosedXML.Excel.CalcEngine.MathTrig
Method Name : Rand
Comments: I am not sure how I feel about this. ClosedXML is not a crypto service by any means; we are not using random numbers for anything secure. According to this page http://www.dotnetperls.com/rngcryptoserviceprovider the crypto service is WAY slower than just Random. I don't think we should change our code. Ultimately these security scans should not trump everything; with any review by a decent developer you can clearly see this is not an issue. Even the screenshot says it is unlikely to be exploited. I think if you are using ClosedXML's random function in a cryptographic algorithm you have way bigger problems.
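To make the trade-off in this thread concrete, here is an added example (hypothetical code written for this issue, not ClosedXML's source) implementing a RANDBETWEEN-style function both ways: with `System.Random`, which is what a CWE-331 scanner flags, and with the CSPRNG-backed `RandomNumberGenerator.GetInt32` (.NET Core 3.0+/.NET 5+) that the scanner would accept. The `Main` times both so you can see the cost difference the maintainer refers to; the secure variant is only warranted when the value protects something (tokens, reset codes), not for a spreadsheet formula.

```csharp
using System;
using System.Diagnostics;
using System.Security.Cryptography;

// Hypothetical demo class, not part of ClosedXML.
static class RandBetweenDemo
{
    // Non-cryptographic PRNG: fine for spreadsheet formulas, sampling and test data.
    // Its output is predictable from its seed, which is exactly what CWE-331 is about.
    // Note: System.Random is not thread-safe; a shared instance needs a lock.
    private static readonly Random Fast = new Random();

    public static int RandBetweenFast(int lo, int hi)
    {
        CheckBounds(lo, hi);
        return Fast.Next(lo, hi + 1); // Next() treats the upper bound as exclusive
    }

    // CSPRNG-backed variant: the fix a scanner expects when the number guards
    // something sensitive. GetInt32 draws unbiased values (no modulo skew).
    public static int RandBetweenSecure(int lo, int hi)
    {
        CheckBounds(lo, hi);
        return RandomNumberGenerator.GetInt32(lo, hi + 1);
    }

    // Reject inverted ranges and the hi == int.MaxValue case, where hi + 1 would overflow.
    private static void CheckBounds(int lo, int hi)
    {
        if (lo > hi) throw new ArgumentException("lo must not exceed hi");
        if (hi == int.MaxValue) throw new ArgumentOutOfRangeException(nameof(hi));
    }

    static void Main()
    {
        const int n = 1_000_000;
        long sum = 0;

        var sw = Stopwatch.StartNew();
        for (int i = 0; i < n; i++) sum += RandBetweenFast(1, 100);
        sw.Stop();
        Console.WriteLine($"System.Random:          {sw.ElapsedMilliseconds} ms (sum {sum})");

        sum = 0;
        sw.Restart();
        for (int i = 0; i < n; i++) sum += RandBetweenSecure(1, 100);
        sw.Stop();
        Console.WriteLine($"RandomNumberGenerator:  {sw.ElapsedMilliseconds} ms (sum {sum})");
    }
}
```

Absolute timings depend on the machine and runtime, so read the output as a ratio rather than a fixed number.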