From 94598a46ae59ca75413fb09f6f9cc34967c02d08 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Wed, 4 Feb 2026 23:11:47 +0000
Subject: [PATCH 1/5] Initial plan
From 791e7a963bca08453a554868f660a33416f89843 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Wed, 4 Feb 2026 23:17:37 +0000
Subject: [PATCH 2/5] Fix DS126858 false positive for --nomd5 flag
Co-authored-by: gfs <98900+gfs@users.noreply.github.com>
---
 .gitignore | 1 +
 .../security/cryptography/hash_algorithm.json | 15 +++++++++------
 2 files changed, 10 insertions(+), 6 deletions(-)
diff --git a/.gitignore b/.gitignore
index 74920eab..4f04ca05 100644
--- a/.gitignore
+++ b/.gitignore
@@ -297,3 +297,4 @@ asa.sqlite
 *asa.log.txt
 *.sqlite
 *.litedb
+DevSkim-DotNet/nuget.config
diff --git a/rules/default/security/cryptography/hash_algorithm.json b/rules/default/security/cryptography/hash_algorithm.json
index 6b98d740..085884b6 100644
--- a/rules/default/security/cryptography/hash_algorithm.json
+++ b/rules/default/security/cryptography/hash_algorithm.json
@@ -13,7 +13,7 @@
 "rule_info": "DS126858.md",
 "patterns": [
 {
- "pattern": "(MD2|MD4|MD5|RIPEMD|RIPEMD(128|256|160|320)|(SHA0|SHA-0|SHA1|SHA-1))",
+ "pattern": "(?
Date: Wed, 4 Feb 2026 23:19:36 +0000
Subject: [PATCH 3/5] Add word boundaries to negative lookbehind patterns
Co-authored-by: gfs <98900+gfs@users.noreply.github.com>
---
 .../default/security/cryptography/hash_algorithm.json | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/rules/default/security/cryptography/hash_algorithm.json b/rules/default/security/cryptography/hash_algorithm.json
index 085884b6..abd6871c 100644
--- a/rules/default/security/cryptography/hash_algorithm.json
+++ b/rules/default/security/cryptography/hash_algorithm.json
@@ -13,7 +13,7 @@
 "rule_info": "DS126858.md",
 "patterns": [
 {
- "pattern": "(?
Date: Thu, 12 Feb 2026 21:03:53 +0000
Subject: [PATCH 4/5] Revert .gitignore change for DevSkim-DotNet/nuget.config
Co-authored-by: gfs <98900+gfs@users.noreply.github.com>
---
 .gitignore | 1 -
 1 file changed, 1 deletion(-)
diff --git a/.gitignore b/.gitignore
index 4f04ca05..74920eab 100644
--- a/.gitignore
+++ b/.gitignore
@@ -297,4 +297,3 @@ asa.sqlite
 *asa.log.txt
 *.sqlite
 *.litedb
-DevSkim-DotNet/nuget.config
From c19e2a376327c099d4c863598429f30e737bf26f Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Thu, 12 Feb 2026 21:22:51 +0000
Subject: [PATCH 5/5] Add changelog entry for DS126858 false positive fix
Co-authored-by: gfs <98900+gfs@users.noreply.github.com>
---
 Changelog.md | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/Changelog.md b/Changelog.md
index 7388dbc2..0a3d615b 100644
--- a/Changelog.md
+++ b/Changelog.md
@@ -4,6 +4,10 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+## [1.0.72] - 2026-02-12
+### Fix
+- Fixed DS126858 rule (Weak/Broken Hash Algorithm) false positive when MD5 is explicitly disabled via flags like `--nomd5`, `nomd5`, `no-md5`, `no_md5`, or `disable_md5_check`
+
 ## [1.0.71] - 2026-02-03
 ### Fix
 - Fixed invalid JSON in package.json (trailing comma in scripts section) that caused npm parse errors in Azure DevOps pipeline