[3.1] Credscan followup

.config/CredScanSuppressions.json

@@ -0,0 +1,11 @@
+{
+    "tool": "Credential Scanner",
+    "suppressions": [
+        {
+            "_justification": "Certificate for SQL test server.",
+            "file": [
+                "src/System.Data.SqlClient/tests/Tools/TDS/TDS.Servers/TdsServerCertificate.pfx"
+            ]
+        }
+    ]
+}

src/Common/src/Interop/Windows/WinHttp/Interop.winhttp_types.cs

@@ -129,8 +129,10 @@ internal partial class WinHttp
         public const uint WINHTTP_AUTH_TARGET_PROXY = 0x00000001;
 
         public const uint WINHTTP_OPTION_USERNAME = 0x1000;
+        // [SuppressMessage("Microsoft.Security", "CS002:SecretInNextLine", Justification="It is property descriptor, not secret value.")]
         public const uint WINHTTP_OPTION_PASSWORD = 0x1001;
         public const uint WINHTTP_OPTION_PROXY_USERNAME = 0x1002;
+        // [SuppressMessage("Microsoft.Security", "CS002:SecretInNextLine", Justification="It is property descriptor, not secret value.")]
         public const uint WINHTTP_OPTION_PROXY_PASSWORD = 0x1003;
 
         public const uint WINHTTP_OPTION_SERVER_SPN_USED = 106;

src/Common/tests/System/Security/Cryptography/AlgorithmImplementations/EC/ECKeyFileTests.cs

@@ -172,6 +172,7 @@ public void ReadNistP521EncryptedPkcs8_Pbes2_Aes128_Sha384()
         public void ReadNistP521EncryptedPkcs8_Pbes2_Aes128_Sha384_PasswordBytes()
         {
             // PBES2, PBKDF2 (SHA384), AES128
+            // [SuppressMessage("Microsoft.Security", "CS002:SecretInNextLine", Justification="Test credentials.")]
             const string base64 = @"
 MIIBXTBXBgkqhkiG9w0BBQ0wSjApBgkqhkiG9w0BBQwwHAQI/JyXWyp/t3kCAggA
 MAwGCCqGSIb3DQIKBQAwHQYJYIZIAWUDBAECBBA3H8mbFK5afB5GzIemCCQkBIIB

src/Common/tests/System/Security/Cryptography/AlgorithmImplementations/RSA/RSAKeyFileTests.cs

@@ -764,6 +764,7 @@ public static void ReadPbes2Rc2EncryptedDiminishedDP()
         public static void ReadPbes2Rc2EncryptedDiminishedDP_PasswordBytes()
         {
             // PBES2: PBKDF2 + RC2-128
+            // [SuppressMessage("Microsoft.Security", "CS002:SecretInNextLine", Justification="Test credentials.")]
             const string base64 = @"
 MIIBrjBIBgkqhkiG9w0BBQ0wOzAeBgkqhkiG9w0BBQwwEQQIKZEFT76zCFECAggA
 AgEQMBkGCCqGSIb3DQMCMA0CAToECE1Yyzk6++IPBIIBYDDvaYLkET8eudcYLQMf
@@ -789,6 +790,7 @@ public static void ReadPbes2Rc2EncryptedDiminishedDP_PasswordBytes()
         [Fact]
         public static void ReadEncryptedDiminishedDP_EmptyPassword()
         {
+            // [SuppressMessage("Microsoft.Security", "CS002:SecretInNextLine", Justification="Test credentials.")]
             const string base64 = @"
 MIIBgTAbBgkqhkiG9w0BBQMwDgQIJtjMez/9Gg4CAggABIIBYElq9UOOphEPU3b7
 G/mV8M1uEdjigidMPih3b9IIJhrjMAEix2IjS+brFL7KRQgucpZZoaFU1utvkUHg
@@ -813,6 +815,7 @@ public static void ReadEncryptedDiminishedDP_EmptyPassword()
         [Fact]
         public static void ReadEncryptedDiminishedDP_EmptyPasswordBytes()
         {
+            // [SuppressMessage("Microsoft.Security", "CS002:SecretInNextLine", Justification="Test credentials.")]
             const string base64 = @"
 MIIBgTAbBgkqhkiG9w0BBQMwDgQIJtjMez/9Gg4CAggABIIBYElq9UOOphEPU3b7
 G/mV8M1uEdjigidMPih3b9IIJhrjMAEix2IjS+brFL7KRQgucpZZoaFU1utvkUHg

src/System.Data.SqlClient/src/System/Data/SqlClient/TdsEnums.cs

@@ -571,6 +571,7 @@ public enum FedAuthLibrary : byte
         // Login data validation Rules
         //
         internal const ushort MAXLEN_HOSTNAME = 128; // the client machine name
+        // [SuppressMessage("Microsoft.Security", "CS002:SecretInNextLine", Justification="Not a password.")]
         internal const ushort MAXLEN_USERNAME = 128; // the client user id
         internal const ushort MAXLEN_PASSWORD = 128; // the password supplied by the client
         internal const ushort MAXLEN_APPNAME = 128; // the client application name

src/System.DirectoryServices.AccountManagement/src/System/DirectoryServices/AccountManagement/constants.cs

@@ -96,6 +96,7 @@ private PropertyNames() { }
 
         // these two are not publicly exposed properties, but are used internally to track ResetPassword/ExpirePasswordNow
         // operations against unpersisted principals, so that they can be performed once the principal has been Saved
+        // [SuppressMessage("Microsoft.Security", "CS002:SecretInNextLine", Justification="Not a password.")]
         internal const string PwdInfoPassword = "AuthenticablePrincipal.PasswordInfo.Password";
         internal const string PwdInfoExpireImmediately = "AuthenticablePrincipal.PasswordInfo.ExpireImmediately";
     }

src/System.Net.Http/tests/FunctionalTests/HttpClientHandlerTest.cs

@@ -1046,6 +1046,7 @@ await LoopbackServer.CreateClientAndServerAsync(async uri =>
                 $"Accept-Patch:{fold} text/example;charset=utf-8{newline}" +
                 $"Accept-Ranges:{fold} bytes{newline}" +
                 $"Age: {fold}12{newline}" +
+                // [SuppressMessage("Microsoft.Security", "CS002:SecretInNextLine", Justification="Test credentials. Authorization header.")]
                 $"Authorization: Bearer 63123a47139a49829bcd8d03005ca9d7{newline}" +
                 $"Allow: {fold}GET, HEAD{newline}" +
                 $"Alt-Svc:{fold} http/1.1=\"http2.example.com:8001\"; ma=7200{newline}" +

src/System.Net.Http/tests/FunctionalTests/SocketsHttpHandlerTest.cs

@@ -677,6 +677,7 @@ await TestHelper.WhenAllCompletedOrAnyFailed(
 
         [Theory]
         [InlineData("Age", "1")]
+        // [SuppressMessage("Microsoft.Security", "CS002:SecretInNextLine", Justification="Test credentials. Authorization header.")]
         [InlineData("Authorization", "Basic YWxhZGRpbjpQTEFDRUhPTERFUgo=")]
         [InlineData("Cache-Control", "no-cache")]
         [InlineData("Content-Encoding", "gzip")]

src/System.Net.Requests/src/System/Net/FtpControlStream.cs

@@ -502,6 +502,7 @@ protected override PipelineEntry[] BuildCommandsList(WebRequest req)
                 if (domainUserName.Length == 0 && password.Length == 0)
                 {
                     domainUserName = "anonymous";
+                    // [SuppressMessage("Microsoft.Security", "CS002:SecretInNextLine", Justification="Anonymous FTP credential in production code.")]
                     password = "anonymous@";
                 }
 

src/System.Net.Requests/src/System/Net/FtpWebRequest.cs

@@ -223,6 +223,7 @@ public sealed class FtpWebRequest : WebRequest
         private LazyAsyncResult _readAsyncResult;
         private LazyAsyncResult _requestCompleteAsyncResult;
 
+        // [SuppressMessage("Microsoft.Security", "CS002:SecretInNextLine", Justification="Anonymous FTP credential in production code.")]
         private static readonly NetworkCredential s_defaultFtpNetworkCredential = new NetworkCredential("anonymous", "anonymous@", string.Empty);
         private const int s_DefaultTimeout = 100000;  // 100 seconds
         private static readonly TimerThread.Queue s_DefaultTimerQueue = TimerThread.GetOrCreateQueue(s_DefaultTimeout);

src/System.Security.Cryptography.Pkcs/tests/Pkcs12/Pkcs12Documents.cs

@@ -137,6 +137,7 @@ internal static class Pkcs12Documents
             "21300906052B0E03021A050004148B12EE39C54B03EF4C1B0C2D8A3A9624D629" +
             "285A0408E398C69C57E4782102020400").HexToByteArray();
 
+        // [SuppressMessage("Microsoft.Security", "CS002:SecretInNextLine", Justification="Test credentials.")]
         internal const string OracleWalletPassword = "123Wallet";
     }
 }

src/System.Security.Cryptography.Xml/tests/SignedXmlTest.cs

@@ -658,7 +658,8 @@ public void DigestValue_CRLF()
             }
 
             Assert.Equal("IKbfdK2/DMfXyezCf5QggVCXfk8=", Convert.ToBase64String(digest));
-
+
+            // [SuppressMessage("Microsoft.Security", "CS002:SecretInNextLine", Justification="Test credentials. Value change would break test coverage. More info at https://github.com/dotnet/corefx/pull/43052#issuecomment-800481195.")]
             X509Certificate2 cert = new X509Certificate2(_pkcs12, "mono");
             SignedXml signedXml = new SignedXml(doc);
             signedXml.SigningKey = cert.PrivateKey;
@@ -718,6 +719,7 @@ public void DigestValue_LF()
 
             Assert.Equal("e3dsi1xK8FAx1vsug7J203JbEAU=", Convert.ToBase64String(digest));
 
+            // [SuppressMessage("Microsoft.Security", "CS002:SecretInNextLine", Justification="Test credentials. Value change would break test coverage. More info at https://github.com/dotnet/corefx/pull/43052#issuecomment-800481195.")]
             X509Certificate2 cert = new X509Certificate2(_pkcs12, "mono");
             SignedXml signedXml = new SignedXml(doc);
             signedXml.SigningKey = cert.PrivateKey;
@@ -760,6 +762,7 @@ public void DigestValue_LF()
         [Fact]
         public void SignedXML_CRLF_Invalid()
         {
+            // [SuppressMessage("Microsoft.Security", "CS002:SecretInNextLine", Justification="Test credentials. Value change would break test coverage. More info at https://github.com/dotnet/corefx/pull/43052#issuecomment-800481195.")]
             X509Certificate2 cert = new X509Certificate2(_pkcs12, "mono");
 
             XmlDocument doc = new XmlDocument();
@@ -823,6 +826,7 @@ public void SignedXML_CRLF_Invalid()
         [Fact]
         public void SignedXML_CRLF_Valid()
         {
+            // [SuppressMessage("Microsoft.Security", "CS002:SecretInNextLine", Justification="Test credentials. Value change would break test coverage. More info at https://github.com/dotnet/corefx/pull/43052#issuecomment-800481195.")]
             X509Certificate2 cert = new X509Certificate2(_pkcs12, "mono");
 
             XmlDocument doc = CreateSignedXml(cert, SignedXml.XmlDsigExcC14NTransformUrl, "\r\n");
@@ -880,6 +884,7 @@ public void SignedXML_CRLF_Valid()
         [Fact]
         public void SignedXML_LF_Valid()
         {
+            // [SuppressMessage("Microsoft.Security", "CS002:SecretInNextLine", Justification="Test credentials. Value change would break test coverage. More info at https://github.com/dotnet/corefx/pull/43052#issuecomment-800481195.")]
             X509Certificate2 cert = new X509Certificate2(_pkcs12, "mono");
 
             XmlDocument doc = CreateSignedXml(cert, SignedXml.XmlDsigExcC14NTransformUrl, "\n");
@@ -938,6 +943,7 @@ public void SignedXML_LF_Valid()
         public void MultipleX509Certificates()
         {
             XmlDocument doc = null;
+            // [SuppressMessage("Microsoft.Security", "CS002:SecretInNextLine", Justification="Test credentials. Value change would break test coverage. More info at https://github.com/dotnet/corefx/pull/43052#issuecomment-800481195.")]
             X509Certificate2 cert = new X509Certificate2(_pkcs12, "mono");
 
             doc = CreateSignedXml(cert, SignedXml.XmlDsigExcC14NTransformUrl, "\n");

src/System.Security.Cryptography.Xml/tests/TestHelpers.cs

@@ -190,6 +190,7 @@ public static IEnumerable<SymmetricAlgorithmFactory> GetSymmetricAlgorithms(bool
 
         public static X509Certificate2 GetSampleX509Certificate()
         {
+            // [SuppressMessage("Microsoft.Security", "CS002:SecretInNextLine", Justification="Test credentials. Value change would break test coverage. More info at https://github.com/dotnet/corefx/pull/43052#issuecomment-800481195.")]
             return new X509Certificate2(SamplePfx, "mono");
         }