In my project we are using pdf.js from Mozilla. Now the Fortify scan complains about "Hardcoded Encryption Key". See the image below.
Please provide some help on this. Using version 2 of pdf.js.
Fortify has used its semantic analyzer, which did a grep for the word "key". This means that the value, which in this case is key, is a variable name. Fortify identified the word 'key' as an encryption key. So you can mark this case as a false positive.
The semantic analyzer of Fortify is very notorious for false positives. If you want a more automated solution, Fortify is not the right tool.
I have also faced this issue. Whenever Fortify scans the application, it looks for some specific fields like "key" or "password", and its analyzer will start complaining with "Hardcoded Encryption Key" or "Password Management: Hardcoded Password".
Refer to the link below for more information.
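The distinction both answers draw, as an added example (not part of the original posts and not Fortify's actual rule logic): a name-only match on "key" or "password" versus a check that also requires a string literal assigned to that identifier. The regexes, the `triage` function and the sample lines are constructed for illustration.

```javascript
// Added example: triage for name-based "hardcoded key/password" findings.
// These patterns are assumptions for illustration, not Fortify's rules.

// Name-only match: any identifier containing "key" or "password".
const NAME_RE = /\w*(?:key|password)\w*/i;

// Stricter: such an identifier assigned (= or :) a non-empty string literal.
const LITERAL_RE = /\w*(?:key|password)\w*\s*[:=]\s*(["'`])((?:\\.|(?!\1).)+)\1/i;

// Literal shaped like key material: 32+ hex chars or 22+ base64 chars.
const SECRET_SHAPE_RE = /^(?:[0-9a-f]{32,}|[A-Za-z0-9+\/]{22,}={0,2})$/i;

function triage(line) {
  if (!NAME_RE.test(line)) return "not-flagged";
  const m = LITERAL_RE.exec(line);
  if (!m) return "likely-false-positive"; // only the identifier name matched
  // A literal is assigned: decide whether it looks like key material.
  return SECRET_SHAPE_RE.test(m[2]) ? "likely-hardcoded-secret" : "needs-review";
}

// Constructed sample lines (not taken from pdf.js).
const SAMPLES = [
  'for (const key in dict) { out[key] = dict[key]; }',
  'if (evt.keyCode == "13") return;',
  'const cacheKey = "page-" + pageIndex;',
  'const password = "changeme";',
  'const encryptionKey = "3f9a1c0b7d2e4f6a8b9c0d1e2f3a4b5c";',
  'let total = 0;',
];

for (const s of SAMPLES) console.log(triage(s).padEnd(24), s);
```

Lines that land in `likely-false-positive` are the case described in the answers: the scanner matched a variable name, and no literal value is present to act as a key.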