Why does Veracode flag the following FIPS compliant C#?
var cipher = new AesCng()
{
    BlockSize = 128,
    KeySize = 256,
    Mode = CipherMode.CBC,
    Padding = PaddingMode.PKCS7
};
Hi: current Veracode scans likely wouldn't flag CWE 326 on a use of AES with a key size of 256. If this was a recent scan, could you please reach out to Veracode Support so we can take a closer look to find out why this was flagged?
If this was a result from an older scan, you may want to try rescanning the application to see if the issue is still flagged.