CWE ID 327:

Brent Putman putmanb at
Fri Sep 16 00:28:49 UTC 2022

On 9/15/22 4:52 PM, Jeremy Karlson wrote:
> I took a look at the report again, trying to see if there was any 
> more detail in regards to why it flagged that line. Nothing, 
> unfortunately.

Bummer.  If the report can't provide more detail, then the only other 
thing I can think of is: Is there somewhere a list of the crypto 
algorithms that Veracode considers weak and that would trigger the CWE 
ID 327?  If so, then we could probably cross-reference to the list of 
EC named curves we support by default and see if there is an intersection.

> I assume this code is used when there is some sort of negotiation 
> between systems? (I don’t know much about SAML here.) Assuming that’s 
> the case, I think there is really nothing much to do here.

Well, if my speculation is correct, this seems to be flagging on the 
fundamental creation of EC key pairs with a particular named curve.  So 
it's really about the underlying parameters/characteristics of the EC 
keys themselves.

Beyond that, EC keys are then used with the fundamental crypto 
operations of signing (ECDSA) and encryption (ECDH) over SAML protocol 
messages and/or data within them.  I wouldn't characterize those as 
"negotiation" between systems, because there isn't a back-and-forth 
kind of exchange, it's one-sided really (unlike say TLS).  But these 
fundamental crypto ops are used to secure the messages and data 
exchanged between SAML entities, which for standard Web SSO use cases 
is primarily Identity Providers and Service Providers.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the users mailing list