Veracode scan issues on reportviewer dll files

CHRISTOPHER NATHAN HENDRIS 0 Reputation points
2025-09-16T01:36:39.6166667+00:00

I have some Veracode scan issues for the following .dll files:

  1. microsoft.reportviewer.common.dll
  • CWE ID 331 - Standard random number generators do not provide a sufficient amount of entropy when used for security purposes. Attackers can brute force the output of pseudorandom number generators such as rand(). Found instances: void ResetExpansionOrNotificationInterval()
  • CWE ID 327 - The use of a broken or risky cryptographic algorithm is an unnecessary risk that may result in the disclosure of sensitive information. Found instances: byte[] CreateHashForCachedDataSets() and System.Security.Cryptography.MD5 get_Md5Hasher()

  2. microsoft.reportviewer.webforms.dll

  • CWE ID 80 - This call contains a cross-site scripting (XSS) flaw. The application populates the HTTP response with untrusted input, allowing an attacker to embed malicious content, such as JavaScript code, which will be executed in the context of the victim's browser. Found instances: void Render(System.Web.UI.HtmlTextWriter)

  3. microsoft.reportviewer.winforms.dll

  • CWE ID 377 - Creating and using insecure temporary files can leave application and system data vulnerable to attack. Found instances: void !ctor()

Is it possible for the developers of the mentioned .dll files to fix these Veracode issues on the next release?

Thank you

SQL Server Reporting Services
A SQL Server technology that supports the creation, management, and delivery of both traditional, paper-oriented reports and interactive, web-based reports.

1 answer

  1. Venkata Ramanamma Uppu (Quadrant Technologies LLC) 0 Reputation points Microsoft External Staff
    2025-10-31T11:41:51.0533333+00:00

    Hi CHRISTOPHER NATHAN HENDRIS,

    Thank you for reaching out to the Q&A Forum.

    These Veracode findings come from Microsoft ReportViewer DLLs (not SQL Server itself). They are low-risk or false positives since MD5, Random, and HTML rendering are used internally for caching and report output, not for security-critical functions. You can’t modify these Microsoft-signed libraries yourself. Make sure you’re using the latest ReportViewer NuGet packages:

    Microsoft.ReportingServices.ReportViewerControl.WebForms

    Microsoft.ReportingServices.ReportViewerControl.WinForms

    If the issues persist, mark them as “Third-Party / Informational” in Veracode.

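The four CWEs in the question correspond to patterns that are easy to reproduce in your own .NET code, and seeing the flagged form next to the hardened form makes it clearer why a scanner reports them regardless of how the value is used. The following is an added example, not code from the ReportViewer assemblies, from the question, or from the Microsoft answer. It assumes .NET 6 or later, uses a StringWriter in place of HtmlTextWriter (assumption: equivalent Write semantics for string output), and mentions the ReportViewer method names from the scan only in comments, since their actual bodies are not on this page.

```csharp
using System;
using System.IO;
using System.Net;
using System.Security.Cryptography;
using System.Text;

// Added example for this thread; not code from the ReportViewer assemblies or
// from the answer above. Each pair shows the pattern behind one of the four CWEs
// in the question beside the form to use when the value actually matters for
// security. Assumes .NET 6 or later.
internal static class ReportViewerFindings
{
    // CWE-331 (cf. ResetExpansionOrNotificationInterval): System.Random is
    // acceptable for timer jitter, where predictability gains an attacker nothing.
    public static int IntervalJitterMs() => new Random().Next(0, 1000);

    // ...but not for anything that acts as a secret, such as a session or cache token.
    public static string SecureToken(int byteCount = 32) =>
        Convert.ToHexString(RandomNumberGenerator.GetBytes(byteCount));

    // CWE-327 (cf. CreateHashForCachedDataSets / get_Md5Hasher): MD5 over data
    // the server generated itself is a fingerprint, not a secret; nothing is disclosed.
    public static string CacheKeyMd5(byte[] dataSet) =>
        Convert.ToHexString(MD5.HashData(dataSet));

    // If a caller can choose the hashed input, MD5 collisions let two different
    // data sets share one key (cache poisoning). SHA-256 removes that risk at
    // negligible cost, which is why scanners flag MD5 regardless of purpose.
    public static string CacheKeySha256(byte[] dataSet) =>
        Convert.ToHexString(SHA256.HashData(dataSet));

    // CWE-80 (cf. Render(HtmlTextWriter)): a StringWriter stands in for
    // HtmlTextWriter here (assumption: same Write semantics for string output).
    public static string RenderUnsafe(string reportText)
    {
        var w = new StringWriter();
        w.Write("<div class=\"report\">");
        w.Write(reportText);            // untrusted text reaches the page verbatim
        w.Write("</div>");
        return w.ToString();
    }

    public static string RenderEncoded(string reportText)
    {
        var w = new StringWriter();
        w.Write("<div class=\"report\">");
        w.Write(WebUtility.HtmlEncode(reportText)); // <, >, &, " and ' become entities
        w.Write("</div>");
        return w.ToString();
    }

    // CWE-377 (cf. the WinForms constructor): a fixed name in the shared temp
    // directory can be pre-created or symlinked by another local user, and
    // WriteAllText would follow it without complaint.
    public static string TempFileUnsafe()
    {
        var path = Path.Combine(Path.GetTempPath(), "reportviewer.cache");
        File.WriteAllText(path, string.Empty);
        return path;
    }

    // Unpredictable name plus FileMode.CreateNew: the open fails instead of
    // reusing a planted file, and DeleteOnClose removes it when the stream is disposed.
    public static FileStream TempFileSafe()
    {
        var name = "rv-" + Convert.ToHexString(RandomNumberGenerator.GetBytes(16)) + ".tmp";
        var path = Path.Combine(Path.GetTempPath(), name);
        return new FileStream(path, FileMode.CreateNew, FileAccess.ReadWrite,
                              FileShare.None, 4096, FileOptions.DeleteOnClose);
    }

    private static void Main()
    {
        // Constructed sample inputs; nothing here comes from a real report.
        var sample = Encoding.UTF8.GetBytes("constructed sample data set");
        const string hostile = "<script>alert(1)</script>";

        Console.WriteLine("jitter  : " + IntervalJitterMs() + " ms");
        Console.WriteLine("token   : " + SecureToken());
        Console.WriteLine("md5     : " + CacheKeyMd5(sample));
        Console.WriteLine("sha256  : " + CacheKeySha256(sample));
        Console.WriteLine("unsafe  : " + RenderUnsafe(hostile));
        Console.WriteLine("encoded : " + RenderEncoded(hostile));
        using var tmp = TempFileSafe();
        Console.WriteLine("tempfile: " + tmp.Name);
    }
}
```

Run it with `dotnet run` in a console project. The unsafe variants are kept on purpose so the contrast is visible; none of this changes what Veracode reports for the Microsoft-signed assemblies, it only helps decide whether the same pattern in your own code is a finding worth fixing or one to document as accepted.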
