Snyk Code: June Update

We're expanding Snyk Code analysis for the .NET (C# and VB) ecosystem with broader detection across TLS configuration, cryptographic algorithms, and third-party crypto libraries. We built these improvements to surface a wider range of crypto-related security issues in .NET codebases while keeping false positives in check. Coverage extends across the standard library and the most common third-party crypto packages, so customers using BouncyCastle see the same depth of detection as native .NET code.

We're also expanding PHP coverage for SQL injection, Snyk Code now detects interfile taint flow when the SQL sink is wrapped in a database-access class. These improvements arrive with the June release on 15 June 2026.

What's changing

New TLS vulnerability detection for .NET (CWE-326)

Snyk Code now identifies insecure TLS protocol configuration across the most common .NET HTTP and network stacks: ServicePointManager, HttpClientHandler, WinHttpHandler, SocketsHttpHandler, Kestrel, and SslStream. Only TLS 1.2 and 1.3 are considered safe. Earlier protocols are flagged as vulnerable, including bitwise flag combinations.

Broader Insecure Cipher coverage for .NET (CWE-327)

Generalised cipher detection for C# and VB, with new third-party support via BouncyCastle. Algorithms now flagged: PAKE, Triple DES, DES, Skipjack, RC4, RC2, MD-5, and SHA-1.

Expanded weak-key-size detection for .NET (CWE-326)

Native standard-library coverage added for ECDHE, ECDH, ECDSA, RSA, AES (GCM), and HMAC-SHA1, HMAC-SHA2, and HMAC-SHA3 across Base, Windows, and Linux .NET types. Third-party support was added for DH, DHE (BouncyCastle), AES-XTS (BouncyCastle), and CMAC-AES (BouncyCastle).

Generalised crypto rule templates for .NET (CWE-326, CWE-327)

The InsecureCipher, TooSmallKeySize, and WeakEccCurve rules have been refactored into unified report templates.

PHP SQL injection interfile taint flow through wrapper classes (CWE-89)

Snyk Code now detects SQL injection where the sink is defined in a wrapper class (single level: caller → wrapper → mysql_query)

Important details to note

• You may notice an increase in .NET vulnerability findings after the June release, particularly around TLS misconfiguration and weak cryptographic algorithms.

• RC2 is reclassified from TooSmallKeySize to InsecureCipher. Customers with ignores or policies tied to specific rule keys should be aware (Scope is .NET (C# and VB) only).

• A small number of CryptoServiceProviders false positives related to read-only KeySize properties will no longer fire. These were never actionable in the first place (Scope is .NET (C# and VB) only).

• PHP customers may see new SQL injection findings after the June release, particularly in codebases that route database calls through wrapper classes.

To learn more, visit our Snyk User Documentation.