Narrow DS440010 XML token matching to avoid substring false positives in identifiers

Changelog.md

@@ -4,6 +4,11 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [1.0.82] - 2026-05-06
+### Fix
+- Narrowed OpenSSL hardcoded TLS detection rule DS440010 to require standalone token matching, avoiding false positives when `DES` only appears as a substring in larger XML identifiers.
+- Added a negative built-in self-test case for XML identifier `SCPDES_ANNO_SHAPE_1` to prevent regressions.
+
 ## [1.0.81] - 2026-04-16
 ### Pipeline
 - Updates to fix release pipeline for VSCode extension.
@@ -440,4 +445,3 @@ New: `devskim analyze -I path/to/src -O path/to/out.sarif`
 
 ### Fixes
 - Rule improvements and DevSkim engine performance and reliablity improvements.
-

rules/default/security/cryptography/hardcoded_tls.json

@@ -78,6 +78,9 @@
         "severity": "important",
         "_comment": "Applies to all languages since many just wrap OpenSSL constructs.",
         "rule_info": "DS440000.md",
+        "must-not-match": [
+            "<Cipher Name=\"SCPDES_ANNO_SHAPE_1\" />"
+        ],
         "patterns": [
             {
                 "pattern": "SSLv2?3_method|D?TLSv1_([123]_)?(client_|server_)?method",
@@ -127,7 +130,7 @@
                 "_comment": "OpenSSL extension / options"
             },
             {
-                "pattern": "(AES|DH|DHE|ADH|CAMELLIA|EDH|EXP|DES|IDEA|RC4|NULL|GOST|EXP|ECDH|ECDHE|AECDH|PSK|SSL|RSA|TLS)_?([A-Z0-9]+_)+((SHA[0-9]*)|(MD5)|(GOST)[[A-Z0-9\\-]*)",
+                "pattern": "(?<![A-Z0-9_])(AES|DH|DHE|ADH|CAMELLIA|EDH|EXP|DES|IDEA|RC4|NULL|GOST|EXP|ECDH|ECDHE|AECDH|PSK|SSL|RSA|TLS)_?([A-Z0-9]+_)+((SHA[0-9]*)|(MD5)|(GOST)[[A-Z0-9\\-]*)(?![A-Z0-9_])",
                 "type": "regex",
                 "scopes": [
                     "code"