False positive from PSAvoidUsingPlainTextForPassword #203

Closed
KirkMunro opened this issue May 22, 2015 · 4 comments
@KirkMunro
Contributor

Right now it appears that the PSAvoidUsingPlainTextForPassword rule generates an error whenever it sees a variable called $Password that is not a SecureString. I have a Reset-DoPxDroplet function with a $Password parameter of type switch (System.Management.Automation.SwitchParameter) to allow me to reset the password on a droplet (VM). There is no use of secure string or string, just switch, so that I can make the appropriate REST API endpoint, yet this rule generates a warning anyway.

If I'm clearly defining the type of my $Password parameter as switch, which I am in this case, then this rule shouldn't even look at how I'm using that parameter. It should only complain if I have $Password that is not strongly typed, or that is of type string.

@raghushantha
Member

We need to add more heuristics for this rule.

@quoctruong

Addressed in #204

@imfrancisd

I think there are missing parentheses on line 58 and line 59.

if (hasPwd && (!paramType.IsArray && (paramType == typeof(String) || paramType == typeof(object)))
              || (paramType.IsArray && (paramType.GetElementType() == typeof(String) || paramType.GetElementType() == typeof(object))))

If line 59 is true, then the value of hasPwd won't matter.
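
The precedence issue raised in the comment above, as an added C# example that is not part of the original thread or the project's source: `AsQuoted` keeps the condition as posted, and `Grouped` wraps the whole type test in one extra pair of parentheses so that `hasPwd` gates both the scalar and the array case. `hasPwd` is assumed to be a check on the parameter name, `bool` stands in for a switch parameter, and the parameter names and types in `Main` are constructed.

```csharp
using System;

// Added illustration, not PSScriptAnalyzer source.
// Assumption: hasPwd means "the parameter name looks like a password";
// the thread does not show how the rule computes it.
static class PrecedenceDemo
{
    // Condition exactly as quoted in the comment. && binds tighter than ||,
    // so this parses as (hasPwd && scalarCase) || arrayCase.
    static bool AsQuoted(bool hasPwd, Type paramType)
    {
        return hasPwd && (!paramType.IsArray && (paramType == typeof(String) || paramType == typeof(object)))
               || (paramType.IsArray && (paramType.GetElementType() == typeof(String) || paramType.GetElementType() == typeof(object)));
    }

    // Same terms with the scalar and array cases grouped under hasPwd.
    static bool Grouped(bool hasPwd, Type paramType)
    {
        return hasPwd && ((!paramType.IsArray && (paramType == typeof(String) || paramType == typeof(object)))
               || (paramType.IsArray && (paramType.GetElementType() == typeof(String) || paramType.GetElementType() == typeof(object))));
    }

    static void Main()
    {
        // Constructed cases: (parameter name, declared type).
        var cases = new (string Name, Type Type)[]
        {
            ("Password", typeof(string)),
            ("Password", typeof(string[])),
            ("Password", typeof(System.Security.SecureString)),
            ("Password", typeof(bool)),          // stand-in for a switch parameter
            ("ComputerName", typeof(string)),
            ("ComputerName", typeof(string[])),  // array type, name unrelated to passwords
            ("InputObject", typeof(object[])),   // array type, name unrelated to passwords
        };

        foreach (var c in cases)
        {
            bool hasPwd = c.Name.IndexOf("password", StringComparison.OrdinalIgnoreCase) >= 0;
            Console.WriteLine("{0,-13} {1,-13} asQuoted={2,-6} grouped={3}",
                c.Name, c.Type.Name, AsQuoted(hasPwd, c.Type), Grouped(hasPwd, c.Type));
        }
    }
}
```

Rows where the two columns disagree are the ones where the quoted condition reports a parameter whose name has nothing to do with passwords.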

@quoctruong

Thanks for the catch, Francis. We've fixed this in #226.
