False Positive SCS0015: Hardcoded value in 'byte[] SymmetricAlgorithm.Key' #197

@watfordgnf

Description


Environment (please complete the following information):

  • Version: 5.1.0
  • Branch: SecurityCodeScan 2019
  • Microsoft Visual Studio Enterprise 2019 Preview Version 16.10.0 Preview 1.0
  • OS: Windows

Describe the bug
I am receiving a false positive SCS0015: Hardcoded value in 'byte[] SymmetricAlgorithm.Key'.

Repro

```csharp
using (Aes aes = Aes.Create())
{
    byte[] key = _ecdh.DeriveKeyFromHash(publicKey, hashAlgorithm, encryptedData.Nonce, fixedInfo);
    try
    {
        aes.IV = encryptedData.IV;
        aes.Key = key; // SCS0015: Hardcoded value in byte[] SymmetricAlgorithm.Key
        ...
```

Where:

  • _ecdh is an instance of ECDiffieHellman
  • publicKey is an ECDiffieHellmanPublicKey instance
  • hashAlgorithm is HashAlgorithmName.SHA256
  • encryptedData.Nonce is a byte[] property on a DTO class
  • encryptedData.IV is a byte[] property on a DTO class
  • fixedInfo is a byte[]? parameter to the decrypt method

I've tried recreating this in a standalone project but cannot get SCS0015 to fire on that line, so I'm not quite sure which of the arguments to DeriveKeyFromHash is causing it to fail yet.
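The following is an added, self-contained C# program (not the reporter's project and not SecurityCodeScan's code) that reproduces the flagged pattern end to end: two ECDiffieHellman parties, DeriveKeyFromHash with a nonce and fixedInfo, and the derived key assigned to Aes.Key. The names, the curve choice and the sample nonce/fixedInfo values are assumptions; it shows that the key is computed at runtime from a shared secret, which is exactly the case a hardcoded-key rule should not report.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added standalone repro of the pattern from the report (hypothetical names).
static class DerivedKeyDemo
{
    static void Main()
    {
        // Constructed sample values standing in for encryptedData.Nonce and fixedInfo.
        byte[] nonce = new byte[16];
        RandomNumberGenerator.Fill(nonce);
        byte[] fixedInfo = Encoding.UTF8.GetBytes("demo-context-v1");

        // Two parties on the same curve; curve choice is an assumption of this example.
        using ECDiffieHellman alice = ECDiffieHellman.Create(ECCurve.NamedCurves.nistP256);
        using ECDiffieHellman bob = ECDiffieHellman.Create(ECCurve.NamedCurves.nistP256);

        // Each side derives the key from the ECDH shared secret hashed with SHA-256
        // (32 bytes, so AES-256). Nothing here is a literal: the key is derived at runtime.
        byte[] aliceKey = alice.DeriveKeyFromHash(bob.PublicKey, HashAlgorithmName.SHA256, nonce, fixedInfo);
        byte[] bobKey = bob.DeriveKeyFromHash(alice.PublicKey, HashAlgorithmName.SHA256, nonce, fixedInfo);
        Console.WriteLine("keys match: " + CryptographicOperations.FixedTimeEquals(aliceKey, bobKey));

        byte[] iv;
        byte[] ciphertext;
        using (Aes aes = Aes.Create())          // default mode is CBC with PKCS7 padding
        {
            aes.Key = aliceKey;                 // the assignment SCS0015 flagged in the report
            aes.GenerateIV();
            iv = aes.IV;
            using ICryptoTransform enc = aes.CreateEncryptor();
            byte[] plaintext = Encoding.UTF8.GetBytes("hello");
            ciphertext = enc.TransformFinalBlock(plaintext, 0, plaintext.Length);
        }

        using (Aes aes = Aes.Create())
        {
            aes.IV = iv;                        // IV travels with the ciphertext, like encryptedData.IV
            aes.Key = bobKey;                   // same derived key on the receiving side
            using ICryptoTransform dec = aes.CreateDecryptor();
            byte[] plaintext = dec.TransformFinalBlock(ciphertext, 0, ciphertext.Length);
            Console.WriteLine("decrypted: " + Encoding.UTF8.GetString(plaintext));
        }
    }
}
```

Compiling this under the analyzer lets you check whether the warning depends on the static type of one of the DeriveKeyFromHash arguments (for example a DTO property versus a local) rather than on the assignment itself.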
