For hashing algorithms, several rules exist, in particular these two:
- A security hotspot: https://jira.sonarsource.com/browse/RSPEC-4790
- That supersedes this vulnerability rule: https://jira.sonarsource.com/browse/RSPEC-2070
It is not possible to maintain two rules on exactly the same subject, neither for us nor for end users, so:
- S2070 will be deprecated
- The content/implementation of S2070 is more relevant than that of S4790, because S4790 raises everywhere a hash function is used (even when a secure hash function such as SHA-256 is used), whereas S2070 raises only when a weak hash function such as MD5 is used
- So the content/implementation of S2070 should "be moved" to S4790 (the rule key should be updated in SonarJava), because the hotspot issue type is more relevant
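As an added illustration (not code from the tickets or from SonarJava), these are the kinds of call sites the two rules distinguish, including a Spring `DigestUtils` usage like the one SONARJAVA-3388 asks S2070 to cover; the class and method names are mine, and spring-core is assumed to be on the classpath:

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

import org.springframework.util.DigestUtils; // assumed dependency: spring-core

/** Constructed call sites showing where each rule would report. */
public class HashingCallSites {

    // Constructed sample input, not data from the page.
    private static final byte[] INPUT = "sample input".getBytes(StandardCharsets.UTF_8);

    /** Weak algorithm: S2070 reports here, and S4790 would raise a hotspot as well. */
    static byte[] md5ViaJdk() throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance("MD5");
        return md.digest(INPUT);
    }

    /** Spring helper for MD5: the call site SONARJAVA-3388 wants S2070 to support. */
    static String md5ViaSpring() {
        return DigestUtils.md5DigestAsHex(INPUT);
    }

    /** Secure algorithm: S2070 stays silent; only S4790 would flag this as a hotspot to review. */
    static byte[] sha256ViaJdk() throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        return md.digest(INPUT);
    }

    /** Hex-encode a digest for display. */
    static String toHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        System.out.println("MD5 (JDK):    " + toHex(md5ViaJdk()));
        System.out.println("MD5 (Spring): " + md5ViaSpring());
        System.out.println("SHA-256:      " + toHex(sha256ViaJdk()));
    }
}
```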
- contributes to: MMF-2044 Java analyzer detects broken authentication and access control (Closed)
- depends upon: SONARJAVA-3388 Rule S2070 should support "org.springframework.util.DigestUtils" (Closed)
- implements: RSPEC-4790 Using weak hashing algorithms is security-sensitive (Active)