[SONARJAVA-3414] Rule S4790: its content should be replaced by S2070 - SonarSource

Details

Type: Improvement
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 6.9
Component/s: Rules
Labels:
None

Description

For hashing algorithms, several rules exist, in particular these two:

A security-hotspot: https://jira.sonarsource.com/browse/RSPEC-4790
That supersedes this vulnerability: https://jira.sonarsource.com/browse/RSPEC-2070

It's not possible to maintain two rules on exactly the same subject, for us and the end users, so:

S2070 will be deprecated
the content/implementation of S2070 is more relevant than S4790 because S4790 raises everywhere a hash function is used (even when secure hash function, like SHA-256 is used) and S2070 raises only when a weak hash function is used (like MD5)
so the content/implementation of S2070 should "be moved" to S4790 (the key of the rule should be updated in SonarJava), because the type of issue (hotspot) is more relevant

Attachments

Issue Links

contributes to

MMF-2044 Java analyzer detects broken authentication and access control

Closed

depends upon

SONARJAVA-3388 Rule S2070 should support "org.springframework.util.DigestUtils"

Closed

implements

RSPEC-4790 Using weak hashing algorithms is security-sensitive

Active

Activity

People

Assignee:

Margarita Nedzelska

Reporter:

Eric Therond

Votes:

0 Vote for this issue

Watchers:

2 Start watching this issue

Dates

Due:

01/Oct/20

Created:

20/May/20 2:45 PM

Updated:

05/Oct/20 9:48 AM

Resolved:

05/Oct/20 9:48 AM