Uploaded image for project: 'SonarKotlin'
  1. SonarKotlin
  2. SONARKT-8

Rule S4790 Using weak hashing algorithms is security-sensitive

    XMLWordPrintable

    Details

    • Type: New Feature
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 2.0
    • Component/s: None
    • Labels:

      Description

      New rule to implement

      Should raise on MessageDigest.getInstance when the argument is equals to:

      • MD2
      • MD4
      • MD5
      • SHA
      • SHA-0
      • SHA-1
      • SHA-224
      MessageDigest md1 = MessageDigest.getInstance("SHA");  // Sensitive:  SHA is not a standard name, for most security providers it's an alias of SHA-1
      MessageDigest md2 = MessageDigest.getInstance("SHA1");  // Sensitive
      
      MessageDigest md1 = MessageDigest.getInstance("SHA-512"); // Compliant
      

      Code examples: https://github.com/SonarSource/security-expected-issues/pull/429

        Attachments

          Issue Links

            Activity

              People

              Assignee:
              margarita.nedzelska Margarita Nedzelska
              Reporter:
              eric.therond Eric Therond (Inactive)
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

                Dates

                Due:
                Created:
                Updated:
                Resolved: