[SONARKT-8] Rule S4790 Using weak hashing algorithms is security-sensitive - SonarSource

XML

Word

Printable

Details

Type: New Feature
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 2.0
Component/s: None
Labels:
- Rules

Description

New rule to implement

Should raise on MessageDigest.getInstance when the argument is equals to:

MD2
MD4
MD5
SHA
SHA-0
SHA-1
SHA-224

MessageDigest md1 = MessageDigest.getInstance("SHA");  // Sensitive:  SHA is not a standard name, for most security providers it's an alias of SHA-1
MessageDigest md2 = MessageDigest.getInstance("SHA1");  // Sensitive

MessageDigest md1 = MessageDigest.getInstance("SHA-512"); // Compliant

Code examples: https://github.com/SonarSource/security-expected-issues/pull/429

Attachments

Issue Links

implements

RSPEC-4790 Using weak hashing algorithms is security-sensitive

Active

Activity

People

Assignee:: Margarita Nedzelska

Reporter:: Eric Therond (Inactive)

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Due:: 25/May/21

Created:: 21/Apr/21 5:53 PM

Updated:: 28/May/21 2:52 PM

Resolved:: 26/May/21 2:45 PM