  1. SonarSwift
  2. SONARSWIFT-457

Rule S4790: Using weak hashing algorithms is security-sensitive

    Details

    • Type: New Feature
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 4.3
    • Component/s: Rules

      Description

      The content/implementation of S2070 should "be moved" to S4790 (the key of the rule should be updated).
      The issue message should also be updated:

      CC_MD5(data.bytes, CC_LONG(data.length), &digest) // Noncompliant {{Make sure this weak hash algorithm is not used in a sensitive context here.}}
      

      Hardening of ITs

      The ITs should cover the latest API of CryptoSwift:

      let bytes:Array<UInt8> = [0x01, 0x02, 0x03]
      let digest1 = input.md5() // Noncompliant
      let digest2 = Digest.md5(bytes) // Noncompliant
      
      var hash = "123".md5()  // Noncompliant
      hash = data.md5() // Noncompliant
      hash = data.sha1() // Noncompliant
      hash = data.sha224() // Compliant
      hash = data.sha256() // Compliant
      hash = data.sha384() // Compliant
      hash = data.sha512() // Compliant
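
A minimal line-based check that reproduces the Noncompliant/Compliant expectations of the snippets above, as an added example (it is not SonarSwift's implementation, which this ticket does not show). The function names, the regular expression and the last sample line are assumptions made for illustration.

```python
import re

# Constructed sample: snippets taken from this ticket plus one extra string-literal line (last).
SAMPLE = '''\
CC_MD5(data.bytes, CC_LONG(data.length), &digest) // Noncompliant
let digest1 = input.md5() // Noncompliant
let digest2 = Digest.md5(bytes) // Noncompliant
var hash = "123".md5()  // Noncompliant
hash = data.sha1() // Noncompliant
hash = data.sha224() // Compliant
hash = data.sha256() // Compliant
hash = data.sha512() // Compliant
let note = "call .md5() later" // Compliant
'''

MESSAGE = "Make sure this weak hash algorithm is not used in a sensitive context here."

# CC_MD5(...) as a free function, or .md5(...) / .sha1(...) as a member call.
WEAK_CALL = re.compile(r'(?:\b(CC_MD5)|\.(md5|sha1))\s*\(')

def strip_literals(line):
    """Blank out string contents, then drop // comments, so only code is matched.
    Limitation: multi-line strings and /* */ comments are not handled."""
    no_strings = re.sub(r'"(?:\\.|[^"\\])*"', '""', line)
    return re.sub(r'//.*', '', no_strings)

def find_weak_hashes(source):
    """Return (line number, algorithm, message) for each weak-hash call."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        match = WEAK_CALL.search(strip_literals(line))
        if match:
            findings.append((lineno, match.group(1) or match.group(2), MESSAGE))
    return findings

def mismatches(source):
    """Line numbers where findings disagree with the // Noncompliant markers."""
    flagged = {lineno for lineno, _, _ in find_weak_hashes(source)}
    expected = {n for n, line in enumerate(source.splitlines(), 1)
                if "// Noncompliant" in line}
    return flagged ^ expected

if __name__ == "__main__":
    for lineno, algorithm, message in find_weak_hashes(SAMPLE):
        print(f"line {lineno}: {algorithm}: {message}")
    print("mismatches:", sorted(mismatches(SAMPLE)))
```

Stripping string literals before matching keeps `"123".md5()` flagged while a string that merely mentions `.md5()` is not.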
      

              People

              • Assignee:
                margarita.nedzelska Margarita Nedzelska
                Reporter:
                pierre-loup.tristant Pierre-Loup Tristant