• Home
• org.codehaus.sonar-plugins.java
• java-checks
• 2.7
• source code
• S2070.html

×

Project download

Many resources are needed to download a project. Please understand that we have to compensate our server costs. Thank you in advance.
Project price only 1 $

You can buy this project and download/modify it how often you want.

org.sonar.l10n.java.rules.squid.S2070.html Maven / Gradle / Ivy

The MD5 algorithm and its successor, SHA-1, are no longer considered secure, because it is too easy to create hash collisions with them. That is, it takes too little computational effort to come up with a different input that produces the same MD5 or SHA-1 hash, and using the new, same-hash value gives an attacker the same access as if he had the originally-hashed value.

This rule tracks usage of the java.security.MessageDigest, and org.apache.commons.codec.digest.DigestUtils classes to instantiate MD5 or SHA-1 algorithms, and of Guava's com.google.common.hash.Hashing sha1 and md5 methods. 

Noncompliant Code Example
MessageDigest md = MessageDigest.getInstance("SHA1");  // Noncompliant


Compliant Solution
MessageDigest md = MessageDigest.getInstance("SHA-256");

or
Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5PADDING");


See

	
MITRE, CWE-328 - Reversible One-Way Hash
	
MITRE, CWE-327 - Use of a Broken or Risky Cryptographic Algorithm
	
OWASP Top Ten 2013 Category A6 - Sensitive Data Exposure
	
CWE/SANS TOP 25 Most Dangerous Software Errors