• Home
• org.codehaus.sonar-plugins.java
• java-checks
• 3.2
• source code
• S2070.html

×

Project download

Many resources are needed to download a project. Please understand that we have to compensate our server costs. Thank you in advance.
Project price only 1 $

You can buy this project and download/modify it how often you want.

org.sonar.l10n.java.rules.squid.S2070.html Maven / Gradle / Ivy

The MD5 algorithm and its successor, SHA-1, are no longer considered secure, because it is too easy to create hash collisions with them. That is, it takes too little computational effort to come up with a different input that produces the same MD5 or SHA-1 hash, and using the new, same-hash value gives an attacker the same access as if he had the originally-hashed value. This applies as well to the other Message-Digest algorithms: MD2, MD4, MD6.
This rule tracks usage of the java.security.MessageDigest, and org.apache.commons.codec.digest.DigestUtils classes  to instantiate MD or SHA-1 algorithms, and of Guava's com.google.common.hash.Hashing sha1 and md5 methods. 
Noncompliant Code Example

MessageDigest md = MessageDigest.getInstance("SHA1");  // Noncompliant

Compliant Solution

MessageDigest md = MessageDigest.getInstance("SHA-256");

or
Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5PADDING");

See


 MITRE, CWE-328 - Reversible One-Way Hash
 MITRE, CWE-327 - Use of a Broken or Risky Cryptographic Algorithm
 OWASP Top Ten 2013 Category A6 - Sensitive Data Exposure
 SANS Top 25 - Porous Defenses
 Derived from FindSecBugs rule MessageDigest Is Weak