File tree 3 files changed +151
-0
lines changed 3 files changed +151
-0
lines changed Original file line number Diff line number Diff line change 1+ id : insecure-hash-c
2+ language : c
3+ severity : warning
4+ message : >-
5+ This hashing algorithm is insecure. If this hash is used in a security
6+ context, such as password hashing, it should be converted to a stronger
7+ hashing algorithm.
8+ note : >-
9+ [CWE-328] Use of Weak Hash.
10+ [REFERENCES]
11+ - https://owasp.org/Top10/A02_2021-Cryptographic_Failures
12+ utils :
13+ MATCH_PATTERN_ONE :
14+ kind : expression_statement
15+ has :
16+ stopBy : neighbor
17+ kind : call_expression
18+ all :
19+ - has :
20+ stopBy : neighbor
21+ kind : identifier
22+ regex : ^(EVP_md2|MD2|MD2_Final|MD2_Init|MD2_Update|MD2_options|EVP_md4|MD4|MD4_Final|MD4_Init|MD4_Transform|MD4_Update|EVP_md5|MD5|MD5_Final|MD5_Init|MD5_Transform|MD5_Update|EVP_sha1|SHA1_Final|SHA1_Init|SHA1_Transform|SHA1_Update)$
23+ - has :
24+ stopBy : neighbor
25+ kind : argument_list
26+
27+ MATCH_PATTERN_TWO :
28+ kind : expression_statement
29+ has :
30+ stopBy : neighbor
31+ kind : call_expression
32+ all :
33+ - has :
34+ stopBy : neighbor
35+ kind : identifier
36+ regex : " ^(EVP_MD_fetch|EVP_get_digestbyname)$"
37+ - has :
38+ stopBy : neighbor
39+ kind : argument_list
40+ has :
41+ stopBy : neighbor
42+ kind : identifier
43+ regex : ^(MD2|MD4|MD5|SHA1|SHA-1)$
44+
45+ MATCH_PATTERN_TWO_with_instance :
46+ kind : expression_statement
47+ all :
48+ - has :
49+ stopBy : neighbor
50+ kind : call_expression
51+ all :
52+ - has :
53+ stopBy : neighbor
54+ kind : identifier
55+ regex : " ^(EVP_MD_fetch|EVP_get_digestbyname)$"
56+ - has :
57+ stopBy : neighbor
58+ kind : argument_list
59+ has :
60+ stopBy : neighbor
61+ kind : identifier
62+ pattern : $Q
63+ - follows :
64+ stopBy : end
65+ kind : declaration
66+ has :
67+ stopBy : end
68+ kind : init_declarator
69+ all :
70+ - has :
71+ stopBy : neighbor
72+ kind : pointer_declarator
73+ has :
74+ stopBy : neighbor
75+ kind : identifier
76+ pattern : $Q
77+ - has :
78+ stopBy : neighbor
79+ kind : string_literal
80+ has :
81+ stopBy : neighbor
82+ kind : string_content
83+ regex : ^(MD2|MD4|MD5|SHA1|SHA-1)$
84+
85+ MATCH_PATTERN_THREE :
86+ kind : expression_statement
87+ has :
88+ stopBy : neighbor
89+ kind : call_expression
90+ all :
91+ - has :
92+ stopBy : neighbor
93+ kind : identifier
94+ regex : " ^(gcry_md_open|gcry_md_enable|gcry_md_read|gcry_md_extract|gcry_md_hash_buffers|gcry_md_hash_buffer)$"
95+ - has :
96+ stopBy : neighbor
97+ kind : argument_list
98+ has :
99+ stopBy : end
100+ kind : identifier
101+ regex : ^(GCRY_MD_MD2|GCRY_MD_MD4|GCRY_MD_MD5|GCRY_MD_SHA1)$
102+ rule :
103+ any :
104+ - kind : expression_statement
105+ any :
106+ - matches : MATCH_PATTERN_ONE
107+ - matches : MATCH_PATTERN_TWO
108+ - matches : MATCH_PATTERN_TWO_with_instance
109+ - matches : MATCH_PATTERN_THREE
Original file line number Diff line number Diff line change 1+ id : insecure-hash-c
2+ snapshots :
3+ ? |
4+ MD2_Init();
5+ SHA1_Init();
6+ const char *md4 = "MD4";
7+ EVP_MD_fetch(NULL, md4, NULL);
8+ EVP_get_digestbyname(md4);
9+ const char *sha1 = "SHA1";
10+ EVP_MD_fetch(NULL, sha1, NULL);
11+ EVP_get_digestbyname(sha1);
12+ : labels :
13+ - source : MD2_Init();
14+ style : primary
15+ start : 0
16+ end : 11
17+ - source : MD2_Init
18+ style : secondary
19+ start : 0
20+ end : 8
21+ - source : ()
22+ style : secondary
23+ start : 8
24+ end : 10
25+ - source : MD2_Init()
26+ style : secondary
27+ start : 0
28+ end : 10
Original file line number Diff line number Diff line change 1+ id : insecure-hash-c
2+ valid :
3+ - |
4+ MD5Final(digest,ctx);
5+ invalid :
6+ - |
7+ MD2_Init();
8+ SHA1_Init();
9+ const char *md4 = "MD4";
10+ EVP_MD_fetch(NULL, md4, NULL);
11+ EVP_get_digestbyname(md4);
12+ const char *sha1 = "SHA1";
13+ EVP_MD_fetch(NULL, sha1, NULL);
14+ EVP_get_digestbyname(sha1);
You can’t perform that action at this time.
0 commit comments