use-of-md5-java

Sakshis · Sakshis · commit 66159072da23 · 2024-12-16T06:11:14.000Z
diff --git a/rules/java/security/use-of-md5-java.yml b/rules/java/security/use-of-md5-java.yml
@@ -0,0 +1,20 @@
+id: use-of-md5-java
+severity: warning
+language: java
+message: >-
+  Detected MD5 hash algorithm which is considered insecure. MD5 is not
+  collision resistant and is therefore not suitable as a cryptographic
+  signature. Use HMAC instead.
+note: >-
+  [CWE-328] Use of Weak Hash.
+  [REFERENCES]
+      - https://owasp.org/Top10/A02_2021-Cryptographic_Failures
+rule:
+  any:
+    - pattern: java.security.MessageDigest.getInstance($ALGO)
+    - pattern: java.security.MessageDigest.getInstance($ALGO, $$$)
+    - pattern: MessageDigest.getInstance($ALGO)
+    - pattern: MessageDigest.getInstance($ALGO, $$$)
+constraints:
+  ALGO:
+    regex: 'MD5'
diff --git a/tests/__snapshots__/use-of-md5-java-snapshot.yml b/tests/__snapshots__/use-of-md5-java-snapshot.yml
@@ -0,0 +1,9 @@
+id: use-of-md5-java
+snapshots:
+  ? |
+    MessageDigest md5Digest = MessageDigest.getInstance("MD5");
+  : labels:
+    - source: MessageDigest.getInstance("MD5")
+      style: primary
+      start: 26
+      end: 58
diff --git a/tests/java/use-of-md5-java-test.yml b/tests/java/use-of-md5-java-test.yml
@@ -0,0 +1,7 @@
+id: use-of-md5-java
+valid:
+  - |
+    MessageDigest md5Digest = MessageDigest.getInstance("SHA-512");
+invalid:
+  - |
+    MessageDigest md5Digest = MessageDigest.getInstance("MD5");
