clojure.lang.security.use-of-sha1.use-of-sha1


Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Instead, use PBKDF2 for password hashing or SHA256 or SHA512 for other hash function applications.

Definition

rules:
  - id: use-of-sha1
    languages:
      - clojure
    severity: WARNING
    message: Detected SHA1 hash algorithm which is considered insecure. SHA1 is not
      collision resistant and is therefore not suitable as a cryptographic
      signature. Instead, use PBKDF2 for password hashing or SHA256 or SHA512
      for other hash function applications.
    metadata:
      references:
        - https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html
        - https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html
      technology:
        - clojure
      owasp:
        - A03:2017 - Sensitive Data Exposure
        - A02:2021 - Cryptographic Failures
      cwe:
        - "CWE-327: Use of a Broken or Risky Cryptographic Algorithm"
        - "CWE-328: Use of Weak Hash"
      category: security
      subcategory:
        - vuln
      confidence: HIGH
      likelihood: MEDIUM
      impact: HIGH
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Cryptographic Issues
        - Insecure Hashing Algorithm
    patterns:
      - pattern-either:
          - pattern: (MessageDigest/getInstance $ALGO)
          - pattern: (java.security.MessageDigest/getInstance $ALGO)
      - metavariable-regex:
          metavariable: $ALGO
          regex: (((org\.apache\.commons\.codec\.digest\.)?MessageDigestAlgorithms/)?"?(SHA-1|SHA1)"?)

Examples

use-of-sha1.clj

(import 'java.security.MessageDigest
        'java.math.BigInteger)

(defn sha1 [s]
  // ruleid: use-of-sha1
  (let [algorithm (MessageDigest/getInstance "SHA-1")
        size (* 2 (.getDigestLength algorithm))
        raw (.digest algorithm (.getBytes s))
        sig (.toString (BigInteger. 1 raw) 16)
        padding (apply str (repeat (- size (count sig)) "0"))]
    (str padding sig)))

(defn sha1b [s]
  // ruleid: use-of-sha1
  (let [algorithm (MessageDigest/getInstance MessageDigestAlgorithms/SHA-1)
        size (* 2 (.getDigestLength algorithm))
        raw (.digest algorithm (.getBytes s))
        sig (.toString (BigInteger. 1 raw) 16)
        padding (apply str (repeat (- size (count sig)) "0"))]
    (str padding sig)))

(defn sha1c [s]
  // ruleid: use-of-sha1
  (let [algorithm (MessageDigest/getInstance org.apache.commons.codec.digest.MessageDigestAlgorithms/SHA-1)
        size (* 2 (.getDigestLength algorithm))
        raw (.digest algorithm (.getBytes s))
        sig (.toString (BigInteger. 1 raw) 16)
        padding (apply str (repeat (- size (count sig)) "0"))]
    (str padding sig)))

(defn sha256 [s]
  // ok: use-of-sha1
  (let [algorithm (MessageDigest/getInstance "SHA-256")
        size (* 2 (.getDigestLength algorithm))
        raw (.digest algorithm (.getBytes s))
        sig (.toString (BigInteger. 1 raw) 16)
        padding (apply str (repeat (- size (count sig)) "0"))]
    (str padding sig)))

(defn sha256b [s]
  // ok: use-of-sha1
  (let [algorithm (MessageDigest/getInstance MessageDigestAlgorithms/SHA-256)
        size (* 2 (.getDigestLength algorithm))
        raw (.digest algorithm (.getBytes s))
        sig (.toString (BigInteger. 1 raw) 16)
        padding (apply str (repeat (- size (count sig)) "0"))]
    (str padding sig)))

(defn sha256c [s]
  // ok: use-of-sha1
  (let [algorithm (MessageDigest/getInstance org.apache.commons.codec.digest.MessageDigestAlgorithms/SHA-256)
        size (* 2 (.getDigestLength algorithm))
        raw (.digest algorithm (.getBytes s))
        sig (.toString (BigInteger. 1 raw) 16)
        padding (apply str (repeat (- size (count sig)) "0"))]
    (str padding sig)))
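
The remediation named in the rule message, written out in Clojure as an added example (not part of the Semgrep rule or its test file): SHA-256 for general-purpose digests and PBKDF2 for password storage. The namespace, function names, map keys and the 600,000-iteration work factor are assumptions; tune the iteration count for your hardware.

```clojure
(ns example.hashing
  (:import (java.security MessageDigest SecureRandom)
           (javax.crypto SecretKeyFactory)
           (javax.crypto.spec PBEKeySpec)))

;; Assumed parameters, not taken from the rule.
(def ^:private pbkdf2-iterations 600000)
(def ^:private salt-bytes 16)
(def ^:private key-bits 256)

(defn- hex [^bytes bs]
  ;; %02x keeps leading zeros, so no manual padding is needed.
  (apply str (map #(format "%02x" %) bs)))

(defn sha256-hex
  "Same shape as the flagged sha1 helpers, but with a SHA-256 digest.
  For integrity checks and fingerprints, not for passwords."
  [^String s]
  (hex (.digest (MessageDigest/getInstance "SHA-256") (.getBytes s "UTF-8"))))

(defn- pbkdf2 ^bytes [^chars password ^bytes salt iterations]
  (let [spec (PBEKeySpec. password salt (int iterations) (int key-bits))]
    (try
      (.getEncoded
       (.generateSecret (SecretKeyFactory/getInstance "PBKDF2WithHmacSHA256") spec))
      ;; Wipe the password copy held by the key spec.
      (finally (.clearPassword spec)))))

(defn hash-password
  "Returns a map to store: a fresh random salt, the work factor, and the derived key."
  [^String password]
  (let [salt (byte-array salt-bytes)]
    (.nextBytes (SecureRandom.) salt)
    {:salt       salt
     :iterations pbkdf2-iterations
     :derived    (pbkdf2 (.toCharArray password) salt pbkdf2-iterations)}))

(defn verify-password
  "Re-derives the key with the stored salt and iteration count and compares
  it to the stored value in constant time."
  [^String candidate {:keys [salt iterations derived]}]
  (MessageDigest/isEqual ^bytes derived
                         (pbkdf2 (.toCharArray candidate) salt iterations)))
```

Storing the iteration count next to the salt lets the work factor be raised later without invalidating existing records.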