java.lang.security.audit.crypto.ssl.avoid-implementing-custom-digests.avoid-implementing-custom-digests
Community Favorite
semgrep
Author
73,396
Download Count*
License
Cryptographic algorithms are notoriously difficult to get right. By implementing a custom message digest, you risk introducing security issues into your program. Use one of the many sound message digests already available to you: MessageDigest sha256Digest = MessageDigest.getInstance("SHA256");
Run Locally
Run in CI
Defintion
rules:
- id: avoid-implementing-custom-digests
metadata:
cwe:
- "CWE-327: Use of a Broken or Risky Cryptographic Algorithm"
owasp:
- A03:2017 - Sensitive Data Exposure
- A02:2021 - Cryptographic Failures
source-rule-url: https://find-sec-bugs.github.io/bugs.htm#CUSTOM_MESSAGE_DIGEST
asvs:
section: V6 Stored Cryptography Verification Requirements
control_id: 6.2.2 Insecure Custom Algorithm
control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x14-V6-Cryptography.md#v62-algorithms
version: "4"
references:
- https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#custom-algorithms
category: security
technology:
- java
subcategory:
- audit
likelihood: LOW
impact: LOW
confidence: LOW
license: Commons Clause License Condition v1.0[LGPL-2.1-only]
vulnerability_class:
- Cryptographic Issues
message: 'Cryptographic algorithms are notoriously difficult to get right. By
implementing a custom message digest, you risk introducing security issues
into your program. Use one of the many sound message digests already
available to you: MessageDigest sha256Digest =
MessageDigest.getInstance("SHA256");'
severity: WARNING
languages:
- java
pattern: |-
class $CLASS extends MessageDigest {
...
}
Examples
avoid-implementing-custom-digests.java
// ruleid: avoid-implementing-custom-digests
public class MyProprietaryMessageDigest extends MessageDigest {
@Override
protected byte[] engineDigest() {
return "";
}
}
// ok: avoid-implementing-custom-digests
public class NotMessageDigest {
public NotMessageDigest() {
System.out.println("");
}
}
Short Link: https://sg.run/PJ0p