java.lang.security.audit.crypto.weak-hash.use-of-md5

Detected the MD5 hash algorithm, which is considered insecure: MD5 is not collision resistant and is therefore unsuitable for signatures, certificates, or any integrity check an attacker can influence. Use SHA-256 or SHA-3 instead; if the input is a password, use a dedicated password hash (bcrypt, scrypt, Argon2 or PBKDF2) rather than any plain digest.
Definition
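rules:
- id: use-of-md5
  message: >-
    Detected MD5 hash algorithm which is considered insecure. MD5 is not
    collision resistant and is therefore not suitable as a cryptographic
    signature. Use SHA256 or SHA3 instead. If the input is a password, use a
    dedicated password hash (bcrypt, scrypt, Argon2 or PBKDF2) rather than any
    plain digest.
  languages:
  - java
  severity: WARNING
  metadata:
    # A broken hash algorithm is a cryptography weakness, not a vulnerable
    # third-party component; the previous "A9" mapping was a mis-categorisation.
    owasp: "A3: Sensitive Data Exposure"
    cwe: "CWE-327: Use of a Broken or Risky Cryptographic Algorithm"
    source-rule-url: https://find-sec-bugs.github.io/bugs.htm#WEAK_MESSAGE_DIGEST_MD5
    asvs:
      section: V6 Stored Cryptography Verification Requirements
      control_id: 6.2.5 Insecure Algorithm
      control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x14-V6-Cryptography.md#v62-algorithms
    category: security
    technology:
    - java
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
  pattern-either:
  # Any getInstance("MD5") call: assigned to a declared local (the only form the
  # original pattern matched), returned, passed as an argument, or given an
  # explicit provider via getInstance("MD5", provider). `...` matches zero or
  # more trailing arguments.
  # Caveat: JCA algorithm names are case-insensitive, so getInstance("md5") is
  # also MD5 but is NOT matched by this literal pattern.
  - pattern: $MD.getInstance("MD5", ...)
  # Apache Commons Codec DigestUtils helpers (streaming and one-shot forms).
  - pattern: $DU.getMd5Digest().digest(...)
  - pattern: $DU.md5(...)
  - pattern: $DU.md5Hex(...)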
Examples
weak-hash.java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import org.apache.commons.codec.digest.DigestUtils;
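public class WeakHashes {
  // Rule test fixture: every method below deliberately uses a broken digest, and the
  // `// ruleid:` marker names the rule that must flag the line immediately after it.
  // A plain digest (SHA-256 included) is the wrong tool for passwords; production
  // code should use bcrypt, scrypt, Argon2 or PBKDF2 instead.

  /**
   * Returns the raw SHA-1 digest of {@code password}, encoded as UTF-8 so the result
   * does not depend on the platform default charset.
   *
   * @throws NoSuchAlgorithmException if the installed providers do not offer SHA-1
   *     (the standard JDK providers always do)
   */
  public byte[] sha1(String password) throws NoSuchAlgorithmException {
    // ruleid: use-of-sha1
    MessageDigest sha1Digest = MessageDigest.getInstance("SHA1");
    sha1Digest.update(password.getBytes(StandardCharsets.UTF_8));
    return sha1Digest.digest();
  }

  /** Same as {@link #sha1(String)} but through the Commons Codec digest helper. */
  public byte[] sha1_digestutil(String password) {
    // ruleid: use-of-sha1
    return DigestUtils.getSha1Digest().digest(password.getBytes(StandardCharsets.UTF_8));
  }

  /**
   * Returns the raw MD5 digest of {@code password}, encoded as UTF-8 so the result
   * does not depend on the platform default charset.
   *
   * @throws NoSuchAlgorithmException if the installed providers do not offer MD5
   *     (the standard JDK providers always do)
   */
  public byte[] md5(String password) throws NoSuchAlgorithmException {
    // ruleid: use-of-md5
    MessageDigest md5Digest = MessageDigest.getInstance("MD5");
    md5Digest.update(password.getBytes(StandardCharsets.UTF_8));
    return md5Digest.digest();
  }

  /** Same as {@link #md5(String)} but through the Commons Codec digest helper. */
  public byte[] md5_digestutil(String password) {
    // ruleid: use-of-md5
    return DigestUtils.getMd5Digest().digest(password.getBytes(StandardCharsets.UTF_8));
  }
}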