kotlin.lang.security.use-of-sha1.use-of-sha1
returntocorpAuthor
unknown
Download Count*
License
Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead.
Run Locally
Run in CI
Defintion
rules:
- id: use-of-sha1
message: Detected SHA1 hash algorithm which is considered insecure. SHA1 is not
collision resistant and is therefore not suitable as a cryptographic
signature. Use SHA256 or SHA3 instead.
languages:
- kt
severity: WARNING
metadata:
owasp:
- A03:2017 - Sensitive Data Exposure
- A02:2021 - Cryptographic Failures
cwe:
- "CWE-327: Use of a Broken or Risky Cryptographic Algorithm"
source-rule-url: https://find-sec-bugs.github.io/bugs.htm#WEAK_MESSAGE_DIGEST_SHA1
asvs:
section: V6 Stored Cryptography Verification Requirements
control_id: 6.2.5 Insecure Algorithm
control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x14-V6-Cryptography.md#v62-algorithms
version: "4"
category: security
technology:
- kotlin
references:
- https://owasp.org/Top10/A02_2021-Cryptographic_Failures
subcategory:
- vuln
likelihood: LOW
impact: MEDIUM
confidence: MEDIUM
license: Commons Clause License Condition v1.0[LGPL-2.1-only]
vulnerability_class:
- Cryptographic Issues
pattern-either:
- pattern: |
$VAR = $MD.getInstance("SHA1")
- pattern: |
$DU.getSha1Digest().digest(...)
Examples
use-of-sha1.kt
import java.security.MessageDigest
import org.apache.commons.codec.digest.DigestUtils
public class WeakHashes {
public fun sha1(password: String): Array<Byte> {
// ruleid: use-of-sha1
var sha1Digest: MessageDigest = MessageDigest.getInstance("SHA1")
sha1Digest.update(password.getBytes())
val hashValue: Array<Byte> = sha1Digest.digest()
return hashValue
}
public fun sha1_digestutil(password: String): Array<Byte> {
// ruleid: use-of-sha1
val hashValue: Array<Byte> = DigestUtils.getSha1Digest().digest(password.getBytes())
return hashValue
}
}
Short Link: https://sg.run/N1pp