kotlin.lang.security.use-of-sha1.use-of-sha1

profile photo of semgrepsemgrep
Author
unknown
Download Count*
LGPL Commons Clause
License

Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead.

Run Locally

Run in CI

Semgrep CI docs

Defintion

Edit RuleView Source
Open in Playground 
rules:
  - id: use-of-sha1
    message: Detected SHA1 hash algorithm which is considered insecure. SHA1 is not
      collision resistant and is therefore not suitable as a cryptographic
      signature. Use SHA256 or SHA3 instead.
    languages:
      - kt
    severity: WARNING
    metadata:
      owasp:
        - A03:2017 - Sensitive Data Exposure
        - A02:2021 - Cryptographic Failures
      cwe:
        - "CWE-327: Use of a Broken or Risky Cryptographic Algorithm"
      source-rule-url: https://find-sec-bugs.github.io/bugs.htm#WEAK_MESSAGE_DIGEST_SHA1
      asvs:
        section: V6 Stored Cryptography Verification Requirements
        control_id: 6.2.5 Insecure Algorithm
        control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x14-V6-Cryptography.md#v62-algorithms
        version: "4"
      category: security
      technology:
        - kotlin
      references:
        - https://owasp.org/Top10/A02_2021-Cryptographic_Failures
      subcategory:
        - vuln
      likelihood: LOW
      impact: MEDIUM
      confidence: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Cryptographic Issues
    pattern-either:
      - patterns:
          - pattern: |
              $VAR = $MD.getInstance("$ALGO")
          - metavariable-regex:
              metavariable: $ALGO
              regex: (SHA1|SHA-1)
      - pattern: |
          $DU.getSha1Digest().digest(...)

Examples

use-of-sha1.kt

import java.security.MessageDigest
import org.apache.commons.codec.digest.DigestUtils

public class WeakHashes {
  public fun sha1(password: String): Array<Byte> {
      // ruleid: use-of-sha1
      var sha1Digest: MessageDigest = MessageDigest.getInstance("SHA1")
      sha1Digest.update(password.getBytes())
      val hashValue: Array<Byte> = sha1Digest.digest()
      return hashValue
  }
  public fun sha1b(password: String): Array<Byte> {
      // ruleid: use-of-sha1
      var sha1Digest: MessageDigest = MessageDigest.getInstance("SHA-1")
      sha1Digest.update(password.getBytes())
      val hashValue: Array<Byte> = sha1Digest.digest()
      return hashValue
  }
  public fun sha1_digestutil(password: String): Array<Byte> {
    // ruleid: use-of-sha1
    val hashValue: Array<Byte> = DigestUtils.getSha1Digest().digest(password.getBytes())
    return hashValue
  }
}