ocaml.lang.security.digest.ocamllint-digest

Author
unknown

Digest uses MD5 and should not be used for security purposes. Consider using SHA256 instead.

Definition

rules:
  - id: ocamllint-digest
    pattern-either:
      - pattern: Digest.string
      - pattern: Digest.bytes
      - pattern: Digest.substring
      - pattern: Digest.subbytes
      - pattern: Digest.channel
      - pattern: Digest.file
    message: Digest uses MD5 and should not be used for security purposes. Consider
      using SHA256 instead.
    languages:
      - ocaml
    severity: WARNING
    metadata:
      category: security
      references:
        - https://v2.ocaml.org/api/Digest.html
      technology:
        - ocaml
      cwe: "CWE-328: Use of Weak Hash (4.12)"
      confidence: LOW
      likelihood: MEDIUM
      impact: MEDIUM
      subcategory:
        - audit
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Other

Examples

digest.ml

(* ruleid:ocamllint-digest *)
let a = Digest.string "asd" in
  (* Digest.string returns the raw 16-byte MD5 digest; hex-encode it before printing. *)
  Printf.printf "%s\n" (Digest.to_hex a)
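As an added example that is not part of the registry page, the following test file (hypothetical name `digest_test.ml`) uses the same `ruleid:`/`ok:` annotation style as `digest.ml` to show both the calls this rule flags and a replacement that it does not flag; the SHA-256 code assumes the third-party `digestif` library.

```ocaml
(* Added example, not from the Semgrep registry or the ocamllint rule set.
   The MD5 lines use only the OCaml standard library; the SHA-256 line
   assumes `digestif` (opam install digestif) and builds with:
   ocamlfind ocamlopt -package digestif -linkpkg digest_test.ml *)

(* Constructed sample input. *)
let data = "constructed sample input"

(* Flagged: every hashing entry point in Digest (string, bytes, substring,
   subbytes, channel, file) computes MD5, so a code reviewer can see the
   weak algorithm only by knowing the module. *)
(* ruleid:ocamllint-digest *)
let md5_hex = Digest.to_hex (Digest.string data)

(* ruleid:ocamllint-digest *)
let md5_of_file path = Digest.to_hex (Digest.file path)

(* Not flagged: the rule's patterns name only the Digest module's hashing
   functions, so a SHA-256 digest via Digestif does not match. *)
(* ok:ocamllint-digest *)
let sha256_hex = Digestif.SHA256.(to_hex (digest_string data))

let () =
  Printf.printf "md5    = %s\nsha256 = %s\n" md5_hex sha256_hex
```

Running `semgrep --test` against the rule and this file checks that each `ruleid:` line produces a finding and each `ok:` line does not.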