php.lang.security.md5-used-as-password.md5-used-as-password

rules:
  - id: md5-used-as-password
    severity: WARNING
    message: It looks like MD5 is used as a password hash. MD5 is not considered a
      secure password hash because it can be cracked by an attacker in a short
      amount of time. Use a suitable password hashing function such as bcrypt.
      You can use `password_hash($PASSWORD, PASSWORD_BCRYPT, $OPTIONS);`.
    languages:
      - php
    metadata:
      cwe:
        - "CWE-327: Use of a Broken or Risky Cryptographic Algorithm"
      owasp:
        - A03:2017 - Sensitive Data Exposure
        - A02:2021 - Cryptographic Failures
      references:
        - https://tools.ietf.org/html/rfc6151
        - https://crypto.stackexchange.com/questions/44151/how-does-the-flame-malware-take-advantage-of-md5-collision
        - https://security.stackexchange.com/questions/211/how-to-securely-hash-passwords
        - https://github.com/returntocorp/semgrep-rules/issues/1609
        - https://www.php.net/password_hash
      category: security
      technology:
        - md5
      subcategory:
        - vuln
      likelihood: HIGH
      impact: MEDIUM
      confidence: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    mode: taint
    pattern-sources:
      - patterns:
          - pattern-either:
              - pattern: md5(...)
              - pattern: hash('md5', ...)
    pattern-sinks:
      - patterns:
          - pattern: $FUNCTION(...)
          - metavariable-regex:
              metavariable: $FUNCTION
              regex: (?i)(.*password.*)