Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[java] False positive #18082

Closed
jcrichlake opened this issue Nov 22, 2024 · 2 comments · Fixed by #18084
Closed

[java] False positive #18082

jcrichlake opened this issue Nov 22, 2024 · 2 comments · Fixed by #18084

Comments

@jcrichlake
Copy link

Java SHA3 MessageDigest

CodeQL flags code using MessageDigest.getInstance("SHA3-512") as an insecure hash. But the linked CWE documentation as well as the NIST standard attached to the alert both list SHA3 as a valid hashing algorithm. This shouldn't be an issue.

Code samples or links to source code

Link to source

@aibaars
Copy link
Contributor

aibaars commented Nov 22, 2024

Thanks for reporting!

I assume the alert was the result of the java/potentially-weak-cryptographic-algorithm query.

That query simply looks for usages of crypto algorithm names that are not in its list of known secure ones. This query has a fairly high false positive rate, and is therefore marked with @precision medium. We should probably add the SHA3 family to the list of known secure ones.

In the mean time you can run the
java/weak-cryptographic-algorithm query instead. This query has higher precision and only reports usages of algorithms that are known to be insecure.

@aibaars
Copy link
Contributor

aibaars commented Nov 22, 2024

Should be fixed by #18084

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging a pull request may close this issue.

2 participants