0xdea / semgrep-rules

A collection of my Semgrep rules to facilitate vulnerability research.
https://semgrep.dev
MIT License
541 stars 54 forks

cryptographic misuse rules #6

Closed firmianay closed 2 years ago

firmianay commented 2 years ago

Is it possible to add a check item for misuse of cryptography, such as MD5, which has been regarded as insecure? The check method may be an insecure-api-MD5_Init.yaml.

0xdea commented 2 years ago

It's certainly possible to check for potentially insecure code patterns related to cryptographic functions. In fact, here's a simple example: https://github.com/0xdea/semgrep-rules/blob/main/generic/bad-words.yaml#L49

That said, I haven't included specific rules for C/C++ as these languages do not have built-in cryptographic libraries. I'll leave the issue open and perhaps I'll add some specific rules for OpenSSL (e.g., https://linux.die.net/man/3/md5_init) in the future.

Thank you for the suggestion!
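As an added illustration of the kind of OpenSSL-specific rule discussed above (this is example code written for this page, not a rule from the 0xdea/semgrep-rules repository), here is a Semgrep rule that flags calls to the legacy OpenSSL MD5 API (`MD5_Init`, `MD5_Update`, `MD5_Final`, the one-shot `MD5()` helper) and to the `EVP_md5()` digest selector, so that `EVP_DigestInit_ex(ctx, EVP_md5(), NULL)` is caught as well. The rule id, message text and metadata values are my own choices; the function names are the real OpenSSL identifiers.

```yaml
# Example rule (not part of 0xdea/semgrep-rules): flag use of MD5 through OpenSSL in C/C++.
# Save as insecure-api-md5-openssl.yaml and run:
#   semgrep --config insecure-api-md5-openssl.yaml path/to/source
rules:
  - id: insecure-api-md5-openssl   # rule id chosen for this example
    languages: [c, cpp]
    severity: WARNING
    message: >-
      Use of MD5 via OpenSSL ($FUNC). MD5 is not collision resistant and must not
      be used for signatures, certificates, password hashing or integrity checks
      an attacker can influence. Review the call site: if a security property is
      expected, switch to SHA-256 or better (e.g. EVP_sha256()); if MD5 is only a
      non-security checksum required by a legacy format, document that and ignore.
    metadata:
      category: security
      subcategory: [audit]
      cwe: "CWE-328: Use of Weak Hash"
      confidence: LOW          # usage is flagged for review, not proven exploitable
      references:
        - https://linux.die.net/man/3/md5_init
    pattern-either:
      # Legacy low-level API (deprecated since OpenSSL 3.0)
      - pattern: $FUNC(...)
        metavariable-regex:
          metavariable: $FUNC
          regex: ^(MD5_Init|MD5_Update|MD5_Final|MD5)$
      # EVP API: the digest selector is the reliable thing to match, because the
      # call that uses it (EVP_DigestInit, EVP_DigestInit_ex, EVP_Digest, ...) varies.
      - pattern: $FUNC()
        metavariable-regex:
          metavariable: $FUNC
          regex: ^EVP_md5$
```

The `metavariable-regex` form is used rather than five separate `pattern:` entries so that the matched function name can be echoed back in the message through `$FUNC`; Semgrep matches the call expression regardless of argument count, so `MD5(data, len, out)` and `MD5_Init(&ctx)` both hit. Because legitimate non-security uses of MD5 exist, the example keeps the severity at WARNING and low confidence: the rule is a triage aid for vulnerability research, and each hit still needs a human to decide whether a security property depends on the hash.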

firmianay commented 2 years ago

Thanks for the explanation, looking forward to more rule updates~