github / codeql

CodeQL: the libraries and queries that power security researchers around the world, as well as code scanning in GitHub Advanced Security
https://codeql.github.com
MIT License

[java] False positive #18082

Closed jcrichlake closed 18 hours ago

jcrichlake commented 3 days ago

Java SHA3 MessageDigest

CodeQL flags code using MessageDigest.getInstance("SHA3-512") as an insecure hash. But the linked CWE documentation as well as the NIST standard attached to the alert both list SHA3 as a valid hashing algorithm. This shouldn't be an issue.

Code samples or links to source code

Link to source

aibaars commented 3 days ago

Thanks for reporting!

I assume the alert was the result of the java/potentially-weak-cryptographic-algorithm query.

That query simply looks for usages of crypto algorithm names that are not in its list of known secure ones. This query has a fairly high false positive rate, and is therefore marked with @precision medium. We should probably add the SHA3 family to the list of known secure ones.

In the meantime you can run the java/weak-cryptographic-algorithm query instead. This query has higher precision and only reports usages of algorithms that are known to be insecure.
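
The two matching strategies described above (an allow-list query that flags every name not known to be secure, versus a deny-list query that flags only names known to be insecure) modelled in Python, as an added example that is not part of this issue thread and not CodeQL's own code. The pattern lists are constructed for illustration and are not the contents of CodeQL's Encryption.qll; only MessageDigest-style names are considered.

```python
import re

# Constructed pattern lists in the spirit of the two queries; NOT CodeQL's real data.
SECURE_BEFORE_FIX = [r"SHA-?(256|384|512)", r"SHA-?512/(224|256)"]
# The fix discussed in the thread amounts to teaching the allow-list about SHA3.
SECURE_AFTER_FIX = SECURE_BEFORE_FIX + [r"SHA3-(224|256|384|512)"]
INSECURE = [r"MD[245]", r"SHA-?0", r"SHA-?1"]


def potentially_weak(name: str, secure_patterns: list[str]) -> bool:
    """Allow-list style (java/potentially-weak-cryptographic-algorithm):
    report any algorithm name that does not match a known-secure pattern.
    Unknown-but-fine names like SHA3-512 are reported too, hence medium precision."""
    return not any(re.fullmatch(p, name, re.IGNORECASE) for p in secure_patterns)


def weak(name: str) -> bool:
    """Deny-list style (java/weak-cryptographic-algorithm):
    report only names matching a known-insecure pattern; unknown names pass."""
    return any(re.fullmatch(p, name, re.IGNORECASE) for p in INSECURE)


def false_positives(names: list[str], secure_patterns: list[str]) -> list[str]:
    """Names the allow-list query reports that the deny-list query does not.
    Each such name is either a genuine false positive (SHA3 here) or a weak
    algorithm the deny-list has not yet been taught; reviewing this set is how
    the allow-list gets extended."""
    return sorted(n for n in names if potentially_weak(n, secure_patterns) and not weak(n))


# Constructed sample of MessageDigest.getInstance() arguments from a codebase.
SAMPLE_NAMES = ["MD5", "SHA-1", "SHA-256", "SHA3-512", "SHA-512/256"]

if __name__ == "__main__":
    for label, patterns in (("before fix", SECURE_BEFORE_FIX), ("after fix", SECURE_AFTER_FIX)):
        print(f"{label}: allow-list-only findings = {false_positives(SAMPLE_NAMES, patterns)}")
```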

aibaars commented 3 days ago

Should be fixed by https://github.com/github/codeql/pull/18084