Summary
Rule G401 covers multiple CWEs inaccurately.
Steps to reproduce the behavior
None.
gosec version
Gosec compiled from main branch. Last committed hash: 2ae137abcf405533ad6e549e9363e58e4f6e8b7d
Go version (output of 'go version')
go1.22.4 linux/amd64
Operating system / Environment
Linux
Expected behavior
Currently, rule G401 detects the usage of outdated encryption and hashing algorithms. Personally, I would categorize hashing algorithms with CWE-328, and encryption algorithms with CWE-327.
Actual behavior
Usage of MD5 and SHA1 is detected as CWE-326, which is not informative enough.
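
The split proposed in this report, sketched as an added example (not gosec's code and not part of the original issue): a syntax-only pass that tags each reference to a weak primitive with CWE-328 for hashes or CWE-327 for ciphers. The names `weakCrypto`, `Classify` and `sample` are hypothetical, and DES and RC4 are assumed here as the "outdated encryption" packages.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"path"
	"strconv"
)

// Split proposed in the issue. MD5/SHA1 come from the issue; DES/RC4 are assumed here.
var weakCrypto = map[string]string{
	"crypto/md5": "CWE-328", "crypto/sha1": "CWE-328", // weak hash
	"crypto/des": "CWE-327", "crypto/rc4": "CWE-327", // broken or risky cipher
}

// Classify lists pkg.Name references into weakCrypto packages (syntax only, no type info).
func Classify(src string) ([]string, error) {
	fset := token.NewFileSet()
	file, err := parser.ParseFile(fset, "sample.go", src, 0)
	if err != nil {
		return nil, err
	}
	local := map[string]string{} // name used in the file -> import path
	for _, imp := range file.Imports {
		p, _ := strconv.Unquote(imp.Path.Value)
		name := path.Base(p)
		if imp.Name != nil {
			name = imp.Name.Name // aliased import, e.g. h "crypto/sha1"
		}
		local[name] = p
	}
	var out []string
	ast.Inspect(file, func(n ast.Node) bool {
		if sel, ok := n.(*ast.SelectorExpr); ok {
			if id, ok := sel.X.(*ast.Ident); ok && weakCrypto[local[id.Name]] != "" {
				p, line := local[id.Name], fset.Position(sel.Pos()).Line
				out = append(out, fmt.Sprintf("line %d: %s (%s) -> %s", line, sel.Sel.Name, p, weakCrypto[p]))
			}
		}
		return true
	})
	return out, nil
}

const sample = "package d\nimport (\n\t\"crypto/md5\"\n\th \"crypto/sha1\"\n\t\"crypto/des\"\n\t\"crypto/sha256\"\n)\nvar m = md5.New()\nvar a = h.New()\nvar b, _ = des.NewCipher(nil)\nvar c = sha256.New()\n" // constructed input
func main() {
	fmt.Println(Classify(sample))
}
```

Because the pass has no type information, a local variable that shadows an imported package name would be misreported; a real rule would resolve identifiers through the type checker.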