
[java] False positive #18082

Open
jcrichlake opened this issue Nov 22, 2024 · 2 comments · May be fixed by #18084

Comments

@jcrichlake

Java SHA3 MessageDigest

CodeQL flags code using MessageDigest.getInstance("SHA3-512") as an insecure hash. But the linked CWE documentation as well as the NIST standard attached to the alert both list SHA3 as a valid hashing algorithm. This shouldn't be an issue.

Code samples or links to source code

Link to source

@aibaars
Contributor

aibaars commented Nov 22, 2024

Thanks for reporting!

I assume the alert was the result of the java/potentially-weak-cryptographic-algorithm query.

That query simply looks for usages of crypto algorithm names that are not in its list of known secure ones. This query has a fairly high false positive rate, and is therefore marked with @precision medium. We should probably add the SHA3 family to the list of known secure ones.

In the meantime you can run the java/weak-cryptographic-algorithm query instead. This query has higher precision and only reports usages of algorithms that are known to be insecure.
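The difference between the two queries described above is an allowlist check versus a denylist check over the algorithm-name string literal. The following is an added example (not the CodeQL queries or library code, and the regex patterns are constructed simplifications, not the ones CodeQL ships) that models both styles over a constructed Java fragment, and shows why adding the SHA3 family to the known-secure list removes the reported alert while a denylist query never raised it:

```python
import re

# Constructed patterns that model the two query styles described in the comment.
# They are illustrative simplifications, not the regexes the CodeQL Java
# library actually uses.
SECURE_BEFORE = re.compile(r"^(SHA-?(256|384|512)|AES|RSA|EC|ECDSA|ECDH|ChaCha20)$", re.I)
# The same allowlist with the SHA3 family added, as the comment proposes.
SECURE_AFTER = re.compile(
    r"^(SHA-?(256|384|512)|SHA3-(224|256|384|512)|AES|RSA|EC|ECDSA|ECDH|ChaCha20)$", re.I)
# Denylist of algorithms known to be broken or deprecated.
INSECURE = re.compile(r"^(MD2|MD4|MD5|SHA-?1|DES|RC2|RC4|ARCFOUR)$", re.I)

# Matches the string literal handed to a JCA getInstance(...) call.
GET_INSTANCE = re.compile(r'\b(MessageDigest|Cipher|Mac|Signature)\.getInstance\(\s*"([^"]+)"')


def algorithm_names(java_source):
    """Return (line_number, literal) for every getInstance("...") in the source."""
    found = []
    for lineno, line in enumerate(java_source.splitlines(), start=1):
        for m in GET_INSTANCE.finditer(line):
            found.append((lineno, m.group(2)))
    return found


def base_name(literal):
    """Strip a cipher transformation down to its algorithm: 'DES/CBC/PKCS5Padding' -> 'DES'."""
    return literal.split("/", 1)[0]


def potentially_weak(java_source, secure):
    """Allowlist model (java/potentially-weak-cryptographic-algorithm):
    report every name that is NOT on the known-secure list. Unknown but
    acceptable algorithms are reported too, hence the medium precision."""
    return [(n, lit) for n, lit in algorithm_names(java_source)
            if not secure.match(base_name(lit))]


def weak(java_source):
    """Denylist model (java/weak-cryptographic-algorithm):
    report only names known to be insecure. Higher precision, but an
    algorithm the denylist does not know about is never reported."""
    return [(n, lit) for n, lit in algorithm_names(java_source)
            if INSECURE.match(base_name(lit))]


# Constructed Java fragment standing in for the reporter's code.
SAMPLE = "\n".join([
    'MessageDigest md = MessageDigest.getInstance("SHA3-512");',
    'MessageDigest legacy = MessageDigest.getInstance("MD5");',
    'Cipher c = Cipher.getInstance("AES/GCM/NoPadding");',
    'Cipher d = Cipher.getInstance("DES/CBC/PKCS5Padding");',
    'MessageDigest w = MessageDigest.getInstance("Whirlpool");',
])

if __name__ == "__main__":
    print("allowlist, before fix:", potentially_weak(SAMPLE, SECURE_BEFORE))
    print("allowlist, SHA3 added:", potentially_weak(SAMPLE, SECURE_AFTER))
    print("denylist:", weak(SAMPLE))
```

With the original allowlist, line 1 (SHA3-512) is reported alongside the genuinely weak MD5 and DES; once SHA3 is on the allowlist only MD5, DES and the unlisted Whirlpool remain, and the denylist model reports just MD5 and DES. That trade-off (unknown names reported versus unknown names silently accepted) is the precision difference the comment describes.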

@aibaars aibaars linked a pull request Nov 22, 2024 that will close this issue
@aibaars
Contributor

aibaars commented Nov 22, 2024

Should be fixed by #18084
