ishangsf/rspec
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
rspec/rules/S2070/java/rule.adoc

57 lines
2.4 KiB
Plaintext
Raw Normal View History

Add rules 2000-2999
2020-06-30 12:48:07 +02:00
The MD5 algorithm and its successor, SHA-1, are no longer considered secure, because it is too easy to create hash collisions with them. That is, it takes too little computational effort to come up with a different input that produces the same MD5 or SHA-1 hash, and using the new, same-hash value gives an attacker the same access as if he had the originally-hashed value. This applies as well to the other Message-Digest algorithms: MD2, MD4, MD6, HAVAL-128, HMAC-MD5, DSA (which uses SHA-1), RIPEMD, RIPEMD-128, RIPEMD-160, HMACRIPEMD160.
Force linebreaks
2021-02-02 15:02:10 +01:00
Add rules 2000-2999
2020-06-30 12:48:07 +02:00
The following APIs are tracked for use of obsolete crypto algorithms:
Fix code block ambiguity with old header style Ensure blank line before list and clean the one leading space
2020-06-30 14:49:38 +02:00
make in-line code blocks verbatim
2021-01-27 13:42:22 +01:00
* ``++java.security.AlgorithmParameters++`` (JDK)
* ``++java.security.AlgorithmParameterGenerator++`` (JDK)
* ``++java.security.MessageDigest++`` (JDK)
* ``++java.security.KeyFactory++`` (JDK)
* ``++java.security.KeyPairGenerator++`` (JDK)
* ``++java.security.Signature++`` (JDK)
Fix the double-plus ++ handling in the inline-code
2021-01-27 16:55:38 +01:00
* ``++javax.crypto.Mac++`` (JDK)
make in-line code blocks verbatim
2021-01-27 13:42:22 +01:00
* ``++javax.crypto.KeyGenerator++`` (JDK)
* ``++org.apache.commons.codec.digest.DigestUtils++`` (Apache Commons Codec)
* ``++org.springframework.util.DigestUtils++``
* ``++com.google.common.hash.Hashing++`` (Guava)
* ``++org.springframework.security.authentication.encoding.ShaPasswordEncoder++`` (Spring Security 4.2.x)
* ``++org.springframework.security.authentication.encoding.Md5PasswordEncoder++`` (Spring Security 4.2.x)
* ``++org.springframework.security.crypto.password.LdapShaPasswordEncoder++`` (Spring Security 5.0.x)
* ``++org.springframework.security.crypto.password.Md4PasswordEncoder++`` (Spring Security 5.0.x)
* ``++org.springframework.security.crypto.password.MessageDigestPasswordEncoder++`` (Spring Security 5.0.x)
* ``++org.springframework.security.crypto.password.NoOpPasswordEncoder++`` (Spring Security 5.0.x)
* ``++org.springframework.security.crypto.password.StandardPasswordEncoder++`` (Spring Security 5.0.x)
Add rules 2000-2999
2020-06-30 12:48:07 +02:00
Consider using safer alternatives, such as SHA-256, SHA-3 or adaptive one way functions like bcrypt or PBKDF2.
== Noncompliant Code Example
RULEAPI-661: Add syntax coloring
2022-02-04 17:28:24 +01:00
[source,java]
Add rules 2000-2999
2020-06-30 12:48:07 +02:00
----
MessageDigest md = MessageDigest.getInstance("SHA1"); // Noncompliant
----
== Compliant Solution
RULEAPI-661: Add syntax coloring
2022-02-04 17:28:24 +01:00
[source,java]
Add rules 2000-2999
2020-06-30 12:48:07 +02:00
----
MessageDigest md = MessageDigest.getInstance("SHA-256");
----
include::../see.adoc[]
Export comments and rspec-to-rspec links from jira
2021-06-02 20:44:38 +02:00
Fix the comment display: rule-id, timestamp, GH visibility, link direction
2021-06-03 09:05:38 +02:00
ifdef::env-github,rspecator-view[]
RULEAPI-666: Migrate the "List of parameters", "Highlighting" and "Message" fields from jira RSPEC (#346)
2021-09-20 15:38:42 +02:00
'''
== Implementation Specification
(visible only on this page)
include::../message.adoc[]
RULEAPI-576: add a horizontal rule between rule description and comments
2021-06-08 15:52:13 +02:00
'''
Export comments and rspec-to-rspec links from jira
2021-06-02 20:44:38 +02:00
== Comments And Links
(visible only on this page)
include::../comments-and-links.adoc[]
Fix the comment display: rule-id, timestamp, GH visibility, link direction
2021-06-03 09:05:38 +02:00
endif::env-github,rspecator-view[]
Reference in New Issue Copy Permalink