Create rule S5344: Passwords should not be stored in plaintext or with a fast hashing algorithm (#4655)

* Add go to rule S5344 * Add description for S5344 for Go * Add message * Extend message * Update rules/S5344/go/message.adoc Co-authored-by: teemu-rytilahti-sonarsource <teemu.rytilahti@sonarsource.com> * Update rules/S5344/go/message.adoc Co-authored-by: teemu-rytilahti-sonarsource <teemu.rytilahti@sonarsource.com> --------- Co-authored-by: daniel-teuchert-sonarsource <daniel-teuchert-sonarsource@users.noreply.github.com> Co-authored-by: Daniel Teuchert <daniel.teuchert@sonarsource.com> Co-authored-by: daniel-teuchert-sonarsource <141642369+daniel-teuchert-sonarsource@users.noreply.github.com> Co-authored-by: teemu-rytilahti-sonarsource <teemu.rytilahti@sonarsource.com>
2025-02-12 10:44:28 +01:00 · 2025-02-12 10:44:28 +01:00 · 4903879d09
commit 4903879d09
parent c79083491d
3 changed files with 80 additions and 0 deletions
--- a/rules/S5344/go/message.adoc
+++ b/rules/S5344/go/message.adoc
@ -0,0 +1,10 @@
+=== Message
+
+* Argon2i: "Use Argon2id instead of Argon2i"
+* Argon2id: "Use strong Argon2id parameters"
+* For scrypt: "Use strong scrypt parameters"
+* For PBKDF2: "Use at least ``+{min_iterations}+`` PBKDF2 iterations"
+** If `hash_name` is `"sha1"`, then min_iterations is 1,300,000
+** If `hash_name` is `"sha256"`, then min_iterations is 600,000
+** If `hash_name` is `"sha512"`, then min_iterations is 210,000
+* For bcrypt: "Use at least 10 rounds of bcrypt"
--- a/rules/S5344/go/metadata.json
+++ b/rules/S5344/go/metadata.json
@ -0,0 +1,2 @@
+{
+}
--- a/rules/S5344/go/rule.adoc
+++ b/rules/S5344/go/rule.adoc
@ -0,0 +1,68 @@
+include::../summary.adoc[]
+
+== Why is this an issue?
+
+include::../rationale.adoc[]
+
+include::../impact.adoc[]
+
+== How to fix it
+
+=== Code examples
+
+==== Noncompliant code example
+
+
+[source,go,diff-id=1,diff-type=noncompliant]
+----
+import (
+	"golang.org/x/crypto/argon2"
+)
+func passwordHashingArgon2(password string, salt []byte, w http.ResponseWriter) {
+	argon2IDHashWeak := argon2.IDKey([]byte(password), salt, 1, 32*1024, 1, 32) // Noncompliant: Use strong parameters
+}
+----
+
+
+==== Compliant solution
+
+
+[source,go,diff-id=1,diff-type=compliant]
+----
+import (
+	"golang.org/x/crypto/argon2"
+)
+func passwordHashingArgon2(password string, salt []byte, w http.ResponseWriter) {
+	argon2IDHashWeak := argon2.IDKey([]byte(password), salt, 1, 64*1024, 4, 32)
+}
+----
+
+
+=== How does this work?
+
+include::../common/fix/pbkdf2-parameters.adoc[]
+
+=== Going the extra mile
+
+include::../common/extra-mile/peppering.adoc[]
+
+
+
+
+== Resources
+
+include::../common/resources/documentation.adoc[]
+
+include::../common/resources/standards.adoc[]
+
+
+ifdef::env-github,rspecator-view[]
+
+'''
+== Implementation Specification
+(visible only on this page)
+
+include::message.adoc[]
+
+endif::env-github,rspecator-view[]
+