=== on 30 Sep 2014, 15:06:51 Ann Campbell wrote:
\[~nicolas.peru] please review

=== on 30 Sep 2014, 15:49:55 Nicolas Peru wrote:
Reviewed, corrected typo and update example.

=== on 12 Oct 2014, 17:28:38 Freddy Mallet wrote:
@Ann, I would make this rule also prevent use of MD5 which is even less secured than SHA-1. 


The title of this rule could then become :

* Unsecured SHA-1 and MD5 hash algorithms should not be used

The Non Compliant Code Example could be :

----
MessageDigest md = MessageDigest.getInstance("SHA-1");
String text = "This is some text";
md.update(text.getBytes("UTF-8"));
byte[] digest = md.digest();
----

And in Java, replacing SHA-1 by SHA-256 is an available remediation action. 

=== on 12 Dec 2014, 20:53:33 Sébastien Gioria wrote:
It's not only MD5, but all the MD-series algorithms who are not safe



=== on 15 Dec 2014, 15:04:34 Ann Campbell wrote:
Thanks [~sebastien.gioria]. Updated.

=== on 30 Aug 2018, 17:53:57 Andrei Epure wrote:
This list should also contain HAVAL-128


Also, according to http://valerieaurora.org/hash.html[this graph], RIPEMD-160 has not been found to have collisions and is in the same bucket with SHA-2 family algorithms - so it should be replaced in the list with RIPEMD-128 (which has been broken)

=== on 20 May 2020, 15:26:37 Eric Therond wrote:
Deprecated by S4790:

* we cannot guess the context where the weak hash function is used, so it's better to raise an hotspot
* we cannot maintain two rules on exactly the same subject