43 lines
1.2 KiB
Plaintext
43 lines
1.2 KiB
Plaintext
include::../description.adoc[]
|
|
|
|
include::../ask-yourself.adoc[]
|
|
|
|
include::../recommended.adoc[]
|
|
|
|
== Sensitive Code Example
|
|
|
|
----
|
|
MessageDigest md1 = MessageDigest.getInstance("SHA"); // Sensitive: SHA is not a standard name, for most security providers it's an alias of SHA-1
|
|
MessageDigest md2 = MessageDigest.getInstance("SHA1"); // Sensitive
|
|
----
|
|
|
|
== Compliant Solution
|
|
|
|
[source,java]
|
|
----
|
|
MessageDigest md1 = MessageDigest.getInstance("SHA-512"); // Compliant
|
|
----
|
|
|
|
include::../see-mobile.adoc[]
|
|
|
|
ifdef::env-github,rspecator-view[]
|
|
|
|
'''
|
|
== Implementation Specification
|
|
(visible only on this page)
|
|
|
|
include::../message.adoc[]
|
|
|
|
include::../highlighting.adoc[]
|
|
|
|
'''
|
|
== Comments And Links
|
|
(visible only on this page)
|
|
|
|
=== on 14 Sep 2018, 19:06:56 Nicolas Harraudeau wrote:
|
|
The goal is to highlight code that initiates a hashing process. The Hash functions can be used by many different classes and it would be too complicated to list them all. Thus we detect the requests for hashing functions themselves, or the shortcut functions which hash without asking for a hash function (ex: ``++org.apache.commons.codec.digest.DigestUtils.sha1(data)++``).
|
|
|
|
include::../comments-and-links.adoc[]
|
|
|
|
endif::env-github,rspecator-view[]
|