Skip to content

Commit

Permalink
Merge pull request #18087 from jcogs33/jcogs33/java-sha2
Browse files Browse the repository at this point in the history
Java: add SHA-384 to list of secure crypto algorithms
  • Loading branch information
jcogs33 authored Nov 26, 2024
2 parents 6d6f269 + 05b6700 commit 36acfeb
Show file tree
Hide file tree
Showing 3 changed files with 9 additions and 2 deletions.
2 changes: 1 addition & 1 deletion java/ql/lib/semmle/code/java/security/Encryption.qll
Original file line number Diff line number Diff line change
Expand Up @@ -246,7 +246,7 @@ string getInsecureAlgorithmRegex() {
string getASecureAlgorithmName() {
result =
[
"RSA", "SHA-?256", "SHA-?512", "CCM", "GCM", "AES(?![^a-zA-Z](ECB|CBC/PKCS[57]Padding))",
"RSA", "SHA-?(256|384|512)", "CCM", "GCM", "AES(?![^a-zA-Z](ECB|CBC/PKCS[57]Padding))",
"Blowfish", "ECIES", "SHA3-(256|384|512)"
]
}
Expand Down
4 changes: 4 additions & 0 deletions java/ql/src/change-notes/2024-11-24-sha2.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,4 @@
---
category: minorAnalysis
---
* Added SHA-384 to the list of secure hashing algorithms. As a result the `java/potentially-weak-cryptographic-algorithm` query should no longer flag up uses of SHA-384.
Original file line number Diff line number Diff line change
Expand Up @@ -19,7 +19,7 @@ void hashing() throws NoSuchAlgorithmException, IOException {

// BAD: Using a strong hashing algorithm but with a weak default
MessageDigest bad3 = MessageDigest.getInstance(props.getProperty("hashAlg2", "MD5"));

// GOOD: Using a strong hashing algorithm
MessageDigest ok = MessageDigest.getInstance(props.getProperty("hashAlg2"));

Expand All @@ -28,5 +28,8 @@ void hashing() throws NoSuchAlgorithmException, IOException {

// GOOD: Using a strong hashing algorithm
MessageDigest ok3 = MessageDigest.getInstance("SHA3-512");

// GOOD: Using a strong hashing algorithm
MessageDigest ok4 = MessageDigest.getInstance("SHA384");
}
}

0 comments on commit 36acfeb

Please sign in to comment.