diff --git a/java/ql/lib/semmle/code/java/security/Encryption.qll b/java/ql/lib/semmle/code/java/security/Encryption.qll index 1b28f5cbba61..dae80b19be19 100644 --- a/java/ql/lib/semmle/code/java/security/Encryption.qll +++ b/java/ql/lib/semmle/code/java/security/Encryption.qll @@ -247,7 +247,7 @@ string getASecureAlgorithmName() { result = [ "RSA", "SHA-?256", "SHA-?512", "CCM", "GCM", "AES(?![^a-zA-Z](ECB|CBC/PKCS[57]Padding))", - "Blowfish", "ECIES" + "Blowfish", "ECIES", "SHA3-(256|384|512)" ] } diff --git a/java/ql/src/change-notes/2024-11-22-sha3.md b/java/ql/src/change-notes/2024-11-22-sha3.md new file mode 100644 index 000000000000..61dbc35162e1 --- /dev/null +++ b/java/ql/src/change-notes/2024-11-22-sha3.md @@ -0,0 +1,4 @@ +--- +category: minorAnalysis +--- +* Added SHA3 to the list of secure hashing algorithms. As a result the `java/potentially-weak-cryptographic-algorithm` query should no longer flag up uses of SHA3. diff --git a/java/ql/test/query-tests/security/CWE-327/semmle/tests/WeakHashing.java b/java/ql/test/query-tests/security/CWE-327/semmle/tests/WeakHashing.java index 6a3565fc1412..8858576cb904 100644 --- a/java/ql/test/query-tests/security/CWE-327/semmle/tests/WeakHashing.java +++ b/java/ql/test/query-tests/security/CWE-327/semmle/tests/WeakHashing.java @@ -25,5 +25,8 @@ void hashing() throws NoSuchAlgorithmException, IOException { // OK: Property does not exist and default is secure MessageDigest ok2 = MessageDigest.getInstance(props.getProperty("hashAlg3", "SHA-256")); + + // GOOD: Using a strong hashing algorithm + MessageDigest ok3 = MessageDigest.getInstance("SHA3-512"); } -} \ No newline at end of file +}