Skip to content

Java: Improve weak crypto query #17869

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
jcogs33 merged 1 commit into from
Nov 24, 2024
Merged

Java: Improve weak crypto query #17869

jcogs33 merged 1 commit into from
Nov 24, 2024

Conversation

@jcogs33
Copy link
Contributor

@jcogs33 jcogs33 commented Oct 30, 2024
edited
Loading

Description

Removes weak hash algorithms such as MD5 and SHA1 from java/weak-cryptographic-algorithm and adds these cases to java/potentially-weak-cryptographic-algorithm instead.

The removal of weak hash algorithms from java/weak-cryptographic-algorithm aligns with other languages, e.g. #11129.

Consideration

Let me know if there is any concern with changing the behavior of rankedInsecureAlgorithm instead of doing the exclusion for java/weak-cryptographic-algorithm directly in BrokenAlgoLiteral? I chose to do the exclusion in rankedInsecureAlgorithm since doing so automatically adds the weak hash cases to java/potentially-weak-cryptographic-algorithm due to this code.

Note that there were some overlapping results between the two queries for cases where a weak hash algorithm string literal is used as the default value in a getProperty call (e.g. the "MD5" value in this test case). In order to avoid duplicate results for these cases in the java/potentially-weak-cryptographic-algorithm query, I've added an exclusion to InsecureAlgoLiteral.

@jcogs33 jcogs33 force-pushed the jcogs33/improve-weak-crypto branch from 8fbd6bf to 459d168 Compare November 3, 2024 23:22
@jcogs33
Copy link
Contributor Author

jcogs33 commented Nov 3, 2024

DCA alert changes look reasonable.

@jcogs33 jcogs33 changed the title [DRAFT] Java: Improve weak crypto query Java: Improve weak crypto query Nov 3, 2024
@jcogs33 jcogs33 marked this pull request as ready for review November 3, 2024 23:34
@jcogs33 jcogs33 requested a review from a team as a code owner November 3, 2024 23:34
egregius313
egregius313 approved these changes Nov 21, 2024
View reviewed changes
Copy link
Contributor

@egregius313 egregius313 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@jcogs33 jcogs33 linked an issue Nov 24, 2024 that may be closed by this pull request
Java: Noisiness of java/weak-cryptographic-algorithm / MD5 detection #17836
Closed
@jcogs33 jcogs33 merged commit f004569 into github:main Nov 24, 2024
10 checks passed
@jcogs33 jcogs33 mentioned this pull request Nov 24, 2024
Closed
@jcogs33 jcogs33 deleted the jcogs33/improve-weak-crypto branch November 24, 2024 17:06
@vlkl-sap
Copy link

vlkl-sap commented Dec 19, 2024

Hello,
this change has caused dismissed alerts to be reopened for us. This causes a lot of user misgivings and is, in general, not OK.

I kindly ask that GitHub:

  1. weighs this cost when making query changes
  2. develops technical mitigations for this problem (i.e., migration of dismissed alerts). This is not the first nor the last time this problem arises.
  3. clearly and explicitly announces such occurrences

Thanks!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@egregius313 egregius313 egregius313 approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

documentation Java

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Java: Noisiness of java/weak-cryptographic-algorithm / MD5 detection

3 participants

@jcogs33 @vlkl-sap @egregius313