Merge Develop into Release #3544

Open
wants to merge 2 commits into
base: release

r2c-argo[bot] (Contributor) commented Dec 21, 2024

Created automatically with the Argo bot using the Argo workflow in release-workflow.yaml

Sjord and others added 2 commits December 20, 2024 08:50
MD5 and SHA1 are insecure hash functions. These have their own function names (`md5(...)`, `sha1(...)`) but can also be calculated using `hash('md5', ...)` and `hash('sha1', ...)`. Also find these instances and report them as weak crypto.

Also, write out all function names as function calls instead of matching them with a regular expression, for readability and performance reasons.
SHA224 and other hashes with 224 bits are currently on the edge of what is considered a secure hash function. The Australian Cyber Security Center and NIST have indicated that SHA224 is going to be deprecated in the future.

This adds a rule to detect SHA224 and similar hashes. It is distinct from the existing MD5 and SHA1 rules, because those are currently a security problem, and SHA224 is more of a future compliance problem.

Co-authored-by: Claudio <claudio@r2c.dev>
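
The split described in the two commit messages above (MD5/SHA1 as a current weakness, 224-bit hashes as a future compliance issue), shown as an added Python example. It is not the rule code from this pull request and uses plain regular-expression text matching rather than the project's own pattern syntax. The 224-bit algorithm list, the severity labels, and the PHP sample are assumptions constructed for illustration.

```python
import re

# Algorithms the first commit message treats as a current security problem.
INSECURE = {"md5", "sha1"}
# Assumption: PHP hash() names with 224-bit output; the page only says "SHA224 and similar".
EDGE_224 = {"sha224", "sha512/224", "sha3-224"}

# md5(...) / sha1(...) called as plain functions. The lookbehind rejects
# method calls ($o->md5, Foo::md5) and longer names such as my_md5.
DIRECT = re.compile(r"(?<![\w$>:])(md5|sha1)\s*\(", re.I)
# hash('<algo>', ...) with a string literal as the first argument.
GENERIC = re.compile(r"(?<![\w$>:])hash\s*\(\s*(['\"])([^'\"]+)\1", re.I)


def classify(algo):
    # Severity labels are hypothetical names chosen for this example.
    algo = algo.lower()
    if algo in INSECURE:
        return "insecure"
    if algo in EDGE_224:
        return "future-deprecation"
    return None


def scan(php_source):
    """Return (line number, algorithm, severity) per flagged call; text matching only."""
    findings = []
    for lineno, line in enumerate(php_source.splitlines(), 1):
        names = [m.group(1) for m in DIRECT.finditer(line)]
        names += [m.group(2) for m in GENERIC.finditer(line)]
        for name in names:
            severity = classify(name)
            if severity:
                findings.append((lineno, name.lower(), severity))
    return findings


# Constructed sample input, not taken from the pull request.
SAMPLE = '''<?php
$a = md5($password);
$b = hash('sha1', $data);
$c = hash("SHA224", $data);
$d = hash('sha256', $data);
$e = password_hash($password, PASSWORD_DEFAULT);
$f = $obj->md5($x);
$g = hash('sha3-224', $data);
'''
```

Because it matches text line by line, this example does not resolve algorithm names passed through variables and does not tell comments apart from code.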