Java: add SHA384 to list of secure algorithms

2026-04-25 08:45:14 +02:00 · 2024-11-25 09:22:37 -05:00
parent c2b342f1a0
commit 05b6700607
3 changed files with 9 additions and 2 deletions
--- a/java/ql/lib/semmle/code/java/security/Encryption.qll
+++ b/java/ql/lib/semmle/code/java/security/Encryption.qll
@@ -246,7 +246,7 @@ string getInsecureAlgorithmRegex() {
 string getASecureAlgorithmName() {
  result =
    [
-      "RSA", "SHA-?256", "SHA-?512", "CCM", "GCM", "AES(?![^a-zA-Z](ECB|CBC/PKCS[57]Padding))",
+      "RSA", "SHA-?(256|384|512)", "CCM", "GCM", "AES(?![^a-zA-Z](ECB|CBC/PKCS[57]Padding))",
      "Blowfish", "ECIES", "SHA3-(256|384|512)"
    ]
 }
--- a/java/ql/src/change-notes/2024-11-24-sha2.md
+++ b/java/ql/src/change-notes/2024-11-24-sha2.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Added SHA-384 to the list of secure hashing algorithms. As a result the `java/potentially-weak-cryptographic-algorithm` query should no longer flag up uses of SHA-384.
--- a/java/ql/test/query-tests/security/CWE-327/semmle/tests/WeakHashing.java
+++ b/java/ql/test/query-tests/security/CWE-327/semmle/tests/WeakHashing.java
@@ -19,7 +19,7 @@ public class WeakHashing {

        // BAD: Using a strong hashing algorithm but with a weak default
        MessageDigest bad3 = MessageDigest.getInstance(props.getProperty("hashAlg2", "MD5"));
-        
+
        // GOOD: Using a strong hashing algorithm
        MessageDigest ok = MessageDigest.getInstance(props.getProperty("hashAlg2"));

@@ -28,5 +28,8 @@ public class WeakHashing {

        // GOOD: Using a strong hashing algorithm
        MessageDigest ok3 = MessageDigest.getInstance("SHA3-512");
+
+         // GOOD: Using a strong hashing algorithm
+        MessageDigest ok4 = MessageDigest.getInstance("SHA384");
    }
 }