Merge pull request #18084 from github/aibaars/java-sha3

Java: add SHA3 family to list of secure crypto algorithms
2026-04-25 08:45:14 +02:00 · 2024-11-25 15:07:43 +01:00
parent d5c8dfd88c 5eb91fd516
commit c2b342f1a0
3 changed files with 9 additions and 2 deletions
--- a/java/ql/lib/semmle/code/java/security/Encryption.qll
+++ b/java/ql/lib/semmle/code/java/security/Encryption.qll
@@ -247,7 +247,7 @@ string getASecureAlgorithmName() {
  result =
    [
      "RSA", "SHA-?256", "SHA-?512", "CCM", "GCM", "AES(?![^a-zA-Z](ECB|CBC/PKCS[57]Padding))",
-      "Blowfish", "ECIES"
+      "Blowfish", "ECIES", "SHA3-(256|384|512)"
    ]
 }

--- a/java/ql/src/change-notes/2024-11-22-sha3.md
+++ b/java/ql/src/change-notes/2024-11-22-sha3.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Added SHA3 to the list of secure hashing algorithms. As a result the `java/potentially-weak-cryptographic-algorithm` query should no longer flag up uses of SHA3.
--- a/java/ql/test/query-tests/security/CWE-327/semmle/tests/WeakHashing.java
+++ b/java/ql/test/query-tests/security/CWE-327/semmle/tests/WeakHashing.java
@@ -25,5 +25,8 @@ public class WeakHashing {

        // OK: Property does not exist and default is secure
        MessageDigest ok2 = MessageDigest.getInstance(props.getProperty("hashAlg3", "SHA-256"));
+
+        // GOOD: Using a strong hashing algorithm
+        MessageDigest ok3 = MessageDigest.getInstance("SHA3-512");
    }
-}
+}