Ruby: Noisiness of rb/weak-cryptographic-algorithm / MD5 detection #11107
Labels
question
Further information is requested
Comments
|
Confirmed - we have extreme noise from this cluttering up every new branch we create. |
turbo
changed the title
|
Hi all 👋, Thank you for reporting this. We are aware of an increased amount of alerts caused by recent changes to this query, and a currently working on a fix. We realize this may be disruptive to your workflow at this time, so this has a high priority for us. If you need guidance on dismissing the existing alerts or exclusion logic, please let us know and someone from our team will assist here. Thanks |
|
This PR should address the issue #11119 |
This was referenced Nov 4, 2022
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Description of the false positive
https://github.com/github/codeql/blob/a520de3986987baf4c5f846bd82bf68536ae042c/ruby/ql/src/queries/security/cwe-327/BrokenCryptoAlgorithm.ql
This flags every single use of MD5 as a cryptography problem.
MD5 exists for a reason an it's entirely inappropriate to flag any and every usage of it as a cryptographic usage
It is intended to be a lighter weight, simpler algorithm. Using it at all should not be a flag. there are plenty of legitimate use cases that have nothing to do with security
example:
this sorting algorithm has nothing to do with security and absolutely does not need the heavier implementation of an SHA1 hash
The text was updated successfully, but these errors were encountered: