False positive for Unsafe comparison of hash that are susceptible to timing attack

Reference CWE-203: Information Exposure Through Discrepancy
(https://cwe.mitre.org/data/definitions/203.html)

SonarQube Scanner For Maven Version : 3.7.0.1746

Sonar considers some strings to be hashes and reports an unsafe comparison of hashes that is susceptible to timing attack, whereas they are randomly generated strings (UUID). Example of code generating the issue:

//if no share match shareId return exception
if (foundFile.getShares().stream().noneMatch(a -> a.getShareId().equals(shareId))) {
    throw new ShareUnknownException(String.format("Unknown share identifier: %s", shareId));
}

I can’t explain why the shareId string is considered as a hash.
Any idea?
Regards
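
For context on what the quoted rule message is about, here is an added example (not code from this thread or from the findsecbugs project) of the case it targets: a secret-derived digest checked against a caller-supplied value, first with an early-exit `equals` and then with `MessageDigest.isEqual`. The class name, method names, key and message are constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Added illustration: all names and sample values are hypothetical.
public class HashCompareExample {

    // Computes the tag the server expects for a message.
    static byte[] hmacSha256(byte[] key, String message) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return mac.doFinal(message.getBytes(StandardCharsets.UTF_8));
    }

    static String toHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }

    // Pattern the rule targets: String.equals stops at the first differing
    // character, so response time depends on how much of the tag matched.
    static boolean verifyWithEquals(String expectedHex, String suppliedHex) {
        return expectedHex.equals(suppliedHex);
    }

    // Constant-time alternative: MessageDigest.isEqual examines every byte
    // before returning, so timing does not reveal the mismatch position.
    static boolean verifyConstantTime(byte[] expected, byte[] supplied) {
        return MessageDigest.isEqual(expected, supplied);
    }

    public static void main(String[] args) throws Exception {
        byte[] key = "constructed-demo-key".getBytes(StandardCharsets.UTF_8);
        byte[] expected = hmacSha256(key, "constructed-message");

        // Constructed tampered tag: same length, last byte flipped.
        byte[] tampered = expected.clone();
        tampered[tampered.length - 1] ^= 0x01;

        System.out.println("equals, valid tag:      " + verifyWithEquals(toHex(expected), toHex(expected)));
        System.out.println("equals, tampered tag:   " + verifyWithEquals(toHex(expected), toHex(tampered)));
        System.out.println("isEqual, valid tag:     " + verifyConstantTime(expected, expected));
        System.out.println("isEqual, tampered tag:  " + verifyConstantTime(expected, tampered));
    }
}
```

Both checks return the same boolean; the difference is only in how long the comparison takes as a function of the input, which is what CWE-203 describes.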

Hello @Thierry_Morel,

I’m confused, I’m not sure what rule you are talking about. You are talking about Java, right?

Can you provide the name of the rule, eventually the key or the message displayed?

Thanks

Hello Quentin,
Thanks for replying. Yes, I’m talking about Java.
The name of the rule seems to be findsecbugs:UNSAFE_HASH_EQUALS.
Here is a screenshot.

Thanks for the follow-up.

I understand better why I didn’t recognize the rule, in fact, it is coming from the findsecbugs plugin.
Since we are not the maintainers of this plugin, I cannot help you further. I would suggest reporting this issue directly to them.

Thanks Quentin, I’ll do that.
