FP on javascript:S4790 (Make sure that hashing data is safe here), can't infer real value of input param for createHash()

  • Community Edition
  • Version 9.1 (build 47736)

Given code:

const crypto = require("crypto");

const ALG_HASH = "sha3-512";

// data, ENCODING_IN and ENCODING_OUT are defined elsewhere in the surrounding code
const hash = crypto.createHash(ALG_HASH).update(data, ENCODING_IN).digest(ENCODING_OUT);

SonarQube raises an FP “Make sure that hashing data is safe here”, since it can’t infer the real value of the input param ALG_HASH of crypto.createHash().

SQ assumes that ALG_HASH is the name of a hash algo instead of just being a plain string variable holding the real name of the desired hash algo.