FP on javascript:S4790 (Make sure that hashing data is safe here), can't infer real value of input param for createHash()

  • Community Edition
  • Version 9.1 (build 47736)

Given code:

const crypto = require("crypto"); // Node.js built-in; data, ENCODING_IN and ENCODING_OUT are defined elsewhere in the project

const ALG_HASH = "sha3-512"; // plain string holding the name of the desired hash algorithm

const hash = crypto.createHash(ALG_HASH).update(data, ENCODING_IN).digest(ENCODING_OUT);

SonarQube raises an FP, “Make sure that hashing data is safe here.”, since it can’t infer the real value of the input param ALG_HASH of crypto.createHash().

SQ assumes that ALG_HASH is the name of a hash algo instead of just being a plain string variable holding the real name of the desired hash algo.

Hello Mike,

Thank you for the feedback.

The false-positive is indeed raised but not for the reason you are mentioning. You would still get the same false-positive if you inline the string variable. What’s happening here is an inconsistency between the rule description and its implementation. The scope of the rule was changed some time ago, but we haven’t had the opportunity to update the implementation accordingly yet.

You can keep posted on the progress of the implementation update by tracking this ticket.

Hope this helps,
