Version: Developer Edition, Version 8.9.3 (build 48735)
Error: Security Hotspots reporting weak cryptography pointing to the wrong code.
Context:
We have a Typescript file that contains both the following import and the method to hash our string.
import crypto from 'crypto';
...
hash(str: string): string {
const hash = crypto.createHash('sha512');
return hash.update(str).digest('hex');
}
The code proposed by SonarQube to “fix the issue” is the following
const crypto = require("crypto");
const hash = crypto.createHash('sha512'); // Compliant
And the description of the “Recommended Secure Coding Practices” states:
Safer alternatives, such as SHA-256, SHA-512, SHA-3 are recommended, and for password hashing, it’s even better to use algorithms that do not compute too “quickly”, like bcrypt, scrypt, argon2 or pbkdf2 because it slows down brute force attacks.
Since we are using the proposed algorithm for the hashing:
- Why does SonarQube keep reporting the same error over the same code?
- Why does SonarQube underline the crypto.createHash as the target problem?
Photo of the code in our PR:
I’m assuming that the issue here is not the “hash algorithm” provided, but rather the usage of import instead of require (as the example displays), since the former is faster (async) than the latter (sync), and the rule seeks a way to slow down brute force attacks.
If my assumption is correct:
Why doesn’t SonarQube display that the issue is related to the lack of require?
If my assumption is not correct:
What is there that is not compliant with this rule?
Edit: spelling
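As an added illustration of what the quoted “Recommended Secure Coding Practices” distinguish (this is not the poster’s code nor SonarQube’s suggested fix): the first function keeps the SHA-512 fingerprint from the post, which is appropriate for content integrity, while the second and third show the slow, salted password hashing the rule text points to, using Node’s built-in crypto.scryptSync. The scrypt cost parameters and the storage format are assumptions chosen for this example.

```typescript
import * as crypto from 'crypto';

// Content fingerprint: a fast hash such as SHA-512 is the right tool here
// (this mirrors the hash() method from the post). It is NOT a password hash.
export function fingerprint(str: string): string {
  return crypto.createHash('sha512').update(str).digest('hex');
}

// scrypt cost parameters (assumption: tune for your hardware; N is a power of 2).
const SCRYPT_N = 1 << 14;
const SCRYPT_R = 8;
const SCRYPT_P = 1;
const KEY_LEN = 64;

// Password hash: random per-password salt + scrypt, stored as
// "scrypt$N$r$p$<salt b64>$<key b64>" (assumed format, chosen for this example).
export function hashPassword(password: string): string {
  const salt = crypto.randomBytes(16);
  const key = crypto.scryptSync(password, salt, KEY_LEN, { N: SCRYPT_N, r: SCRYPT_R, p: SCRYPT_P });
  return ['scrypt', SCRYPT_N, SCRYPT_R, SCRYPT_P, salt.toString('base64'), key.toString('base64')].join('$');
}

// Verify by re-deriving with the stored salt/parameters and comparing in constant time.
export function verifyPassword(password: string, stored: string): boolean {
  const parts = stored.split('$');
  if (parts.length !== 6 || parts[0] !== 'scrypt') return false;
  const N = Number(parts[1]);
  const r = Number(parts[2]);
  const p = Number(parts[3]);
  if (![N, r, p].every((v) => Number.isInteger(v) && v > 0)) return false;
  const salt = Buffer.from(parts[4], 'base64');
  const expected = Buffer.from(parts[5], 'base64');
  if (expected.length === 0) return false;
  const actual = crypto.scryptSync(password, salt, expected.length, { N, r, p });
  return actual.length === expected.length && crypto.timingSafeEqual(actual, expected);
}
```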