Hello,
I have a quick question about the fact that when using the md5 method, we get the following Security Hotspot: "Make sure this weak hash algorithm is not used in a sensitive context here".
In my case, I use md5 to obtain a key for managing my Redis cache and to avoid having a key with plain text information in the name, even if this information is not restrictive from a business perspective.
Here is the piece of code I am currently using, which returns a security error in Sonar:
$key = sprintf('%d-%s-%s', $variant->getId(), $startDate->format('Y-m-d'), $endDate->format('Y-m-d'));
And here are the different outputs:
- Without hash: 76543367-2025-12-12-2025-12-16
- With md5: 504b89461e5918d51ff07ba35af329f4
- With SHA256 (recommended by Sonar): a589d09f2a5dcd5af180e619e76bed71d3ec8d1dc3277ae8c1cb0ae29084082d4d58511df452cec486e181ec962638e921514c92a35445a1f2730e379b4c5893
There is a risk of collision with MD5, but it is very minimal in my case.
I would like to know if there is a way (other than in SonarCloud) to say, "Okay, I know this isn't the right way, but mark the following line as valid." A bit like PHPStan and Psalm, which allow you to ignore the line following a certain comment.
Thank you in advance.