Odd Security hotspot for python - Weak Cryptography

mmarinova-mm · December 8, 2020, 4:23pm

Hello,

I have a mostly ruby project, with the pymysql (https://github.com/PyMySQL/PyMySQL) library copied into the repository. I am using SonarCloud for scanning.

I am getting the a few security hotspots stating https://rules.sonarsource.com/python/RSPEC-4790 as the issue. They are all about use of sha256 or sha512 in the code. As an example:

Why is the scan alarming about use of sha256 and sha512 when they are both listed in the Recommended Secure Coding Practices?

Is this a false positive or is there something I need to do to remediate this?

Regards,

Colin · December 8, 2020, 4:30pm

Hey there.

Right now, S4790 raised an issue everywhere a hash function is used (even when a secure hash function, like SHA-256, is used).

We know this isn’t ideal and will address this: SONARPY-704

mmarinova-mm · December 8, 2020, 4:54pm

That explains it.
Thank you so much for the quick resolution!

system · December 15, 2020, 4:54pm

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Weak Cryptography alert in SonarQube for SHA256 SonarQube Server / Community Build javascript , security-hotspot	2	1595	October 26, 2021
Wrong security hotspot detection in Python Flask SonarQube Cloud python , security-hotspot , sonarqube-cloud	4	558	July 22, 2022
Sonarqube scanned a wrong security hotspots SonarQube Server / Community Build javascript , sonarqube	1	1771	November 1, 2021
Need help for Weak Cryptography alert in SonarQube for SHA256 SonarQube Server / Community Build security , security-hotspot	3	1855	January 28, 2021
Issue with Cryptographic hash algorithms SonarQube Server / Community Build typescript , sonarqube , scanner	3	2166	March 31, 2022

Odd Security hotspot for python - Weak Cryptography

Related topics