S4790 support usedforsecurity=False in python

Hello everyone,

Since Python 3.9, hashlib supports a keyword argument usedforsecurity which defaults to True and can be set to False to indicate a non-cryptographic use. This is already used by linters to mark e.g. md5 as unsafe if usedforsecurity=False is not used.

I’m currently using SonarQube Community Version 10.6 and SonarQube will raise a python:S4790 “Make sure that hashing data is safe here.” for this line:

import hashlib

js3 = hashlib.md5(ja3_text.encode("utf-8"), usedforsecurity=False).hexdigest()

I think it would be preferable for SonarQube to ignore lines with usedforsecurity=False for this rule.

See also: python - What is the point of usedforsecurity? - Stack Overflow
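The suppression logic the post asks for, written as an added example with Python's ast module; this is not code from the original post and not SonarQube's own implementation of S4790. It flags hashlib.md5/sha1 calls that lack a literal usedforsecurity=False and, going a step beyond the post, also covers hashlib.new("md5", ...). The SAMPLE source is constructed for the demonstration.

```python
import ast

# Algorithms a rule like S4790 treats as unsafe for security purposes.
WEAK = {"md5", "sha1"}


def _weak_algorithm(call: ast.Call):
    """Return the weak algorithm a hashlib call selects, or None."""
    func = call.func
    if not (isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name)
            and func.value.id == "hashlib"):
        return None
    if func.attr in WEAK:                      # hashlib.md5(...) / hashlib.sha1(...)
        return func.attr
    if func.attr == "new" and call.args and isinstance(call.args[0], ast.Constant):
        name = call.args[0].value              # hashlib.new("md5", ...)
        if isinstance(name, str) and name.lower() in WEAK:
            return name.lower()
    return None


def _marked_non_security(call: ast.Call) -> bool:
    """True when the call passes the literal keyword usedforsecurity=False."""
    return any(kw.arg == "usedforsecurity"
               and isinstance(kw.value, ast.Constant)
               and kw.value.value is False
               for kw in call.keywords)


def weak_hash_findings(source: str) -> list:
    """(line, algorithm) for weak-hash calls not marked usedforsecurity=False."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            algo = _weak_algorithm(node)
            if algo and not _marked_non_security(node):
                findings.append((node.lineno, algo))
    return sorted(findings)


# Constructed sample: line 3 is the reporter's JA3 fingerprint line and must
# not be flagged; lines 4 and 6 still hash without the opt-out and should be.
SAMPLE = '''
import hashlib
js3 = hashlib.md5(ja3_text.encode("utf-8"), usedforsecurity=False).hexdigest()
tok = hashlib.md5(password.encode()).hexdigest()
h = hashlib.new("sha1", data, usedforsecurity=False)
h2 = hashlib.new("sha1", data)
k = hashlib.sha256(data).hexdigest()
'''

if __name__ == "__main__":
    print(weak_hash_findings(SAMPLE))  # [(4, 'md5'), (6, 'sha1')]
```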

Hi @patrickrauscher,

Thank you for reaching out, and thank you for reporting such an issue.
You are right, we should not raise an issue when the parameter is set to false. I have created this ticket to track our progress on this false positive.

Thank you again!

Cheers,
David