Hello everyone,
since Python 3.9, hashlib supports a keyword argument usedforsecurity which defaults to True and can be set to False to indicate a non-cryptographic use. This is already used by linters to mark e.g. md5 as unsafe if usedforsecurity=False is not used.

I’m currently using SonarQube Community Version 10.6 and SonarQube will raise a python:S4790 “Make sure that hashing data is safe here.” for this line:

```python
import hashlib

ja3_text = "..."  # placeholder: the JA3 string being fingerprinted (not shown in the post)
# MD5 is used here only as a fingerprint, so it is explicitly marked non-cryptographic
js3 = hashlib.md5(ja3_text.encode("utf-8"), usedforsecurity=False).hexdigest()
```

I think it would be preferable for SonarQube to ignore lines with usedforsecurity=False for this rule.
See also: python - What is the point of usedforsecurity? - Stack Overflow
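The post asks for exactly the distinction a rule like S4790 could make: a weak-hash call that carries usedforsecurity=False is a declared non-cryptographic use, while one without it is the case worth flagging. The following is an added example, not code from the post or from SonarQube, that implements that check with Python's own ast module over a small constructed source snippet, alongside a fingerprint helper of the kind the post describes (the JA3 input string is a constructed sample):

```python
import ast
import hashlib

# Digests that a security linter treats as weak for cryptographic purposes.
WEAK_HASHES = {"md5", "sha1"}


def ja3_fingerprint(ja3_text: str) -> str:
    """MD5 used purely as a fingerprint/identifier, declared as such for hashlib and linters."""
    return hashlib.md5(ja3_text.encode("utf-8"), usedforsecurity=False).hexdigest()


def _is_usedforsecurity_false(call: ast.Call) -> bool:
    """True if the call passes the literal keyword usedforsecurity=False."""
    for kw in call.keywords:
        if (
            kw.arg == "usedforsecurity"
            and isinstance(kw.value, ast.Constant)
            and kw.value.value is False
        ):
            return True
    return False


def weak_hash_calls(source: str) -> list[tuple[int, str]]:
    """Return (line number, algorithm) for hashlib.md5/sha1 calls that are not
    explicitly marked usedforsecurity=False. Handles `hashlib.md5(...)`,
    `from hashlib import md5; md5(...)` and `hashlib.new("md5", ...)`."""
    findings: list[tuple[int, str]] = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        algo = None
        if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name) \
                and func.value.id == "hashlib":
            if func.attr in WEAK_HASHES:
                algo = func.attr
            elif func.attr == "new" and node.args \
                    and isinstance(node.args[0], ast.Constant) \
                    and str(node.args[0].value).lower() in WEAK_HASHES:
                algo = str(node.args[0].value).lower()
        elif isinstance(func, ast.Name) and func.id in WEAK_HASHES:
            algo = func.id
        if algo is not None and not _is_usedforsecurity_false(node):
            findings.append((node.lineno, algo))
    return findings


# Constructed sample source: only lines 2, 5 and 6 should be reported.
SAMPLE_SOURCE = '''import hashlib
a = hashlib.md5(b"x").hexdigest()
b = hashlib.md5(b"x", usedforsecurity=False).hexdigest()
c = hashlib.sha256(b"x").hexdigest()
d = hashlib.sha1(b"x", usedforsecurity=True).hexdigest()
e = hashlib.new("md5", b"x").hexdigest()
f = hashlib.new("sha1", b"x", usedforsecurity=False).hexdigest()
'''

if __name__ == "__main__":
    for lineno, algo in weak_hash_calls(SAMPLE_SOURCE):
        print(f"line {lineno}: {algo} used without usedforsecurity=False")
    print(ja3_fingerprint("a"))
```

The check only trusts a literal False; a value computed at runtime is still reported, which mirrors how a static rule has to behave when it cannot evaluate the argument.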