Weak Cryptography alert in SonarQube for SHA256

Template for a good bug report, formatted with Markdown:

  • versions used : SonarQube Community Edition Version 8.9.1 (build 44547)

  • error observed : We have analyzed our JS code in SonarQube. After analysis, sonarqube is flagging for medium hotspot alert for new SHA256(secret)). Not sure why we are getting alert for this.

export const cryptography = { hash: (text: string) => { const hash = createHash('sha256'); hash.update(text); return hash.digest('hex'); },

  • potential workaround
    I see a GitHub issue present for this and its closed now
    It mentions that it has been fixed in newer version of SonarQube. We are using the latest LTS 8.9.1, not sure why we are getting this flagged.

@eric.therond I did see another post you have replied earlier. Could you please help.


Welcome to the community!

Please don’t invoke (@) people who aren’t already involved in your thread.

Regarding your question:

Did you read the accompanying documentation in the interface?