Must-share information (formatted with Markdown):
- which versions are you using (SonarQube, Scanner, Plugin, and any relevant extension)
- what are you trying to achieve
- what have you tried so far to achieve this
Hi to everyone,
We are using SonarQube 8.9 LTS on OpenShift. It is working as expected.
For demonstration purposes, I wanted to create a vulnerable project and plant intentional vulnerabilities. I chose the vulnerabilities based on the Quality Profile (Java), which has 466 rules, 41 of which are tagged as vulnerability. I selected the weak hash algorithm rule from the OWASP Top 10 list. I attached the code showing where I placed the piece of code. Nevertheless, SonarQube complains about everything but the usage of MD5! Why?
These are the complaints from SonarQube:
- Replace the synchronized class "StringBuffer" by an unsynchronized one such as "StringBuilder".
- Use String.format("%02X", ...) instead.
- Replace this use of System.out or System.err by a logger.
There is no alert, code smell, bug or vulnerability associated with the MD5 algorithm!? Why?
Thanks in advance for your assistance
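Added example, not the poster's attached code: the two findings about StringBuffer and String.format("%02X") suggest a hand-rolled digest-to-hex loop, so the class below uses the call shape that SonarJava's weak-hashing rule (S4790, "Using weak hashing algorithms is security-sensitive") matches, `MessageDigest.getInstance("MD5")`, next to the SHA-256 form it accepts. Note that S4790 is a Security Hotspot, not a Vulnerability: on the project page it shows up under the Security Hotspots tab, not in the Issues list, which is the first place to look when the MD5 call produces no issue. The class and method names are assumptions chosen for the demo.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

public class HashDemo {

    // Deliberately weak: MessageDigest.getInstance("MD5") is the pattern
    // the weak-hashing hotspot rule looks for (also "SHA-1", "SHA1").
    static String md5Hex(String input) throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance("MD5");
        return toHex(md.digest(input.getBytes(StandardCharsets.UTF_8)));
    }

    // Hardened form: SHA-256 is on the rule's accepted list, so this
    // method raises no hotspot.
    static String sha256Hex(String input) throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        return toHex(md.digest(input.getBytes(StandardCharsets.UTF_8)));
    }

    // Hex conversion written with StringBuilder and String.format so the
    // StringBuffer and "%02X" code smells from the post do not appear here.
    private static String toHex(byte[] digest) {
        StringBuilder sb = new StringBuilder(digest.length * 2);
        for (byte b : digest) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        // System.out will still trigger the "use a logger" smell; that is
        // intentional noise for the demo, not part of the hashing point.
        System.out.println("MD5     = " + md5Hex(args.length > 0 ? args[0] : "demo"));
        System.out.println("SHA-256 = " + sha256Hex(args.length > 0 ? args[0] : "demo"));
    }
}
```

To confirm the rule is actually active, open the Java Quality Profile assigned to the project and search for S4790; it must be activated there for the Security Hotspot to be raised during analysis.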