Import of weak hashing library (MD5)
- Rule ID: go_gosec_blocklist_md5
- Languages: go
- Source: md5.yml
Description
Using a weak hashing library such as MD5 increases the risk of data breaches. MD5 is vulnerable to collision attacks, in which two different inputs produce the same digest, so it can no longer be relied on to protect data integrity and security.
Remediations
- Do not use MD5 for hashing. It is considered a weak hash algorithm and can compromise data security.
- Do use stronger hashing algorithms such as SHA-3 or BLAKE2 for general-purpose hashing, such as file integrity checks or generating unique identifiers.
- Do use recommended algorithms such as bcrypt or Argon2id for password hashing, as these are deliberately slow and therefore more resistant to brute-force attacks.
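As an added example that is not part of the Bearer rule or its source, the following Go program reproduces the check this rule performs: it parses only the import declarations of a source file and reports each `crypto/md5` import with its location. It runs on two constructed snippets, one the rule would flag and one rewritten to the SHA-3 package the remediation recommends (`golang.org/x/crypto/sha3` is assumed; the snippets are only parsed, never compiled).

```go
package main

import (
	"fmt"
	"go/parser"
	"go/token"
	"strconv"
)

// Import paths treated as weak hashing libraries; crypto/md5 is the one
// go_gosec_blocklist_md5 reports.
var weakHashImports = map[string]bool{"crypto/md5": true}
// FindWeakHashImports parses only the import declarations of a Go source
// file and returns one "file:line path" finding per weak-hash import.
func FindWeakHashImports(filename, src string) ([]string, error) {
	fset := token.NewFileSet()
	f, err := parser.ParseFile(fset, filename, src, parser.ImportsOnly)
	if err != nil {
		return nil, err
	}
	var hits []string
	for _, imp := range f.Imports {
		path, err := strconv.Unquote(imp.Path.Value)
		if err != nil || !weakHashImports[path] {
			continue
		}
		pos := fset.Position(imp.Pos())
		hits = append(hits, fmt.Sprintf("%s:%d %s", pos.Filename, pos.Line, path))
	}
	return hits, nil
}

// Constructed sample: an integrity helper built on crypto/md5 (flagged).
const flaggedSrc = `package checksum
import ("crypto/md5"; "encoding/hex")
func Sum(b []byte) string { h := md5.Sum(b); return hex.EncodeToString(h[:]) }
`

// Constructed sample: the same helper after moving to SHA-3 (not flagged).
const cleanSrc = `package checksum
import ("encoding/hex"; "golang.org/x/crypto/sha3")
func Sum(b []byte) string { h := sha3.Sum256(b); return hex.EncodeToString(h[:]) }
`

func main() {
	for name, src := range map[string]string{"flagged.go": flaggedSrc, "clean.go": cleanSrc} {
		hits, err := FindWeakHashImports(name, src)
		fmt.Println(name, hits, err)
	}
}
```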
Configuration
To skip this rule during a scan, use the following flag:
bearer scan /path/to/your-project/ --skip-rule=go_gosec_blocklist_md5
To run only this rule during a scan, use the following flag:
bearer scan /path/to/your-project/ --only-rule=go_gosec_blocklist_md5