Usage of custom Digest class

• Rule ID: java_lang_custom_message_digest_class
• Languages: java
• Source: custom_message_digest_class.yml

Description

Creating your own Digest class is not recommended because manually implement cryptographic functions is a highly error-prone process. It's safer and more secure to rely on standard Digest algorithms like SHA-256 or SHA-512.

Remediations

• Do not implement a custom Digest class manually. Custom implementations can lead to security vulnerabilities due to incorrect handling or flawed algorithms.
• Do use established Digest algorithms such as SHA-256, SHA-384, SHA-512, or SHA-512/256. These standard algorithms have been thoroughly tested and are widely trusted for their security.

References

• Java MessageDigest class

Associated CWE

• CWE-327: Use of a Broken or Risky Cryptographic Algorithm

OWASP Top 10

• A02:2021 - Cryptographic Failures

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=java_lang_custom_message_digest_class

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=java_lang_custom_message_digest_class