# Usage of Weak Hashing library (MD5)

## Overview

* **Rule ID**: `java_lang_weak_hash_md5`
* **Applicable Languages**: Java
* **Weakness ID**: CWE-328

## Description

Using a weak hashing algorithm such as MD5 increases the risk of data breaches. MD5 is susceptible to collision attacks, in which two different inputs produce the same hash, so any integrity or authenticity check built on an MD5 digest can no longer be trusted.

## Remediation Guidelines

* **Do not** use MD5 for hashing purposes. This algorithm is no longer considered secure and can compromise data integrity.

  ```java
  import java.security.MessageDigest;

  MessageDigest md = MessageDigest.getInstance("MD5"); // unsafe: MD5 is collision-prone
  ```
* **Do opt** for stronger hashing algorithms like SHA-256 to ensure data security.

  ```java
  import java.security.MessageDigest;

  MessageDigest md = MessageDigest.getInstance("SHA-256"); // SHA-2 family digest
  ```
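
The following is an added example, not part of the original rule page, showing what the remediation looks like in a small self-contained class: digests are obtained only through an allow-list that excludes MD5, the SHA-256 output is hex-encoded, and verification uses the constant-time `MessageDigest.isEqual`. The class name `IntegrityDigest`, the allow-list contents and the sample payload are assumptions chosen for illustration; `java.util.HexFormat` requires Java 17 or later.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HexFormat;
import java.util.Set;

public final class IntegrityDigest {

    // Allow-list of digest algorithms this code base accepts.
    // MD5 and SHA-1 are deliberately absent so a stray "MD5" literal fails fast.
    private static final Set<String> ALLOWED = Set.of("SHA-256", "SHA-384", "SHA-512");

    private IntegrityDigest() {}

    /** Central factory: every MessageDigest in the code base should come from here. */
    public static MessageDigest newDigest(String algorithm) throws NoSuchAlgorithmException {
        if (!ALLOWED.contains(algorithm)) {
            throw new IllegalArgumentException("Digest algorithm not permitted: " + algorithm);
        }
        return MessageDigest.getInstance(algorithm);
    }

    /** SHA-256 digest of the input, hex-encoded (64 lowercase hex characters). */
    public static String sha256Hex(byte[] data) throws NoSuchAlgorithmException {
        byte[] digest = newDigest("SHA-256").digest(data);
        return HexFormat.of().formatHex(digest);
    }

    /** Verify data against an expected SHA-256 hex digest using a constant-time comparison. */
    public static boolean matches(byte[] data, String expectedHex) throws NoSuchAlgorithmException {
        byte[] actual = newDigest("SHA-256").digest(data);
        byte[] expected = HexFormat.of().parseHex(expectedHex);
        // MessageDigest.isEqual avoids early-exit timing differences that Arrays.equals would leak.
        return MessageDigest.isEqual(actual, expected);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input for the demonstration.
        byte[] payload = "example payload".getBytes(StandardCharsets.UTF_8);

        String hex = sha256Hex(payload);
        System.out.println("SHA-256: " + hex);
        System.out.println("verifies: " + matches(payload, hex));

        // A tampered payload produces a different digest and fails verification.
        byte[] tampered = "example payloaD".getBytes(StandardCharsets.UTF_8);
        System.out.println("tampered verifies: " + matches(tampered, hex));

        // The allow-list rejects MD5 before MessageDigest.getInstance is ever reached.
        try {
            newDigest("MD5");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Routing every digest through one factory makes the rule easy to enforce in review: the scanner only needs to flag `MessageDigest.getInstance` calls outside `IntegrityDigest`. Note that a plain SHA-256 digest is appropriate for integrity checks of files and messages; it is not a substitute for a dedicated password-hashing function when the input is a user password.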

## References

* [**Java MessageDigest class**](https://docs.oracle.com/en/java/javase/20/docs/api/java.base/java/security/MessageDigest.html)
* [**CWE-328: Use of Weak Hash**](https://cwe.mitre.org/data/definitions/328.html)
* [**OWASP Top 10: A02:2021 - Cryptographic Failures**](https://owasp.org/Top10/A02_2021-Cryptographic_Failures/)

## Configuration

To exclude this rule from a scan, or to set up continuous code-level scanning, you can use our [**SAST TOOL**](https://scopy.sec1.io/login).
