Usage of weak hashing library (SHA-1)

Overview

Rule ID: javascript_lang_weak_hash_sha1
Applicable Languages: Javascript
Weakness ID: CWE-328

Description

Using a weak hashing library such as SHA-1 heightens the risk of data breaches. SHA-1 is especially prone to collision attacks, where distinct inputs can generate the same hash value, thereby compromising data integrity and security.

Remediation Guidelines

Do not use SHA-1 for hashing. It's no longer considered secure against well-funded attackers.
```
const hash = crypto.createHmac("sha1", key).update(user.password); // unsafe
```
Do use stronger hashing algorithms like SHA-256 or SHA-3 for enhanced security.
```
const hash = crypto.createHmac("sha256", key).update(user.password);
```

References

Configuration

To omit this rule during a scan, and to provide you with continuous 24/7 code-level scanning, you can employ our SAST TOOL

PreviousUsage of weak hashing library on a password (SHA-1)NextSBOM Scanner

Last updated 3 months ago