cryptographic misuse rules #6

Closed
firmianay opened this issue Aug 8, 2022 · 2 comments

@firmianay

Is it possible to add a check item for misuse of cryptography, such as MD5, which has been regarded as insecure? The check method may be an insecure-api-MD5_Init.yaml.

@0xdea
Owner

0xdea commented Aug 8, 2022

It's certainly possible to check for potentially insecure code patterns related to cryptographic functions. In fact, here's a simple example: https://github.com/0xdea/semgrep-rules/blob/main/generic/bad-words.yaml#L49

That said, I haven't included specific rules for C/C++ as these languages do not have built-in cryptographic libraries. I'll leave the issue open and perhaps I'll add some specific rules for OpenSSL (e.g., https://linux.die.net/man/3/md5_init) in the future.

Thank you for the suggestion!

@firmianay
Author

Thanks for the explanation, looking forward to more rule updates~
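
A sketch of the kind of rule discussed in this thread, as an added example that is not part of the original issue or of the 0xdea/semgrep-rules repository: a Semgrep rule for C/C++ that flags OpenSSL MD5 usage for review. The rule id, message wording and metadata values are assumptions chosen for illustration; the function names are OpenSSL's documented MD5 and EVP interfaces.

```yaml
# Added example (hypothetical rule, not the project's own).
# Run with: semgrep --config <this-file> <source-dir>
rules:
  - id: insecure-api-md5-example   # hypothetical id
    languages: [c, cpp]
    severity: WARNING
    message: >-
      MD5 is used here through OpenSSL. MD5 is not collision resistant and
      should not protect signatures, certificates, password storage or
      integrity checks against an active attacker. Confirm the purpose of
      this digest and move security-relevant uses to SHA-256 or stronger.
    metadata:
      cwe: "CWE-327: Use of a Broken or Risky Cryptographic Algorithm"
      confidence: LOW   # a match is a lead for manual review, not a finding
      references:
        - https://linux.die.net/man/3/md5_init
    pattern-either:
      # Low-level MD5 interface (md5.h)
      - pattern: MD5_Init(...)
      - pattern: MD5_Update(...)
      - pattern: MD5_Final(...)
      - pattern: MD5(...)
      # EVP interface: digest selected by accessor function
      - pattern: EVP_md5()
      # EVP interface: digest selected by name at run time,
      # e.g. EVP_get_digestbyname("md5") or ("MD5")
      - patterns:
          - pattern: EVP_get_digestbyname($ALG)
          - metavariable-regex:
              metavariable: $ALG
              regex: '(?i)^"?md5"?$'
```

The rule only sees digest names written as literals; a name read from configuration or built at run time needs a manual check of where the string comes from.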
