fix: go sha rule description (#253)
gotbadger authored Feb 12, 2024
1 parent 2360ae7 commit 675aca2
Showing 2 changed files with 2 additions and 2 deletions.
2 changes: 1 addition & 1 deletion rules/go/gosec/blocklist/sha1.yml
Expand Up @@ -8,7 +8,7 @@ patterns:
languages:
- go
metadata:
description: "Import of weak hashing library (MD5)"
description: "Import of weak hashing library (SHA-1)"
remediation_message: |
## Description
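Review bot: the metadata description in rules/go/gosec/blocklist/sha1.yml previously read "(MD5)", which indicates this rule file was copied from the MD5 blocklist rule; the hunk only shows the description line being corrected, so please also check the fields outside this hunk (the patterns block above it and the remediation_message body below "## Description") for any other leftover MD5 wording before merging. A smaller wording point: in Go, crypto/sha1 is a package rather than a library, so "Import of weak hashing package (SHA-1)" would be more precise, but that is a cosmetic choice as long as the rule title and the snapshot stay in sync.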
2 changes: 1 addition & 1 deletion tests/go/gosec/blocklist/sha1/__snapshots__/test.js.snap
Expand Up @@ -8,7 +8,7 @@ exports[`go_gosec_blocklist_sha1 test 1`] = `
"328"
],
"id": "go_gosec_blocklist_sha1",
"title": "Import of weak hashing library (MD5)",
"title": "Import of weak hashing library (SHA-1)",
"description": "## Description\\n\\nThe SHA-1 hashing algorithm is no longer considered secure against well-funded attackers. It is vulnerable to collision attacks, which means it's possible to generate two different inputs that result in the same SHA-1 hash, undermining the hash's uniqueness and security. Due to these vulnerabilities, it is advised to discontinue using SHA-1 for cryptographic security.\\n\\n## Remediation\\n\\nWhen choosing a hashing algorithm for cryptographic purposes, it's important to select one that is resistant to collisions and other attack vectors. SHA-3 and BLAKE2 are both excellent choices for non-password-based hashing requirements due to their strong cryptographic properties.\\n\\n✅ For General Hashing Needs, Use SHA-3 or BLAKE2\\n\\nChoose SHA-3 or BLAKE2 for their resistance to known hash attack vectors, ensuring the integrity and uniqueness of your data fingerprints.\\n\\n✅ For Password Hashing, Prefer bcrypt or Argon2id\\n\\nFor password hashing specifically, bcrypt or Argon2id are recommended. These algorithms are designed to be computationally intensive, which helps protect against brute-force attacks.\\n\\n❌ Discontinue Using SHA-1 for Security Purposes\\n\\nGiven its vulnerabilities, avoid using SHA-1 in any security context to prevent potential collision attacks.\\n\\nThe code snippet provided is unrelated to the hashing algorithms and seems to be a continuation of the previous examples for encryption with AES-256. Ensure your hashing and encryption strategies are correctly implemented as per their intended use-cases.\\n\\n## Resources\\n\\n- [OWASP Cryptographic Storage Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html)\\n- [NIST Policy on Hash Functions](https://csrc.nist.gov/projects/hash-functions)\\n",
"documentation_url": "https://docs.bearer.com/reference/rules/go_gosec_blocklist_sha1",
"line_number": 4,
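Review bot: the title in the snapshot is now consistent with the rule metadata, but the unchanged "description" context line in this hunk shows a problem in the remediation text that this commit leaves in place: the paragraph "The code snippet provided is unrelated to the hashing algorithms and seems to be a continuation of the previous examples for encryption with AES-256." refers to a code snippet and AES-256 examples that do not exist anywhere in this rule's remediation message, so it reads as leftover generator output and will confuse users who see it in the documentation at https://docs.bearer.com/reference/rules/go_gosec_blocklist_sha1. Suggest removing that paragraph from remediation_message in rules/go/gosec/blocklist/sha1.yml and regenerating this snapshot in the same change, since the snapshot embeds the full message and will otherwise need a second update.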
