mcp-server-semgrep/semgrep-rules/java/lang/security/audit/crypto/ssl/avoid-implementing-custom-digests.yaml

MCP Server for Semgrep Integration - static code analysis with AI

rules:
- id: avoid-implementing-custom-digests
  metadata:
    cwe:
    - 'CWE-327: Use of a Broken or Risky Cryptographic Algorithm'
    owasp:
    - A03:2017 - Sensitive Data Exposure
    - A02:2021 - Cryptographic Failures
    source-rule-url: https://find-sec-bugs.github.io/bugs.htm#CUSTOM_MESSAGE_DIGEST
    asvs:
      section: V6 Stored Cryptography Verification Requirements
      control_id: 6.2.2 Insecure Custom Algorithm
      control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x14-V6-Cryptography.md#v62-algorithms
      version: '4'
    references:
    - https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#custom-algorithms
    category: security
    technology:
    - java
    subcategory:
    - audit
    likelihood: LOW
    impact: LOW
    confidence: LOW
  message: >-
    Cryptographic algorithms are notoriously difficult to get right. By implementing
    a custom message digest, you risk introducing security issues into your program.
    Use one of the many sound message digests already available to you:
    MessageDigest sha256Digest = MessageDigest.getInstance("SHA256");
  severity: WARNING
  languages: [java]
  pattern: |-
    class $CLASS extends MessageDigest {
      ...
    }