Use of a broken or risky cryptographic algorithm
Description
The SHA-1 message-digest algorithm has been cryptographically broken and is unsuitable for further use. For non-password-based cryptographic hashes, it is recommended that the SHA-3 or BLAKE2 family of algorithms be used instead. For password-based cryptographic hashes, consider using bcrypt or Argon2id.
Examples
Insecure Code
```go
import "crypto/sha1"
```
Secure Code
```go
import "golang.org/x/crypto/blake2b"
```
Remediation
Replace the use of SHA-1 with a more secure algorithm, such as BLAKE2 for general-purpose hashing or Argon2id for password hashing.
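The insecure example above is the `crypto/sha1` import itself. As an added illustration (not the scanner's own implementation, which this page does not show), the Go program below locates that import and the call sites behind it with the standard `go/parser` and `go/ast` packages, following import aliases so the uses that need replacing are listed. `FindSHA1`, the file name `demo.go` and the sample source are hypothetical and constructed for this example.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"strconv"
)

// Constructed sample input: an aliased crypto/sha1 import and two uses.
const sample = `package demo
import legacy "crypto/sha1"
var digest = legacy.Sum([]byte("constructed input"))
var hasher = legacy.New()
`

// FindSHA1 reports the crypto/sha1 import and each selector that uses it (syntactic match).
func FindSHA1(filename, src string) ([]string, error) {
	fset := token.NewFileSet()
	file, err := parser.ParseFile(fset, filename, src, 0)
	if err != nil {
		return nil, err
	}
	var findings []string
	name := "" // identifier the package is bound to in this file
	for _, imp := range file.Imports {
		if path, _ := strconv.Unquote(imp.Path.Value); path != "crypto/sha1" {
			continue
		}
		if name = "sha1"; imp.Name != nil {
			name = imp.Name.Name // alias, so matching on "sha1." alone would miss the calls
		}
		findings = append(findings, fmt.Sprintf("%s: import of crypto/sha1", fset.Position(imp.Pos())))
	}
	ast.Inspect(file, func(n ast.Node) bool {
		if sel, ok := n.(*ast.SelectorExpr); ok && name != "" {
			if id, ok := sel.X.(*ast.Ident); ok && id.Name == name {
				findings = append(findings, fmt.Sprintf("%s: use of %s.%s", fset.Position(sel.Pos()), name, sel.Sel.Name))
			}
		}
		return true
	})
	return findings, nil
}

func main() {
	fmt.Println(FindSHA1("demo.go", sample))
}
```

The match is purely syntactic: a local variable that shadows the package name would also be reported, so treat the call-site list as a review aid rather than a type-checked result.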
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0774 |
| Category | Crypto |
| Severity | MEDIUM |
| CWE | CWE-327 |
| Confidence | HIGH |
| Impact | MEDIUM |
| Likelihood | MEDIUM |
| Exploitability | EASY |
| Tags | cryptography, hashing |
| OWASP | A3:2017-Sensitive Data Exposure, A02:2021-Cryptographic Failures |