test(java): add regression test for MD5 detection in JCA MessageDigest (#393)
Signed-off-by: Sachin Kumar <sachinkumar905846@gmail.com>
Pull request overview
Adds a Java regression test to lock in existing MD5 detection behavior for java.security.MessageDigest#getInstance(...) in the Sonar Cryptography Plugin’s JCA digest matcher, improving coverage without changing detection logic.
Changes:
- Added a new test fixture exercising `MessageDigest.getInstance("MD5")` with an expected "Noncompliant" issue.
- Added a new JUnit test validating the detection store value (`Algorithm=MD5`) and the translated node details (digest, digest size 128, block size 512).
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| java/src/test/java/com/ibm/plugin/rules/detection/jca/digest/JcaMessageDigestGetInstanceMd5Test.java | New JUnit regression test asserting MD5 detection and translated node properties. |
| java/src/test/files/rules/detection/jca/digest/JcaMessageDigestGetInstanceMd5TestFile.java | New fixture file containing MessageDigest.getInstance("MD5") annotated with the expected Noncompliant message. |
Hi @san-zrl, I have opened this for adding a regression test for MD5 detection. Can you take a look at this?
Pull request overview
Copilot reviewed 2 out of 2 changed files in this pull request and generated no new comments.
n1ckl0sk0rtge left a comment:
LGTM! Thanks @sachin9058 :)
MD5 detection is already supported by the JCA MessageDigest matcher but was not covered by tests.
This PR adds a regression test to ensure MD5 detection remains stable and to prevent accidental regressions in future changes.
Changes
- Added test fixture: java/src/test/files/rules/detection/jca/digest/JcaMessageDigestGetInstanceMd5TestFile.java
- Added regression test: java/src/test/java/com/ibm/plugin/rules/detection/jca/digest/JcaMessageDigestGetInstanceMd5Test.java
- Verified detection output:
Validation
- Ran targeted test: `mvn -pl java -am -Dtest=JcaMessageDigestGetInstanceMd5Test test`
- Built plugin successfully: `mvn clean install`
- Verified runtime behavior via SonarQube scan (CBOM generation).
Notes
Happy to extend coverage to additional algorithms (e.g., SHA-1, SHA-512) if needed.