[java] False positive

[jcrichlake]

Java SHA3 MessageDigest

CodeQL flags code using MessageDigest.getInstance("SHA3-512") as an insecure hash. But the linked CWE documentation as well as the NIST standard attached to the alert both list SHA3 as a valid hashing algorithm. This shouldn't be an issue.

Code samples or links to source code

Link to source

[aibaars]

Thanks for reporting!

I assume the alert was the result of the java/potentially-weak-cryptographic-algorithm query.

That query simply looks for usages of crypto algorithm names that are not in its list of known secure ones. This query has a fairly high false positive rate, and is therefore marked with @precision medium. We should probably add the SHA3 family to the list of known secure ones.

In the mean time you can run the
java/weak-cryptographic-algorithm query instead. This query has higher precision and only reports usages of algorithms that are known to be insecure.

[aibaars]

Should be fixed by #18084