[fix][sec] Dismiss warning about MD5 since it's sufficient for these …

…use cases (#22282)
apache · Mar 15, 2024 · 442595e · 442595e
1 parent 999e39b
commit 442595e
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 1 deletion.
diff --git a/...-messagecrypto-bc/src/main/java/org/apache/pulsar/client/impl/crypto/MessageCryptoBc.java b/...-messagecrypto-bc/src/main/java/org/apache/pulsar/client/impl/crypto/MessageCryptoBc.java
@@ -148,7 +148,7 @@ public SecretKey load(ByteBuffer key) {
             cipher = Cipher.getInstance(AESGCM, BouncyCastleProvider.PROVIDER_NAME);
             // If keygen is not needed(e.g: consumer), data key will be decrypted from the message
             if (!keyGenNeeded) {
-
+                // codeql[java/weak-cryptographic-algorithm] - md5 is sufficient for this use case
                 digest = MessageDigest.getInstance("MD5");
 
                 dataKey = null;

diff --git a/pulsar-common/src/main/java/org/apache/pulsar/common/nar/NarUnpacker.java b/pulsar-common/src/main/java/org/apache/pulsar/common/nar/NarUnpacker.java
@@ -168,6 +168,7 @@ private static void makeFile(final InputStream inputStream, final File file) thr
      */
     private static byte[] calculateMd5sum(final File file) throws IOException {
         try (final FileInputStream inputStream = new FileInputStream(file)) {
+            // codeql[java/weak-cryptographic-algorithm] - md5 is sufficient for this use case
             final MessageDigest md5 = MessageDigest.getInstance("md5");
 
             final byte[] buffer = new byte[1024];