When scanning pkg:maven/com.google.guava/guava@33.0.0-jre we get 12 findings, all of which come from Hashing.java. All findings refer to locations at the closing `*/` of javadoc comments. One such example is Hashing.java#L316.
The detection comes from the method BEFORE the comment, not from the javadoc comment itself.

```java
/**
 * Returns a hash function implementing the Message Authentication Code (MAC) algorithm, using the
 * MD5 (128 hash bits) hash function and a {@link SecretKeySpec} created from the given byte array
 * and the MD5 algorithm.
 *
 * @param key the key material of the secret key
 * @since 20.0
 */
public static HashFunction hmacMd5(byte[] key) {
  return hmacMd5(new SecretKeySpec(checkNotNull(key), "HmacMD5"));
}

/**
 * Returns a hash function implementing the Message Authentication Code (MAC) algorithm, using the
 * SHA-512 (512 hash bits) hash function and the given secret key.
 *
 * @param key the secret key
 * @throws IllegalArgumentException if the given key is inappropriate for initializing this MAC
 * @since 20.0
 -----> DETECTED HERE <------ */
public static HashFunction hmacSha512(Key key) {
  return new MacHashFunction("HmacSHA512", key, hmacToString("hmacSha512", key));
}
```

The finding correctly identifies the use of an MD5 algorithm.
Here is the corresponding CBOM component:

```json
{
  "name": "MD5",
  "type": "cryptographic-asset",
  "bom-ref": "d703a471-b0ac-43ea-b167-3db2f4860f46",
  "evidence": {
    "occurrences": [
      {
        "line": 316,
        "offset": 23,
        "location": "guava/src/com/google/common/hash/Hashing.java",
        "additionalContext": "javax.crypto.spec.SecretKeySpec#<init>([BLjava/lang/String;)V"
      }
    ]
  },
  "cryptoProperties": {
    "assetType": "algorithm",
    "algorithmProperties": {
      "primitive": "hash",
      "cryptoFunctions": [
        "digest"
      ],
      "parameterSetIdentifier": "128"
    }
  }
},
```
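One way to triage this class of mislocated occurrence across a whole CBOM, as an added example that is not the scanner's or Guava's own code: for every occurrence, check whether the reported line is comment-only, and if so walk back to the nearest preceding code line that actually contains the call named in `additionalContext`, then confirm that line mentions the asset. The source excerpt below is the snippet quoted in the issue, numbered by assumption so that the closing `*/` lands on line 316 as reported (the real file has other code before it that is not reproduced); the `triage`, `callee_pattern` and `is_comment_only` helpers and the comment heuristic are mine, not part of any tool.

```python
import re

# Constructed excerpt of guava/src/com/google/common/hash/Hashing.java, as quoted in the
# issue. It is numbered (by assumption) so that the closing '*/' of the hmacSha512 javadoc
# falls on line 316, matching the report; the real file has more code before this point.
EXCERPT_FIRST_LINE = 298
EXCERPT = """\
/**
 * Returns a hash function implementing the Message Authentication Code (MAC) algorithm, using the
 * MD5 (128 hash bits) hash function and a {@link SecretKeySpec} created from the given byte array
 * and the MD5 algorithm.
 *
 * @param key the key material of the secret key
 * @since 20.0
 */
public static HashFunction hmacMd5(byte[] key) {
  return hmacMd5(new SecretKeySpec(checkNotNull(key), "HmacMD5"));
}
/**
 * Returns a hash function implementing the Message Authentication Code (MAC) algorithm, using the
 * SHA-512 (512 hash bits) hash function and the given secret key.
 *
 * @param key the secret key
 * @throws IllegalArgumentException if the given key is inappropriate for initializing this MAC
 * @since 20.0
 */
public static HashFunction hmacSha512(Key key) {
  return new MacHashFunction("HmacSHA512", key, hmacToString("hmacSha512", key));
}
"""

# The CBOM component from the issue, as a Python literal (only the fields used here).
COMPONENT = {
    "name": "MD5",
    "type": "cryptographic-asset",
    "evidence": {
        "occurrences": [
            {
                "line": 316,
                "offset": 23,
                "location": "guava/src/com/google/common/hash/Hashing.java",
                "additionalContext": "javax.crypto.spec.SecretKeySpec#<init>([BLjava/lang/String;)V",
            }
        ]
    },
}


def load_lines(text, first_line):
    """Map 1-based file line numbers to their text for a source excerpt."""
    return {first_line + i: line for i, line in enumerate(text.splitlines())}


def is_comment_only(line):
    """Heuristic for Java/javadoc: blank, '//', '/*', ' * ...' or a bare '*/' is comment-only."""
    s = line.strip()
    if not s or s.startswith("//") or s.startswith("/*"):
        return True
    if s.startswith("*/"):
        return s[2:].strip() == ""  # '*/ foo();' has code after the terminator
    return s.startswith("*")


def callee_pattern(additional_context):
    """Turn 'pkg.Class#member(desc)' (the CBOM additionalContext form) into a call-site regex."""
    fqcn, _, member = additional_context.partition("#")
    simple = fqcn.rsplit(".", 1)[-1]
    name = member.split("(", 1)[0]
    if name == "<init>":
        return re.compile(r"\bnew\s+" + re.escape(simple) + r"\s*\(")
    return re.compile(r"\b" + re.escape(name) + r"\s*\(")


def triage(component, lines):
    """For each occurrence: is the reported line comment-only, and if so which preceding
    code line contains the call from additionalContext and does it name the asset?"""
    asset = component["name"].lower()
    results = []
    for occ in component["evidence"]["occurrences"]:
        reported = occ["line"]
        entry = {
            "reported": reported,
            "comment_only": is_comment_only(lines.get(reported, "")),
            "candidate": None,
            "mentions_asset": False,
        }
        if entry["comment_only"]:
            pat = callee_pattern(occ.get("additionalContext", ""))
            for n in range(reported - 1, min(lines) - 1, -1):
                if not is_comment_only(lines[n]) and pat.search(lines[n]):
                    entry["candidate"] = n
                    entry["mentions_asset"] = asset in lines[n].lower()
                    break
        results.append(entry)
    return results


def run():
    """Triage the issue's component against the constructed excerpt."""
    return triage(COMPONENT, load_lines(EXCERPT, EXCERPT_FIRST_LINE))


if __name__ == "__main__":
    for r in run():
        print(r)
```

Run against the excerpt, the single occurrence comes back as `comment_only` with candidate line 307, the `new SecretKeySpec(checkNotNull(key), "HmacMD5")` call, and `mentions_asset` true. The check only validates the location; it does not re-evaluate the classification itself (the component records MD5 as a `hash`/`digest` primitive while the evidence is a key spec for `HmacMD5`).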