Java: Noisiness of java/weak-cryptographic-algorithm / MD5 detection

[theveriton]

Description of the false positive

This flags every single use of MD5 as a cryptography problem.
MD5 exists for a reason an it's entirely inappropriate to flag any and every usage of it as a cryptographic usage
It is intended to be a lighter weight, simpler algorithm. Using it at all should not be a flag. there are plenty of legitimate use cases that have nothing to do with security

Code samples or links to source code

for example:

Here, we are just using checksum to see if the doc has been modified, not using it for encryption

//computeChecksum will use MD5
String docCheckSum = computeChecksum(text);
if (docCheckSum != previousCheckSum){
docchanged=1;
}

public static String computeChecksum(String s)
{
	if (md == null)
	{
		try
		{
			//This line gets flagged
                       md = MessageDigest.getInstance("MD5");
		}
		catch (NoSuchAlgorithmException e)
		{
			if(log.isDebugEnabled()) e.printStackTrace();
			throw new IllegalStateException(e + " String for MD5: " + s);
		}
	}
	byte[] bytes = s.getBytes();
	return hashData(bytes);
}

[hvitved]

Thank you for this false positive report. Resolving this issue is not a current product priority, but we acknowledge the report and will track it internally for future consideration, or if we observe repeated instances of the same problem.

[theveriton]

Thank you, because this is a "High" vulnerability, we have strict guidelines and can't suppress this.
Also, this is only being detected in java, the same logic in ruby and C# does not get flagged

[hvitved]

CC @github/codeql-java

[jcogs33]

Thanks for the report @theveriton. We have removed MD5 alerts from java/weak-cryptographic-algorithm in #17869.