0xdea/semgrep-rules

cryptographic misuse rules

firmianay opened this issue · 2 comments

Is it possible to add a check item for misuse of cryptography, such as MD5, which has been regarded as insecure? The check method may be an insecure-api-MD5_Init.yaml.

0xdea commented

It's certainly possible to check for potentially insecure code patterns related to cryptographic functions. In fact, here's a simple example: https://github.com/0xdea/semgrep-rules/blob/main/generic/bad-words.yaml#L49

That said, I haven't included specific rules for C/C++ as these languages do not have built-in cryptographic libraries. I'll leave the issue open and perhaps I'll add some specific rules for OpenSSL (e.g., https://linux.die.net/man/3/md5_init) in the future.

Thank you for the suggestion!
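For illustration, a Semgrep rule file of the kind discussed above, targeting the OpenSSL MD5 entry points from the linked man page. This is an added example, not a rule from 0xdea/semgrep-rules; the rule ids, message text and metadata values are assumptions chosen here.

```yaml
rules:
  - id: insecure-api-openssl-md5
    languages: [c, cpp]
    severity: WARNING
    message: >-
      Call to OpenSSL's legacy MD5 API ($FUNC). MD5 is not collision
      resistant and should not be used for signatures, certificates,
      integrity checks or password hashing. Prefer SHA-256 or stronger
      via the EVP interface (e.g. EVP_DigestInit_ex with EVP_sha256()).
    metadata:
      category: security
      cwe: "CWE-328: Use of Weak Hash"
      references:
        - https://linux.die.net/man/3/md5_init
    patterns:
      # Match any call, then restrict the callee name to the MD5 family.
      - pattern: $FUNC(...)
      - metavariable-regex:
          metavariable: $FUNC
          regex: ^(MD5|MD5_Init|MD5_Update|MD5_Final)$

  - id: insecure-api-openssl-evp-md5
    languages: [c, cpp]
    severity: WARNING
    message: >-
      EVP_md5() selects MD5 as the digest for the EVP API. Replace it with
      EVP_sha256() or stronger unless a legacy protocol requires MD5.
    metadata:
      category: security
      cwe: "CWE-328: Use of Weak Hash"
    # The digest selector itself is the signal, whichever EVP call uses it.
    pattern: EVP_md5()
```

Run it with `semgrep --config insecure-api-openssl-md5.yaml path/to/src`; every MD5_Init/MD5_Update/MD5_Final/MD5 and EVP_md5() call is reported, including non-security uses such as content checksums, so findings still need triage.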

Thanks for the explanation; looking forward to more rule updates~