Import blacklist: crypto/md5 GSC-G501

Detects imports of crypto/md5 since they are considered vulnerable.

Go's official documentation also warns against the usage of MD5

Most common alternative for the insecure algorithm:

• Use SHA512 instead of MD5

Although, we recommend doing some initial research before using any encryption/hashing algorithm to determine which is best for your use case.

Refer to https://en.wikipedia.org/wiki/MD5#Collision_vulnerabilities to understand the vulnerability in detail.

Bad practice

package main

import (
    "crypto/md5"
    "fmt"
    "os"
)
func main() {
    for _, arg := range os.Args {
        fmt.Printf("%x - %s
", md5.Sum([]byte(arg)), arg)
    }
}

References

• OWASP A2:2021
• CWE-327