Go

Made by DeepSource

Import blacklist: crypto/sha1 GSC-G505

Security
Major
a02, cwe-327, sans top 25, owasp top 10

Detects imports of crypto/sha1, since the SHA1 algorithm is considered vulnerable.

Go's official documentation also warns against the usage of SHA1.

Most common alternative for the insecure algorithm:

  • Use SHA512 instead of SHA1

However, we recommend doing some initial research before using any encryption or hashing algorithm, to determine which is best for your use case.

Refer to https://en.wikipedia.org/wiki/SHA-1#Attacks to understand the vulnerability in detail.
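The import check this rule describes can be reproduced with the standard go/parser package. The following is an added example, not DeepSource's analyzer code; the Finding type, the FindSHA1Imports function and the sample source are hypothetical and constructed for illustration.

```go
package main

import (
	"fmt"
	"go/parser"
	"go/token"
	"strconv"
)

// Finding is a hypothetical result type for this example.
type Finding struct {
	Line  int    // 1-based line of the import spec
	Alias string // local name: "" (default), "_" (blank), "." or a custom alias
}

// FindSHA1Imports parses only the import section of a Go source file and
// returns every import of crypto/sha1, however it is aliased.
func FindSHA1Imports(filename string, src []byte) ([]Finding, error) {
	fset := token.NewFileSet()
	f, err := parser.ParseFile(fset, filename, src, parser.ImportsOnly)
	if err != nil {
		return nil, err
	}
	var out []Finding
	for _, spec := range f.Imports {
		// Path.Value is the quoted literal; it may be "..." or `...`.
		path, err := strconv.Unquote(spec.Path.Value)
		if err != nil || path != "crypto/sha1" {
			continue
		}
		fd := Finding{Line: fset.Position(spec.Pos()).Line}
		if spec.Name != nil {
			fd.Alias = spec.Name.Name
		}
		out = append(out, fd)
	}
	return out, nil
}

// Constructed sample: an aliased import, plus a comment and a string that must not be flagged.
const sample = "package demo\n\n// import \"crypto/sha1\" (comment only)\nimport (\n\th \"crypto/sha1\"\n\t\"crypto/sha512\"\n)\n\nvar s = \"crypto/sha1\"\nvar _ = h.Sum\nvar _ = sha512.Sum512\n"

func main() {
	findings, err := FindSHA1Imports("demo.go", []byte(sample))
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", findings)
}
```

Matching on the parsed import path rather than on the text of the line is what lets the check catch aliased, blank and raw-string imports while ignoring comments.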

Bad practice

package main

import (
    "crypto/sha1"
    "fmt"
    "os"
)

func main() {
    for _, arg := range os.Args {
        // Flagged: prints the SHA1 digest of each argument.
        fmt.Printf("%x - %s\n", sha1.Sum([]byte(arg)), arg)
    }
}
