Blocklisted import crypto/sha1: weak cryptographic primitive
package tool

import (
	"crypto/sha1"
	"encoding/base64"
	"encoding/hex"
	"fmt"
Description
Detects imports of crypto/sha1, which is considered vulnerable.
Go's official documentation also warns against the use of SHA1.
Most common alternative for the insecure algorithm:
- Use SHA512 instead of SHA1
That said, we recommend doing some initial research before adopting any encryption or hashing algorithm, to determine which is best for your use case.
Refer to https://en.wikipedia.org/wiki/SHA-1#Attacks to understand the vulnerability in detail.
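A sketch of the import check described above, written as an added example (not the analyzer's own code). It parses only the import section with go/parser, so aliased imports are still caught; the Finding type, the function name and the sample source are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"go/parser"
	"go/token"
	"strconv"
)

// blocklist maps an import path to the reason it is reported (this page covers crypto/sha1 only).
var blocklist = map[string]string{"crypto/sha1": "weak cryptographic primitive"}

// Finding is one reported import (hypothetical type for this example).
type Finding struct {
	Path, Alias, Reason string
	Line                int
}

// findBlocklistedImports parses only the import declarations of src and returns
// every import whose exact path is on the blocklist, including aliased imports.
func findBlocklistedImports(filename, src string) ([]Finding, error) {
	fset := token.NewFileSet()
	file, err := parser.ParseFile(fset, filename, src, parser.ImportsOnly)
	if err != nil {
		return nil, err
	}
	var out []Finding
	for _, imp := range file.Imports {
		path, err := strconv.Unquote(imp.Path.Value) // strip the surrounding quotes
		reason, bad := blocklist[path]
		if err != nil || !bad {
			continue // not on the blocklist
		}
		f := Finding{Path: path, Reason: reason, Line: fset.Position(imp.Pos()).Line}
		if imp.Name != nil {
			f.Alias = imp.Name.Name // e.g. `h "crypto/sha1"`
		}
		out = append(out, f)
	}
	return out, nil
}

// sample is constructed input: an aliased crypto/sha1 import next to crypto/sha512.
const sample = "package tool\n\nimport (\n\th \"crypto/sha1\"\n\t\"crypto/sha512\"\n\t\"fmt\"\n)\n"

func main() {
	findings, err := findBlocklistedImports("tool.go", sample)
	fmt.Printf("%+v %v\n", findings, err)
}
```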
Bad practice
package main

import (
	"crypto/sha1"
	"fmt"
	"os"
)

func main() {
	// Prints the SHA1 digest of every command-line argument; this import is what gets flagged.
	for _, arg := range os.Args {
		fmt.Printf("%x - %s\n", sha1.Sum([]byte(arg)), arg)
	}
}