Use of weak or non-cryptographic hash algorithm in security context

ID

rust.cryptography.insecure_hash

Severity

low

Resource

Cryptography

Language

Rust

Description

Use of weak or non-cryptographic hash algorithm detected in security-sensitive function '$FN_NAME'. MD2, MD4, MD5, SHA0, SHA1, RIPEMD-128, GOST R 34.11-94, Tiger, and non-cryptographic checksums (CRC, FNV, Adler32) should not be used for security purposes. Use SHA-256, SHA-384, SHA-512, or SHA-3 family instead.

Rationale

The following code illustrates a vulnerable pattern detected by this rule:

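// The Digest trait provides new(), update() and finalize().
use md2::Digest;

fn hash_password_md2() {
    // VULNERABLE: Use of weak or non-cryptographic hash algorithm in security context
    let mut hasher = md2::Md2::new();
    hasher.update(b"hello");
    // The resulting MD2 digest is what the rule warns against relying on.
    let result = hasher.finalize();
}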
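The kind of check the description implies, a weak-hash reference inside a function whose name looks security-sensitive, can be sketched as follows. This is an added example and not the detector's own code: the names `scan` and `Finding`, the keyword list used to decide what counts as security-sensitive, and the crate path fragments are all assumptions, and the sample source is constructed.

```rust
// Added example: a heuristic sketch, not the detector's implementation.
// Identifier fragments for the algorithms the rule lists (crate paths assumed).
const WEAK: &[&str] = &["md2::", "md4::", "md5::", "sha1::", "ripemd128",
                        "tiger::", "crc32", "fnv::", "adler"];
// Assumed markers of a security-sensitive function name.
const SENSITIVE: &[&str] = &["password", "passwd", "token", "auth", "secret"];

#[derive(Debug, PartialEq)]
pub struct Finding { pub function: String, pub line: usize, pub algorithm: String }

// Returns the identifier after `fn` when the line starts a function.
fn fn_name(line: &str) -> Option<&str> {
    let t = line.trim_start();
    let rest = t.strip_prefix("pub ").unwrap_or(t).strip_prefix("fn ")?;
    let end = rest.find(|c: char| !(c.is_alphanumeric() || c == '_')).unwrap_or(rest.len());
    Some(&rest[..end])
}

// Flags weak-hash references inside functions whose name looks sensitive.
// Scope tracking is simplified: a function lasts until the next `fn` line.
pub fn scan(source: &str) -> Vec<Finding> {
    let (mut current, mut findings) = (String::new(), Vec::new());
    for (idx, raw) in source.lines().enumerate() {
        if let Some(name) = fn_name(raw) { current = name.to_string(); }
        let name_lc = current.to_lowercase();
        if !SENSITIVE.iter().any(|k| name_lc.contains(*k)) { continue; }
        // Ignore line comments so prose mentioning an algorithm is not flagged.
        let code = raw.split("//").next().unwrap_or("").to_lowercase();
        if let Some(alg) = WEAK.iter().find(|w| code.contains(**w)) {
            findings.push(Finding { function: current.clone(), line: idx + 1,
                                    algorithm: alg.trim_end_matches(':').to_string() });
        }
    }
    findings
}

// Constructed sample input (not from any real project).
pub const SAMPLE: &str = r#"
fn hash_password_md2(pw: &[u8]) {
    let mut hasher = md2::Md2::new();
}
fn cache_key(data: &[u8]) -> u32 { crc32fast::hash(data) }
fn verify_token(t: &[u8]) -> bool {
    // md5:: must not be used here
    sha2::Sha256::digest(t)[0] == 0
}
"#;

fn main() { for f in scan(SAMPLE) { println!("{:?}", f); } }
```

The CRC call in `cache_key` is not reported because the function name carries no security marker, which mirrors the rule's restriction to security-sensitive functions.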

Remediation

Follow secure coding practices and review the references below for detailed remediation guidance.

Configuration

This detector does not need any configuration.