This is an automated email from the ASF dual-hosted git repository.

lhotari pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/pulsar.git


The following commit(s) were added to refs/heads/master by this push:
     new 442595ea26c [fix][sec] Dismiss warning about MD5 since it's sufficient 
for these use cases (#22282)
442595ea26c is described below

commit 442595ea26c8c0699807a0fef2b7e2e27c677c08
Author: Lari Hotari <[email protected]>
AuthorDate: Fri Mar 15 12:43:37 2024 -0700

    [fix][sec] Dismiss warning about MD5 since it's sufficient for these use 
cases (#22282)
---
 .../main/java/org/apache/pulsar/client/impl/crypto/MessageCryptoBc.java | 2 +-
 .../src/main/java/org/apache/pulsar/common/nar/NarUnpacker.java         | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git 
a/pulsar-client-messagecrypto-bc/src/main/java/org/apache/pulsar/client/impl/crypto/MessageCryptoBc.java
 
b/pulsar-client-messagecrypto-bc/src/main/java/org/apache/pulsar/client/impl/crypto/MessageCryptoBc.java
index cbb704de138..f31fb1aa8b0 100644
--- 
a/pulsar-client-messagecrypto-bc/src/main/java/org/apache/pulsar/client/impl/crypto/MessageCryptoBc.java
+++ 
b/pulsar-client-messagecrypto-bc/src/main/java/org/apache/pulsar/client/impl/crypto/MessageCryptoBc.java
@@ -148,7 +148,7 @@ public class MessageCryptoBc implements 
MessageCrypto<MessageMetadata, MessageMe
             cipher = Cipher.getInstance(AESGCM, 
BouncyCastleProvider.PROVIDER_NAME);
             // If keygen is not needed(e.g: consumer), data key will be 
decrypted from the message
             if (!keyGenNeeded) {
-
+                // codeql[java/weak-cryptographic-algorithm] - md5 is 
sufficient for this use case
                 digest = MessageDigest.getInstance("MD5");
 
                 dataKey = null;
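Review bot: The suppression comment added above `MessageDigest.getInstance("MD5")` states that MD5 is sufficient but not which property is being relied on, so neither a reader nor a future re-review of the scanner finding can check the claim; the hunk does not show how `digest` is consumed, so the justification must come from the surrounding code. I would spell out the role, e.g. `// codeql[java/weak-cryptographic-algorithm] - MD5 is used only as a <role — TODO: state it, e.g. non-adversarial fingerprint>; collision/preimage resistance is not required here`. The same one-line justification is repeated in `NarUnpacker.calculateMd5sum` in the second hunk and would benefit from the same wording, and the algorithm name is spelled "MD5" here and "md5" there — both accepted by JCA, but one spelling avoids the appearance of two different algorithms. The enclosing method starts and ends outside the hunk.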
diff --git 
a/pulsar-common/src/main/java/org/apache/pulsar/common/nar/NarUnpacker.java 
b/pulsar-common/src/main/java/org/apache/pulsar/common/nar/NarUnpacker.java
index 1e34c3e4fe7..e1806836d28 100644
--- a/pulsar-common/src/main/java/org/apache/pulsar/common/nar/NarUnpacker.java
+++ b/pulsar-common/src/main/java/org/apache/pulsar/common/nar/NarUnpacker.java
@@ -168,6 +168,7 @@ public class NarUnpacker {
      */
     private static byte[] calculateMd5sum(final File file) throws IOException {
         try (final FileInputStream inputStream = new FileInputStream(file)) {
+            // codeql[java/weak-cryptographic-algorithm] - md5 is sufficient 
for this use case
             final MessageDigest md5 = MessageDigest.getInstance("md5");
 
             final byte[] buffer = new byte[1024];
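Review bot: The Javadoc whose closing `*/` sits directly above `calculateMd5sum` (its text is outside the hunk) is the place where the limitation that the new comment hints at should be recorded for callers, because a suppression comment inside the method body is invisible to them. I would add a sentence such as `Note: MD5 is not collision-resistant; the returned value is suitable only for <purpose — TODO: state it> and must not be relied on as a tamper-evidence or integrity check.` If, as the name suggests, the sum is only compared against a previously computed value for the same local file, that sentence documents exactly the assumption the scanner exception depends on; if callers ever use it for more, the Javadoc is where that would be caught. The method body continues past the end of the hunk.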
