Recipe Name:
Data Protection: Secure Data Storage: Avoid Data Exposure: Hash passwords using strong hashing algorithms
Description:
Could lead to data exposure
Level:
error
Language:
  • java
Tags:
  • Spring
  • security
  • framework specific
  • Spring Security
Documentation

Passwords should be hashed using strong algorithms, such as the BCryptPasswordEncoder.

Before
PasswordEncoder passwordEncoder = new ShaPasswordEncoder();
After
PasswordEncoder passwordEncoder = new BCryptPasswordEncoder();
Resources
Recipe
id: scw:spring:security:hash-passwords
version: 10
metadata:
  name: 'Data Protection: Secure Data Storage: Avoid Data Exposure: Hash passwords using strong hashing algorithms'
  shortDescription: Could lead to data exposure
  level: error
  language: java
  newCodeOnly: false
  scwCategory: broken_cryptography:use_of_insecuredeprecated_alogirthms
  enabled: true
  descriptionFile: descriptions/DataProtectionSecureDataStorageAvoidDataExposureHashpasswordsusingstronghashingalgorithms.html
  tags: Spring;security;framework specific;Spring Security
search:
  instanceCreation:
    not:
      anyOf:
      - in:
          assignment:
            variableType:
              reference:
                matches: (.*ShaPasswordEncoder|Md.PasswordEncoder|MessageDigestPasswordEncoder|StandardPasswordEncoder|PlaintextPasswordEncoder)
              checkInheritance: false
    type:
      reference:
        matches: (.*ShaPasswordEncoder|Md.PasswordEncoder|MessageDigestPasswordEncoder|StandardPasswordEncoder|PlaintextPasswordEncoder)
      checkInheritance: false
availableFixes:
- name: Use BCryptPasswordEncoder
  actions:
  - rewrite:
      to: new org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder()