When scanning pkg:maven/com.google.guava/guava@33.0.0-jre we get 12 findings, all of which come from Hashing.java. All findings refer to locations at the closing `*/` of javadoc comments. One such example is Hashing.java#L316.
The detection comes from the method BEFORE the comment, not from the javadoc comment itself.
```java
  /**
   * Returns a hash function implementing the Message Authentication Code (MAC) algorithm, using the
   * MD5 (128 hash bits) hash function and a {@link SecretKeySpec} created from the given byte array
   * and the MD5 algorithm.
   *
   * @param key the key material of the secret key
   * @since 20.0
   */
  public static HashFunction hmacMd5(byte[] key) {
    return hmacMd5(new SecretKeySpec(checkNotNull(key), "HmacMD5"));
  }

  /**
   * Returns a hash function implementing the Message Authentication Code (MAC) algorithm, using the
   * SHA-512 (512 hash bits) hash function and the given secret key.
   *
   * @param key the secret key
   * @throws IllegalArgumentException if the given key is inappropriate for initializing this MAC
   * @since 20.0
   -----> DETECTED HERE <------ */
  public static HashFunction hmacSha512(Key key) {
    return new MacHashFunction("HmacSHA512", key, hmacToString("hmacSha512", key));
  }
```
The finding correctly identifies the use of an MD5 algorithm.
Here is the corresponding CBOM component:
```json
{
  "name": "MD5",
  "type": "cryptographic-asset",
  "bom-ref": "d703a471-b0ac-43ea-b167-3db2f4860f46",
  "evidence": {
    "occurrences": [
      {
        "line": 316,
        "offset": 23,
        "location": "guava/src/com/google/common/hash/Hashing.java",
        "additionalContext": "javax.crypto.spec.SecretKeySpec#<init>([BLjava/lang/String;)V"
      }
    ]
  },
  "cryptoProperties": {
    "assetType": "algorithm",
    "algorithmProperties": {
      "primitive": "hash",
      "cryptoFunctions": [
        "digest"
      ],
      "parameterSetIdentifier": "128"
    }
  }
},
```
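A small consistency check for this class of mislocated occurrence, added here as an example and not part of the scanner or of Guava: it derives the referenced class from `additionalContext`, tests whether the reported `line` actually contains that symbol rather than a javadoc closer, and otherwise suggests the nearest line that does. The source snippet and its line numbers are constructed to mirror the excerpt above (the real file's line 316 is not reproduced).

```python
# Constructed excerpt mirroring the Hashing.java region quoted in the report;
# line numbers are relative to this snippet, not to the real file.
SOURCE = """\
  /**
   * Returns a hash function implementing the HMAC-MD5 algorithm.
   */
  public static HashFunction hmacMd5(byte[] key) {
    return hmacMd5(new SecretKeySpec(checkNotNull(key), "HmacMD5"));
  }

  /**
   * Returns a hash function implementing the HMAC-SHA512 algorithm.
   *
   * @since 20.0
   */
  public static HashFunction hmacSha512(Key key) {
    return new MacHashFunction("HmacSHA512", key, hmacToString("hmacSha512", key));
  }
""".splitlines()

# CBOM occurrence shaped like the one in the report; "line" is re-pointed at the
# closing "*/" of the second javadoc in the constructed snippet (line 12).
OCCURRENCE = {
    "line": 12,
    "offset": 23,
    "location": "guava/src/com/google/common/hash/Hashing.java",
    "additionalContext": "javax.crypto.spec.SecretKeySpec#<init>([BLjava/lang/String;)V",
}


def needle_from_context(ctx: str) -> str:
    """'pkg.Class#method(desc)' -> 'Class'."""
    return ctx.split("#", 1)[0].rsplit(".", 1)[-1]


def check_occurrence(source, occ, window=20):
    """Return (ok, reported_line_text, suggested_line).

    ok is False when the 1-based occ['line'] ends a comment or lacks the
    referenced symbol; suggested_line is then the nearest line within
    `window` that does contain it (None if nothing is found).
    """
    needle = needle_from_context(occ["additionalContext"])
    idx = occ["line"] - 1
    text = source[idx].strip()
    if needle in text and not text.endswith("*/"):
        return True, text, occ["line"]
    for d in range(1, window + 1):                 # search outward from idx
        for cand in (idx - d, idx + d):
            if 0 <= cand < len(source) and needle in source[cand]:
                return False, text, cand + 1
    return False, text, None
```

Run against a real CBOM and checkout, a suggested line that is consistently a few lines above the reported one (the previous method body) confirms the shift described in the report.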