
Crypto detection in comment

Open san-zrl opened this issue 2 months ago • 0 comments

When scanning pkg:maven/com.google.guava/[email protected] we get 12 findings, all of which come from Hashing.java. All findings refer to locations at the closing '*/' of javadoc comments. One such example is Hashing.java#L364.

  /**
   * Returns a hash function implementing the Message Authentication Code (MAC) algorithm, using the
   * SHA-512 (512 hash bits) hash function and the given secret key.
   *
   * @param key the secret key
   * @throws IllegalArgumentException if the given key is inappropriate for initializing this MAC
   * @since 20.0
   */

Does the SHA-512 string trigger the false positive?

san-zrl Oct 01 '25 14:10
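One way to check the hypothesis raised in the report (that the literal string "SHA-512" in the Javadoc is what gets flagged), as an added example that is not part of the issue and not sonar-cryptography's own detection code: a small Python scan that matches algorithm names in a constructed Java snippet modelled on the quoted Javadoc, then classifies each hit as "comment" or "code" by blanking out comments with a length-preserving stripper. The sample source, the algorithm-name pattern and the hypothetical `scan` / `code_hits` helpers are assumptions for illustration; they say nothing about how the plugin itself locates its findings.

```python
import re

# Constructed Java source (not Guava's real Hashing.java): a Javadoc that names
# SHA-512, one real HMAC-SHA512 call, and a line comment naming MD5.  A name-only
# scanner sees three hits; only the call on line 13 is actually code.
SAMPLE_JAVA = '''\
package example;

import com.google.common.hash.Hashing;

public final class Demo {
  /**
   * Returns a hash function implementing the Message Authentication Code (MAC) algorithm, using the
   * SHA-512 (512 hash bits) hash function and the given secret key.
   *
   * @param key the secret key
   */
  public static Object mac(byte[] key) {
    return Hashing.hmacSha512(key); // MD5 here is only a comment, too
  }
}
'''

# Hypothetical algorithm-name pattern; deliberately matches inside identifiers
# ("hmacSha512") as well as in free text ("SHA-512").
ALGO_RE = re.compile(r'SHA-?(?:224|256|384|512|1)|MD5', re.IGNORECASE)


def strip_java_comments(src):
    """Replace every // and /* */ comment with spaces of equal length.

    Newlines inside block comments are kept, so offsets and line numbers of the
    result line up with the original.  String and char literals are copied
    verbatim so a "//" or "/*" inside them is not mistaken for a comment.
    """
    out = []
    i, n = 0, len(src)
    while i < n:
        if src.startswith('//', i):
            end = src.find('\n', i)
            end = n if end == -1 else end
            out.append(' ' * (end - i))
            i = end
        elif src.startswith('/*', i):
            end = src.find('*/', i + 2)
            end = n if end == -1 else end + 2
            out.append(re.sub(r'[^\n]', ' ', src[i:end]))
            i = end
        elif src[i] in '"\'':
            quote = src[i]
            end = i + 1
            while end < n and src[end] != quote:
                if src[end] == '\\':
                    end += 1          # skip the escaped character
                end += 1
            end = min(end + 1, n)     # include the closing quote
            out.append(src[i:end])
            i = end
        else:
            out.append(src[i])
            i += 1
    return ''.join(out)


def scan(src):
    """Return (line, matched text, 'code' | 'comment') for every algorithm-name hit."""
    stripped = strip_java_comments(src)
    hits = []
    for m in ALGO_RE.finditer(src):
        lineno = src.count('\n', 0, m.start()) + 1
        # Offsets are preserved by the stripper, so a hit that survives
        # stripping unchanged lives in code; otherwise it was inside a comment.
        where = 'code' if stripped[m.start():m.end()] == m.group(0) else 'comment'
        hits.append((lineno, m.group(0), where))
    return hits


def code_hits(src):
    """The hits a comment-aware scanner would report: (line, matched text) in code only."""
    return [(line, text) for line, text, where in scan(src) if where == 'code']


if __name__ == '__main__':
    for line, text, where in scan(SAMPLE_JAVA):
        print(f'line {line:2d}  {text:8s}  {where}')
    print('code-only:', code_hits(SAMPLE_JAVA))
```

Run against the constructed snippet, the name-only pass reports the Javadoc's "SHA-512" (line 8) and the line comment's "MD5" (line 13) alongside the real `hmacSha512` call; the comment-aware pass keeps only the call. If a scanner that should be comment-aware still reports the Javadoc line, the comment text itself is the trigger, which is the question the report asks.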