Use of MD5 as MessageDigest

[akwick]

I am reaching out to you as we conducted an empirical study to understand the nature of cryptographic misuses in enterprise-driven projects on GitHub. During our study, we randomly inspected a few of the misuses. One of the misuses for which we could confirm the finding of the analysis, CogniCryptSAST, is one in your project:

io.github.lukehutch.fastclasspathscanner.utils.HashClassfileContents$1 uses MD5 as a parameter to java.security.MessageDigest. By now, it is possible to have collisions with MD5 and are not considered secure any longer. Therefore, one should not use MD5 anymore in a security context like password storage, token generation, or computation integrity. This misuse is also considered problematic by industry tools like SonarSource. If you are interested in the details of the misuses we identified within your project, I attached all crypto misuses reported for your project.

We hope that this information helps you and to hear back from you.