Linter: gosec, Rule: G505 - Import blocklist: crypto/sha1. Should we enable it?

[zak-pawel]

Use Case

This issue starts discussion about enabling:

• linter: gosec - Inspects source code for security problems by scanning the Go AST.
• rule: G505 - Import blocklist: crypto/sha1

Rule is mapped to CWE-327: Use of a Broken or Risky Cryptographic Algorithm.

Expected behavior

Decision if rule should be enabled or not.

Actual behavior

For this rule following findings were found in current code:

plugins/inputs/webhooks/artifactory/artifactory_webhook.go:5:2  gosec  G505: Blocklisted import crypto/sha1: weak cryptographic primitive
plugins/inputs/webhooks/github/github_webhooks.go:5:2           gosec  G505: Blocklisted import crypto/sha1: weak cryptographic primitive

Additional info

For this rule no additional configuration can be provided.

[powersj]

+1

[srebhan]

So what do we do with the locations requiring SHA1 due to the queried endpoint? +1 if the idea is to consciously silence those.