Updated G401 corresponding CWE

The corresponding CWE from G401 rule was changed from CWE-326 -> CWE-328. In my opinion, this CWE suits better the rule.
securego · Jun 24, 2024 · 2e71f37 · 2e71f37
1 parent 3edc633
commit 2e71f37
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 1 deletion.
diff --git a/cwe/data.go b/cwe/data.go
@@ -93,6 +93,11 @@ var idWeaknesses = map[string]*Weakness{
 		Description: "The use of a broken or risky cryptographic algorithm is an unnecessary risk that may result in the exposure of sensitive information.",
 		Name:        "Use of a Broken or Risky Cryptographic Algorithm",
 	},
+	"328": {
+		ID:          "328",
+		Description: "The product uses an algorithm that produces a digest (output value) that does not meet security expectations for a hash function that allows an adversary to reasonably determine the original input (preimage attack), find another input that can produce the same hash (2nd preimage attack), or find multiple inputs that evaluate to the same hash (birthday attack). ",
+		Name:        "Use of Weak Hash",
+	},
 	"338": {
 		ID:          "338",
 		Description: "The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong.",

diff --git a/issue/issue.go b/issue/issue.go
@@ -78,7 +78,7 @@ var ruleToCWE = map[string]string{
 	"G304": "22",
 	"G305": "22",
 	"G306": "276",
-	"G401": "326",
+	"G401": "328",
 	"G402": "295",
 	"G403": "310",
 	"G404": "338",