Merge pull request #3634 from semgrep/kb/CODE-8527

case insensitive MD5 detection

Author: kurt-r2c

java/lang/security/audit/crypto/use-of-md5.fixed.java

@@ -11,12 +11,20 @@ public byte[] bad1(String password) {
   }
 
   public byte[] bad2(String password) {
+    // ruleid: use-of-md5
+    MessageDigest md5Digest = MessageDigest.getInstance("SHA-512");
+    md5Digest.update(password.getBytes());
+    byte[] hashValue = md5Digest.digest();
+    return hashValue;
+  }
+
+  public byte[] bad3(String password) {
     // ok: use-of-md5
     byte[] hashValue = DigestUtils.getMd5Digest().digest(password.getBytes());
     return hashValue;
   }
 
-  public void bad3() {
+  public void bad4() {
       // ruleid: use-of-md5
       java.security.MessageDigest md = java.security.MessageDigest.getInstance("SHA-512");
       byte[] input = {(byte) '?'};

java/lang/security/audit/crypto/use-of-md5.java

@@ -11,12 +11,20 @@ public byte[] bad1(String password) {
   }
 
   public byte[] bad2(String password) {
+    // ruleid: use-of-md5
+    MessageDigest md5Digest = MessageDigest.getInstance("md5");
+    md5Digest.update(password.getBytes());
+    byte[] hashValue = md5Digest.digest();
+    return hashValue;
+  }
+
+  public byte[] bad3(String password) {
     // ok: use-of-md5
     byte[] hashValue = DigestUtils.getMd5Digest().digest(password.getBytes());
     return hashValue;
   }
 
-  public void bad3() {
+  public void bad4() {
       // ruleid: use-of-md5
       java.security.MessageDigest md = java.security.MessageDigest.getInstance("MD5");
       byte[] input = {(byte) '?'};

java/lang/security/audit/crypto/use-of-md5.yaml

@@ -30,7 +30,7 @@ rules:
        java.security.MessageDigest.getInstance($ALGO, ...);
     - metavariable-regex:
         metavariable: "$ALGO"
-        regex: (.MD5.)
+        regex: (?i)(.MD5.)
     - focus-metavariable: $ALGO
   fix: |
     "SHA-512"