Add cryptographic vulnerability for AI resolution demo

This MR introduces a single file (crypto-weakness.js) containing a cryptographic vulnerability that demonstrates:

Vulnerability Details

  • Type: Weak Cryptographic Algorithm (CWE-327)
  • Issue: Using MD5 for password hashing instead of secure alternatives
  • Location: hashPassword() method in crypto-weakness.js
  • Severity: High (MD5 is cryptographically broken and vulnerable to rainbow table attacks)

AI Resolution Opportunity

This vulnerability is ideal for AI-assisted resolution because:

  1. Clear fix: Replace MD5 with bcrypt, scrypt, or Argon2
  2. Well-documented: Standard security practice with clear implementation patterns
  3. Single method: Isolated change that doesn't affect other code
  4. Testable: Easy to verify the fix works correctly

Expected SAST Detection

SAST tools should flag this as:

  • Weak cryptographic algorithm usage
  • Insecure password hashing
  • Use of deprecated/broken hash function

This provides a perfect scenario for demonstrating AI-powered vulnerability resolution capabilities.
