[secure] Move from md5 to sha-512 to clear codeql vulnerability alert

hazendaz · Dec 19, 2023 · 46a8785 · 46a8785
1 parent 48e2305
commit 46a8785
Show file tree

Hide file tree

Showing 10 changed files with 20 additions and 20 deletions.
diff --git a/src/main/java/org/eluder/coveralls/maven/plugin/source/AbstractSourceLoader.java b/src/main/java/org/eluder/coveralls/maven/plugin/source/AbstractSourceLoader.java
@@ -25,7 +25,7 @@
 
 import org.codehaus.plexus.util.IOUtil;
 import org.eluder.coveralls.maven.plugin.domain.Source;
-import org.eluder.coveralls.maven.plugin.util.Md5DigestInputStream;
+import org.eluder.coveralls.maven.plugin.util.Sha521DigestInputStream;
 
 import java.io.IOException;
 import java.io.InputStream;
@@ -48,12 +48,12 @@ public AbstractSourceLoader(final URI base, final URI sourceBase, final String s
     public Source load(final String sourceFile) throws IOException {
         InputStream stream = locate(sourceFile);
         if (stream != null) {
-            try (Md5DigestInputStream ds = new Md5DigestInputStream(stream);
+            try (Sha521DigestInputStream ds = new Sha521DigestInputStream(stream);
                     InputStreamReader reader = new InputStreamReader(ds, getSourceEncoding())) {
                 String source = IOUtil.toString(reader);
                 return new Source(getFileName(sourceFile), source, ds.getDigestHex());
             } catch (NoSuchAlgorithmException ex) {
-                throw new IOException("MD5 algorithm not available", ex);
+                throw new IOException("Sha-512 algorithm not available", ex);
             }
         } else {
             return null;

diff --git a/...ven/plugin/util/Md5DigestInputStream.java → .../plugin/util/Sha521DigestInputStream.java b/...ven/plugin/util/Md5DigestInputStream.java → .../plugin/util/Sha521DigestInputStream.java
@@ -29,10 +29,10 @@
 import java.security.NoSuchAlgorithmException;
 import org.apache.commons.codec.binary.Hex;
 
-public class Md5DigestInputStream extends DigestInputStream {
+public class Sha521DigestInputStream extends DigestInputStream {
 
-    public Md5DigestInputStream(final InputStream stream) throws NoSuchAlgorithmException {
-        super(stream, MessageDigest.getInstance("MD5"));
+    public Sha521DigestInputStream(final InputStream stream) throws NoSuchAlgorithmException {
+        super(stream, MessageDigest.getInstance("SHA-512"));
     }
 
     public String getDigestHex() {

diff --git a/src/test/java/org/eluder/coveralls/maven/plugin/CoverallsReportMojoTest.java b/src/test/java/org/eluder/coveralls/maven/plugin/CoverallsReportMojoTest.java
@@ -114,7 +114,7 @@ public void init() throws Exception {
             public Source answer(final InvocationOnMock invocation) throws Throwable {
                 String sourceFile = invocation.getArguments()[0].toString();
                 String content = readFileContent(sourceFile);
-                return new Source(sourceFile, content, TestIoUtil.getMd5DigestHex(content));
+                return new Source(sourceFile, content, TestIoUtil.getSha512DigestHex(content));
             }
         });
         when(logMock.isInfoEnabled()).thenReturn(true);

diff --git a/src/test/java/org/eluder/coveralls/maven/plugin/parser/AbstractCoverageParserTest.java b/src/test/java/org/eluder/coveralls/maven/plugin/parser/AbstractCoverageParserTest.java
@@ -80,7 +80,7 @@ protected Answer<Source> sourceAnswer(final String name, final String content) {
         return new Answer<Source>() {
             @Override
             public Source answer(final InvocationOnMock invocation) throws Throwable {
-                return new Source(name, content, TestIoUtil.getMd5DigestHex(content));
+                return new Source(name, content, TestIoUtil.getSha512DigestHex(content));
             }
         };
     }

diff --git a/src/test/java/org/eluder/coveralls/maven/plugin/source/DirectorySourceLoaderTest.java b/src/test/java/org/eluder/coveralls/maven/plugin/source/DirectorySourceLoaderTest.java
@@ -69,7 +69,7 @@ public void testLoadSource() throws Exception {
         DirectorySourceLoader sourceLoader = new DirectorySourceLoader(folder.getRoot(), folder.getRoot(), "UTF-8");
         Source source = sourceLoader.load(file.getName());
         assertEquals(file.getName(), source.getName());
-        assertEquals("2AC359C9A152FD7CD79C4EB147069224", source.getDigest());
+        assertEquals("27F0B29785725F4946DBD05F7963E507B8DB735C2803BBB80C93ECB02291B2E2F9B03CBF27526DB68B6A862F1C6541275CD413A1CCD3E07209B9CAE0C04163C6", source.getDigest());
         assertEquals(4, source.getCoverage().length);
     }
 }
diff --git a/src/test/java/org/eluder/coveralls/maven/plugin/source/ScanSourceLoaderTest.java b/src/test/java/org/eluder/coveralls/maven/plugin/source/ScanSourceLoaderTest.java
@@ -72,11 +72,11 @@ public void testLoadSource() throws Exception {
         ScanSourceLoader sourceLoader = new ScanSourceLoader(folder.getRoot(), folder.getRoot(), "UTF-8");
         Source sourceA = sourceLoader.load(fileA.getName());
         assertEquals("level1" + File.separator + "level2" + File.separator + "level3" + File.separator + "AFile.java", sourceA.getName());
-        assertEquals("2AC359C9A152FD7CD79C4EB147069224", sourceA.getDigest());
+        assertEquals("27F0B29785725F4946DBD05F7963E507B8DB735C2803BBB80C93ECB02291B2E2F9B03CBF27526DB68B6A862F1C6541275CD413A1CCD3E07209B9CAE0C04163C6", sourceA.getDigest());
         assertEquals(4, sourceA.getCoverage().length);
         Source sourceB = sourceLoader.load(fileB.getName());
         assertEquals("level1" + File.separator + "level2" + File.separator + "level3" + File.separator + "BFile.java", sourceB.getName());
-        assertEquals("2AC359C9A152FD7CD79C4EB147069224", sourceB.getDigest());
+        assertEquals("27F0B29785725F4946DBD05F7963E507B8DB735C2803BBB80C93ECB02291B2E2F9B03CBF27526DB68B6A862F1C6541275CD413A1CCD3E07209B9CAE0C04163C6", sourceB.getDigest());
         assertEquals(4, sourceB.getCoverage().length);
     }
 }
diff --git a/src/test/java/org/eluder/coveralls/maven/plugin/source/UniqueSourceCallbackTest.java b/src/test/java/org/eluder/coveralls/maven/plugin/source/UniqueSourceCallbackTest.java
@@ -90,7 +90,7 @@ private UniqueSourceCallback createUniqueSourceCallback() {
     }
 
     private Source createSource(final String name, final String source, final int... relevant) throws Exception {
-        Source s = new Source(name, source, TestIoUtil.getMd5DigestHex(source));
+        Source s = new Source(name, source, TestIoUtil.getSha512DigestHex(source));
         for (int i : relevant) {
             s.addCoverage(i, 1);
         }

diff --git a/src/test/java/org/eluder/coveralls/maven/plugin/source/UrlSourceLoaderTest.java b/src/test/java/org/eluder/coveralls/maven/plugin/source/UrlSourceLoaderTest.java
@@ -69,7 +69,7 @@ public void testLoadSourceFromUrl() throws Exception {
         Source source = sourceLoader.load(fileName);
 
         assertEquals(fileName, source.getName());
-        assertEquals("9897A4BB0467180D3C6ACD95475DD77D", source.getDigest());
+        assertEquals("259AEA51FD9A0FB9529BDDDECDD3FCAE41BFA7C5C8C79555D61E4FB2910D08363814EC6C02DA1FBF6FF539DCEB7DC180B5043E980651049C24497BDA1CA47DAA", source.getDigest());
         assertEquals(3, source.getCoverage().length);
     }
 

diff --git a/...plugin/util/Md5DigestInputStreamTest.java → ...gin/util/Sha521DigestInputStreamTest.java b/...plugin/util/Md5DigestInputStreamTest.java → ...gin/util/Sha521DigestInputStreamTest.java
@@ -29,32 +29,32 @@
 
 import static org.junit.Assert.assertEquals;
 
-public class Md5DigestInputStreamTest {
+public class Sha521DigestInputStreamTest {
 
     @Test
     public void testRead() throws Exception {
         byte[] data = new byte[] { (byte) 0xAA, (byte) 0xBB, (byte) 0xCC, (byte) 0xDD };
-        try (Md5DigestInputStream is = new Md5DigestInputStream(new ByteArrayInputStream(data))) {
+        try (Sha521DigestInputStream is = new Sha521DigestInputStream(new ByteArrayInputStream(data))) {
             assertEquals(0xAA, is.read());
             assertEquals(0xBB, is.read());
             assertEquals(0xCC, is.read());
             assertEquals(0xDD, is.read());
             assertEquals(-1, is.read());
-            assertEquals("CA6FFBF95B47864FD4E73F2601326304", is.getDigestHex());
+            assertEquals("48E218B30D4EA16305096FE35E84002A0D262EB3853131309423492228980C60238F9EED238285036F22E37C4662E40C80A461000A7AA9A03FB3CB6E4223E83B", is.getDigestHex());
         }
     }
 
     @Test
     public void testReadArray() throws Exception {
         byte[] data = new byte[] { (byte) 0xAA, (byte) 0xBB, (byte) 0xCC, (byte) 0xDD };
-        try (Md5DigestInputStream is = new Md5DigestInputStream(new ByteArrayInputStream(data))) {
+        try (Sha521DigestInputStream is = new Sha521DigestInputStream(new ByteArrayInputStream(data))) {
             byte[] buff = new byte[5];
             assertEquals(4, is.read(buff));
             assertEquals(-1, is.read());
             for (int i = 0; i < data.length; i++) {
                 assertEquals(data[i], buff[i]);
             }
-            assertEquals("CA6FFBF95B47864FD4E73F2601326304", is.getDigestHex());
+            assertEquals("48E218B30D4EA16305096FE35E84002A0D262EB3853131309423492228980C60238F9EED238285036F22E37C4662E40C80A461000A7AA9A03FB3CB6E4223E83B", is.getDigestHex());
         }
     }
 }
diff --git a/src/test/java/org/eluder/coveralls/maven/plugin/util/TestIoUtil.java b/src/test/java/org/eluder/coveralls/maven/plugin/util/TestIoUtil.java
@@ -71,8 +71,8 @@ public static File getFile(final String resource) {
         }
     }
 
-    public static String getMd5DigestHex(final String content) throws NoSuchAlgorithmException {
-        return DigestUtils.md5Hex(content).toUpperCase();
+    public static String getSha512DigestHex(final String content) throws NoSuchAlgorithmException {
+        return DigestUtils.sha512Hex(content).toUpperCase();
     }
 
     private static URL getResourceUrl(final String resource) {