[ https://issues.apache.org/jira/browse/GROOVY-11459?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17880970#comment-17880970 ]
Paul King edited comment on GROOVY-11459 at 9/11/24 1:50 PM:
-------------------------------------------------------------

I created a temporary branch to play with hashing algorithms:

[https://github.com/paulk-asert/groovy/tree/groovy11459]

Some parts are definitely not intended to be committed.

Running `perf:perfTests` gives results like this:

{noformat}
> Task :performance:performanceTests (Linux JDK21)
Groovy 5_0_0-alpha-9 Average 593.9ms ± 70.56ms
Groovy current_md5 Average 634.54ms ± 88.25ms (6.84% slower)
Groovy current_xx128 Average 635.98ms ± 85.95ms (7.08% slower)
Groovy current_sha256 Average 636.03ms ± 83.15ms (7.09% slower)
Groovy current_murmur3_128B Average 640.67ms ± 78.06ms (7.87% slower)
Groovy current_murmur3_128A Average 654.14ms ± 73.55ms (10.14% slower)
Groovy 4_0_22 Average 738.33ms ± 216.17ms (24.32% slower)
{noformat}

The ordering wasn't consistent, e.g. here was one of the runs on Windows:

{noformat}
> Task :performance:performanceTests (Windows JDK17)
Groovy current_murmur3_128B Average 957.75ms ± 16.2ms
Groovy current_murmur3_128A Average 962.23ms ± 21.11ms (0.47% slower)
Groovy current_sha256 Average 969.51ms ± 26.66ms (1.23% slower)
Groovy current_xx128 Average 970.76ms ± 29.18ms (1.36% slower)
Groovy current_md5 Average 975.36ms ± 24.39ms (1.84% slower)
{noformat}

> weak hashing algorithm (use of a weak hashing algorithm)
> --------------------------------
>
> Key: GROOVY-11459
> URL: https://issues.apache.org/jira/browse/GROOVY-11459
> Project: Groovy
> Issue Type: Bug
> Affects Versions: 4.0.22
> Reporter: wellchang
> Assignee: Paul King
> Priority: Major
>
> An IAST scan found that Groovy uses MD5 to generate the cache key name; the path is groovy.lang.GroovyClassLoader.getSourceCacheKey
> It is recommended to use a common, secure hash algorithm, such as SHA-256, SHA-384, SHA-512, etc.
> Google Translate gives:
> Through iast scanning, it was found that md5 is used in groovy to generate
> the cache key name, and the path is
> groovy.lang.GroovyClassLoader.getSourceCacheKey
> It is recommended to use common secure hash algorithms, such as SHA-256,
> SHA-384, SHA-512, etc.