[ https://issues.apache.org/jira/browse/GROOVY-11459?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17881009#comment-17881009 ]
Paul King edited comment on GROOVY-11459 at 9/11/24 3:24 PM:
-------------------------------------------------------------

I'll send an email to the dev list shortly. Short answer is I like the idea of making it configurable and maybe sha256 isn't that bad performance-wise but I think we'd need more testing to know for sure. It puzzles me why the 5.0.0-alpha-9 test is quite a bit faster than the current_md5 version when there is really only a switch statement extra in that case and a one-off system property read.

was (Author: paulk):
I'll send an email to the dev list shortly.

> weak hashing algorithm (使用弱哈希算法)
> --------------------------------
>
> Key: GROOVY-11459
> URL: https://issues.apache.org/jira/browse/GROOVY-11459
> Project: Groovy
> Issue Type: Bug
> Affects Versions: 4.0.22
> Reporter: wellchang
> Assignee: Paul King
> Priority: Major
>
> 通过iast扫描发现groovy中使用了md5来生成缓存键名,路径为groovy.lang.GroovyClassLoader.getSourceCacheKey
> 建议使用常见的安全的哈希算法,如SHA-256,SHA-384,SHA-512等
> Google Translate gives:
> Through iast scanning, it was found that md5 is used in groovy to generate
> the cache key name, and the path is
> groovy.lang.GroovyClassLoader.getSourceCacheKey
> It is recommended to use common secure hash algorithms, such as SHA-256,
> SHA-384, SHA-512, etc.

--
This message was sent by Atlassian Jira (v8.20.10#820010)