SONARPY-2791 Expand support for Argon2 to S5344 (#196)

ghislainpiot · sonartech · commit 0f8a923592df · 2025-04-15T08:47:10.000Z
GitOrigin-RevId: bb4b754dce1d48498aeb49407e117d404fbd68db
diff --git a/python-checks/src/main/java/org/sonar/python/checks/hotspots/FastHashingOrPlainTextCheck.java b/python-checks/src/main/java/org/sonar/python/checks/hotspots/FastHashingOrPlainTextCheck.java
@@ -183,15 +183,35 @@ public class FastHashingOrPlainTextCheck extends PythonSubscriptionCheck {
     }
   });
 
-  private static final Map<String, Collection<CallValidator>> CALL_EXPRESSION_VALIDATORS = Map.ofEntries(
+
+  private TypeCheckBuilder argon2IDTypeChecker = null;
+  private final CallValidator argon2Type = new ArgumentValidator(
+    0, "type", (ctx, argument) -> {
+    if (argon2IDTypeChecker.check(argument.expression().typeV2()) == TriBool.FALSE) {
+      ctx.addIssue(argument, "Use Argon2ID to improve the security of the passwords.");
+    }
+  });
+  private TypeCheckBuilder argon2VersionTypeChecker = null;
+  private final CallValidator argon2Version = new ArgumentValidator(
+    1, "version", (ctx, argument) -> {
+    var typeCheck = argon2VersionTypeChecker.check(argument.expression().typeV2());
+    if (typeCheck == TriBool.TRUE) {
+      return;
+    }
+    if (!isEqualTo(argument.expression(), 19)) {
+      ctx.addIssue(argument, "Use the latest version of Argon2 ID.");
+    }
+  });
+
+  private final Map<String, Collection<CallValidator>> callExpressionValidators = Map.ofEntries(
     Map.entry("scrypt.hash", List.of(SCRYPT_R, SCRYPT_BUFLEN, SCRYPT_N)),
     Map.entry("hashlib.scrypt", List.of(HASHLIB_R, HASHLIB_N, HASHLIB_DKLEN)),
     Map.entry("hashlib.pbkdf2_hmac", List.of(HASHLIB_PBKDF2)),
     Map.entry("cryptography.hazmat.primitives.kdf.scrypt.Scrypt", List.of(CRYPTOGRAPHY_R, CRYPTOGRAPHY_N, CRYPTOGRAPHY_LENGTH)),
     Map.entry("cryptography.hazmat.primitives.kdf.pbkdf2.PBKDF2HMAC", List.of(CRYPTOGRAPHY_PBKDF2)),
     Map.entry("passlib.handlers.scrypt.scrypt.using", List.of(PASSLIB_BLOCK_SIZE, PASSLIB_ROUNDS)),
     Map.entry("argon2.PasswordHasher", List.of(new Argon2PasswordHasherValidator(0, 1, 2))),
-    Map.entry("argon2.Parameters", List.of(new Argon2PasswordHasherValidator(4, 5, 6))),
+    Map.entry("argon2.Parameters", List.of(new Argon2PasswordHasherValidator(4, 5, 6), argon2Type, argon2Version)),
     Map.entry("argon2.low_level.hash_secret", List.of(new Argon2PasswordHasherValidator(2, 3, 4))),
     Map.entry("argon2.low_level.hash_secret_raw", List.of(new Argon2PasswordHasherValidator(2, 3, 4))),
     Map.entry("passlib.handlers.argon2._Argon2Common.using", List.of(new Argon2PasswordHasherValidator(3, 4, 5))),
@@ -254,8 +274,10 @@ private static void checkDjangoHasher(SubscriptionContext subscriptionContext) {
   private void registerTypeCheckers(SubscriptionContext subscriptionContext) {
     argon2CheapestProfileTypeChecker = subscriptionContext.typeChecker().typeCheckBuilder().isTypeWithFqn("argon2.profiles.CHEAPEST");
     flaskConfigTypeChecker = subscriptionContext.typeChecker().typeCheckBuilder().isInstanceOf("flask.config.Config");
+    argon2IDTypeChecker = subscriptionContext.typeChecker().typeCheckBuilder().isTypeWithFqn("argon2.low_level.Type.ID");
+    argon2VersionTypeChecker = subscriptionContext.typeChecker().typeCheckBuilder().isTypeWithFqn("argon2.low_level.ARGON2_VERSION");
     typeCheckMap = new TypeCheckMap<>();
-    CALL_EXPRESSION_VALIDATORS.forEach((key, value) -> {
+    callExpressionValidators.forEach((key, value) -> {
       var typeCheckBuilder = subscriptionContext.typeChecker().typeCheckBuilder().isTypeWithFqn(key);
       typeCheckMap.put(typeCheckBuilder, value);
     });
diff --git a/python-checks/src/test/resources/checks/fastHashingOrPlainText/fastHashingOrPlainText.py b/python-checks/src/test/resources/checks/fastHashingOrPlainText/fastHashingOrPlainText.py
@@ -266,7 +266,19 @@ def manual_unsafe():
         parallelism=1,
     )
 
-    Parameters(type, version, salt_len, hash_len, 1, 1, 1)  # Noncompliant
+    from argon2.low_level import Type, ARGON2_VERSION
+    Parameters(Type.ID, ARGON2_VERSION, salt_len, hash_len, 1, 1, 1)  # Noncompliant
+
+    Parameters(Type.D, ARGON2_VERSION, salt_len, hash_len, smth, smth, smth)  # Noncompliant {{Use Argon2ID to improve the security of the passwords.}}
+    #          ^^^^^^
+    Parameters(Type.I, ARGON2_VERSION, salt_len, hash_len, smth, smth, smth)  # Noncompliant
+    Parameters(Type.ID, ARGON2_VERSION, salt_len, hash_len, smth, smth, smth)
+
+    Parameters(Type.ID, 18, salt_len, hash_len, smth, smth, smth)  # Noncompliant {{Use the latest version of Argon2 ID.}}
+    #                   ^^
+    Parameters(Type.ID, 20, salt_len, hash_len, smth, smth, smth)  # Noncompliant
+    Parameters(Type.ID, 19, salt_len, hash_len, smth, smth, smth)
+    Parameters(Type.ID, ARGON2_VERSION, salt_len, hash_len, smth, smth, smth)
 
     from argon2.low_level import hash_secret, hash_secret_raw
     hash_secret(  # Noncompliant
