Skip to content

Fix DS126858 false positive on --nomd5 and similar disable flags #722

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
Copilot wants to merge 3 commits into
base: main
Choose a base branch
from
Draft

Fix DS126858 false positive on --nomd5 and similar disable flags #722

Copilot wants to merge 3 commits into from
+10 −6

Conversation

Copy link
Contributor

Copilot AI commented Feb 4, 2026
edited
Loading

Rule DS126858 (Weak/Broken Hash Algorithm) was flagging cases where MD5 is explicitly disabled, e.g. makeself --sha256 --nomd5.

Changes

  • Updated regex pattern to use negative lookbehind assertions that exclude MD5 when preceded by disable patterns:
    • \bno (matches nomd5, --nomd5)
    • \bno- (matches no-md5)
    • \bno_ (matches no_md5)
    • \bdisable_ (matches disable_md5_check)
  • Added corresponding must-not-match test cases

Pattern

# Before
(MD2|MD4|MD5|RIPEMD|...)

# After  
(?<!\bno)(?<!\bno-)(?<!\bno_)(?<!\bdisable_)(MD2|MD4|MD5|RIPEMD|...)

The word boundaries ensure edge cases like xnomd5 are still flagged while legitimate disable flags are excluded.

Original prompt

This section details on the original issue you should resolve

<issue_title>[False Positive] DS126858 flagging --nomd5</issue_title>
<issue_description>## DS126858

What the rule matched

makeself --sha256 --nomd5

Why should this not be matched?

makeself uses md5 checksums as a basic verification mechanism, I am trying to change it to a sha256 checksum. From the makeself documentation:

--sha256 : Adds a SHA256 checksum for the archive. This is in addition to the MD5 / CRC checksums unless --nomd5 is also used.

https://github.com/megastep/makeself</issue_description>

<agent_instructions>Try to improve the md5 rule to be less broad. It seems like it probably shouldn't capture this 'nomd5' case.</agent_instructions>

Comments on the Issue (you are @copilot in this section)

@gfs Thanks for your report. I'll take another look at the md5 rule and see if I can narrow it down a bit.

💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.

Copilot AI assigned Copilot and gfs Feb 4, 2026
Copilot AI changed the title [WIP] Fix false positive on DS126858 with --nomd5 Fix DS126858 false positive on --nomd5 and similar disable flags Feb 4, 2026
Copilot AI requested a review from gfs February 4, 2026 23:23
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@gfs gfs Awaiting requested review from gfs

At least 1 approving review is required to merge this pull request.

Assignees

@gfs gfs

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[False Positive] DS126858 flagging --nomd5

2 participants

@gfs