Modify rule S4790: Add Dart language

rules/S4790/dart/metadata.json

@@ -0,0 +1,32 @@
+{
+  "securityStandards": {
+    "CWE": [
+      1240
+    ],
+    "OWASP": [
+      "A3",
+      "A6"
+    ],
+    "OWASP Mobile": [
+      "M5"
+    ],
+    "OWASP Mobile Top 10 2024": [
+      "M10"
+    ],
+    "MASVS": [
+      "MSTG-CRYPTO-4"
+    ],
+    "OWASP Top 10 2021": [
+      "A2"
+    ],
+    "PCI DSS 3.2": [
+      "3.4",
+      "6.5.3",
+      "6.5.4"
+    ],
+    "PCI DSS 4.0": [
+      "6.2.4"
+    ]
+  },
+  "quickfix": "unknown"
+}

rules/S4790/dart/rule.adoc

@@ -0,0 +1,85 @@
+include::../description.adoc[]
+
+include::../ask-yourself.adoc[]
+
+include::../recommended.adoc[]
+
+== Sensitive Code Example
+
+https://pub.dev/packages/crypto[crypto package]:
+
+[source,dart,diff-id=1,diff-type=noncompliant]
+----
+import 'package:crypto/crypto.dart';
+
+final digest = sha1.convert(input).bytes; // Sensitive
+----
+
+https://pub.dev/packages/pointycastle[pointycastle package]:
+
+[source,dart,diff-id=2,diff-type=noncompliant]
+----
+import 'package:pointycastle/export.dart';
+
+final digest = Digest('SHA-1'); // Sensitive
+----
+
+https://pub.dev/packages/cryptography[cryptography package]:
+
+[source,dart,diff-id=3,diff-type=noncompliant]
+----
+import 'package:cryptography/cryptography.dart';
+
+final digest = Sha1(); // Sensitive
+----
+
+== Compliant Solution
+
+https://pub.dev/packages/crypto[crypto package]:
+
+[source,dart,diff-id=1,diff-type=compliant]
+----
+import 'package:crypto/crypto.dart';
+
+final digest = sha256.convert(input).bytes; // Compliant
+----
+
+https://pub.dev/packages/pointycastle[pointycastle package]:
+
+[source,dart,diff-id=2,diff-type=compliant]
+----
+import 'package:pointycastle/export.dart';
+
+final digest = Digest('SHA-256'); // Compliant
+----
+
+https://pub.dev/packages/cryptography[cryptography package]:
+
+[source,dart,diff-id=3,diff-type=compliant]
+----
+import 'package:cryptography/cryptography.dart';
+
+final digest = Sha256(); // Compliant
+----
+
+include::../see.adoc[]
+
+ifdef::env-github,rspecator-view[]
+
+'''
+== Implementation Specification
+(visible only on this page)
+
+include::../message.adoc[]
+
+=== Highlighting
+
+The constant or constructor invocation (e.g. `sha1` in `sha1.convert(...)` and `Digest('SHA-1')` in `final digest1 = Digest('SHA-1')`). 
+
+'''
+== Comments And Links
+(visible only on this page)
+
+include::../comments-and-links.adoc[]
+
+endif::env-github,rspecator-view[]

rules/S4790/description.adoc

@@ -1 +1,3 @@
-Cryptographic hash algorithms such as ``++MD2++``, ``++MD4++``, ``++MD5++``, ``++MD6++``, ``++HAVAL-128++``, ``++HMAC-MD5++``, ``++DSA++`` (which uses ``++SHA-1++``), ``++RIPEMD++``, ``++RIPEMD-128++``, ``++RIPEMD-160++``, ``++HMACRIPEMD160++`` and ``++SHA-1++`` are no longer considered secure, because it is possible to have ``++collisions++`` (little computational effort is enough to find two or more different inputs that produce the same hash).
+Cryptographic hash algorithms such as ``++MD2++``, ``++MD4++``, ``++MD5++``, ``++MD6++``, ``++HAVAL-128++``,  ``++DSA++`` (which uses ``++SHA-1++``), ``++RIPEMD++``, ``++RIPEMD-128++``, ``++RIPEMD-160++``and ``++SHA-1++`` are no longer considered secure, because it is possible to have ``++collisions++`` (little computational effort is enough to find two or more different inputs that produce the same hash).
+
+Message authentication code (MAC) algorithms such as ``++HMAC-MD5++`` or ``++HMAC-SHA1++`` use weak hash functions as building blocks. Although they are not all proven to be weak, they are considered legacy algorithms and should be avoided.