I am reaching out to you as we conducted an empirical study to understand the nature of cryptographic misuses in enterprise-driven projects on GitHub. During our study, we randomly inspected a few of the misuses. One of the misuses for which we could confirm the finding of the analysis, CogniCryptSAST, is one in your project:

• PluggableParameterOperatorDigest uses MD5 as a parameter to java.security.MessageDigest. By now, it is possible to have collisions with MD5 and are not considered secure any longer. Therefore, one should not use MD5 anymore in a security context like password storage, token generation, or computation integrity. This misuse is also considered problematic by industry tools like SonarSource.

We hope that this information helps you and to hear back from you