Swift: Add CryptoSwift sinks in swift/weak-sensitive-data-hashing

[geoffw0]

This was fairly straightforward now that we have CSV sinks in the query. I think it's quite a big win for the coverage of this query.

[geoffw0]

I think the QLDoc check warnings are wrong (due to lacking support for modules):

Warning: Missing QLdoc for classless-predicate WeakSensitiveDataHashingQuery::WeakHashingConfig::isBarrierIn/1
Warning: Missing QLdoc for classless-predicate WeakSensitiveDataHashingQuery::WeakHashingConfig::isBarrierOut/1

[MathiasVP]

LGTM! Remembering the amount of trouble the Ruby team had when they started to raise alerts on uses of md5: Should we maybe run this on MRVA before we merge this and have a quick look at the results? (IIRC, the Ruby query didn't have a concept of "sensitive data", so we're in a bit of a better position than they are with the query).

[geoffw0]

Yes, I believe the issue was that it was flagging more-or-less any use of MD5 with the idea that the algorithm is insecure - but in practice it is widely used for non-cryptographic purposes. The restriction to sensitive data should exclude the vast majority of such non-cryptographic uses.

Also note that we already flag the Insecure.MD5 CryptoKit implementation, this change only extends coverage to CryptoSwift's MD5 as well.

Nevertheless I will do a MRVA run later today out of an abundance of caution.

[geoffw0]

In the top 1000 MRVA projects (actually 808 projects) I found 4 new results, all in one project. Two cases in a function hashing a password + salt with .sha1 by default (configurable by parameter). Two cases in a function hashing a password only with .sha256 by default (which is OK, but configurable with .sha1 and .md5 available options). I'm very happy with the first two result and happy enough with the second two, as they appear to be an incident waiting to happen. There is definitely not an issue of noisy results here.