Optional warning for crypto API misuse detection

[fraxken]

Implement a new optional warning and probe to detect usage of Node.js crypto APIs that could lead to security vulnerabilities, particularly around incorrect hash generation and weak cryptographic practices.

Proposed approach:

Add detection for potentially insecure usage of the following crypto methods:

Password hashing functions:

• crypto.argon2()
• crypto.bcrypt()
• crypto.scrypt()
• crypto.pbkdf2() / crypto.pbkdf2Sync()

Insecure random generation:

• Math.random() used for security-sensitive operations (instead of crypto.randomBytes())

Note: This list should be expanded by reviewing the Node.js crypto documentation to ensure comprehensive coverage.

Examples:

// Should trigger warning - insufficient iterations for pbkdf2
crypto.pbkdf2(password, salt, 1000, 64, 'sha512', callback);

// Should trigger warning - insecure random for tokens
const token = Math.random().toString(36);

// Should NOT trigger warning - proper usage
crypto.scrypt(password, salt, 64, (err, derivedKey) => {
  // proper implementation
});

Detection criteria:

The probe should identify:

1. Insufficient iteration counts for key derivation functions
2. Missing or weak salt generation
3. Use of non-cryptographic random functions for security contexts

Expected behavior:

Emit warnings with severity levels:

• Warning Weak parameters (low iteration counts)
• Information Potential misuse requiring manual review