Fix code scanning alert - Use of a broken or risky cryptographic algorithm - HMacSHA1 #650

Open
1 task
kwwall opened this issue Jan 10, 2022 · 2 comments

kwwall commented Jan 10, 2022

This is a false positive. SHA-1 is a risky algorithm, but not when it is used as an HMac. Need to report this to GitHub. Nothing to fix here, but recording an issue so I (@kwwall) remember to report it against the code scanning software.

Tracking issue for:

@kwwall kwwall self-assigned this Jan 10, 2022

kwwall commented Sep 9, 2023

These references, which Anna-Katharina Wickert dug up after I mentioned a paper by Bellare, Canetti & Krawczyk, are a subsequent (and stronger) proof that HMAC-SHA1 is still secure as long as the compression function hash (in this case SHA1) acts as a pseudo-random function, which it does:

  1. https://eprint.iacr.org/2006/043
  2. https://link.springer.com/chapter/10.1007/11818175_36

There are a lot of downsides to "fixing" this. Needs a bit further study since NIST still recommends ditching it, but I speculate that may have to do with Grover's quantum search algorithm in a PQC world.

However, as a result of these 2 papers (I only read their abstracts), I marked this CodeQL issue as a false positive and left a comment with the reference to these 2 Bellare papers.
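
As an added illustration (not part of the issue thread and not ESAPI code), this Python sketch builds HMAC-SHA1 by hand as defined in RFC 2104 to show the keyed, nested use of SHA-1 that the comment above refers to, and checks it against the published RFC 2202 test vectors. The function names `hmac_sha1`, `verify_tag` and `vectors_pass` are hypothetical.

```python
import hashlib
import hmac

BLOCK_SIZE = 64  # SHA-1 processes input in 64-byte blocks


def hmac_sha1(key: bytes, message: bytes) -> bytes:
    """HMAC as defined in RFC 2104, built by hand over SHA-1."""
    if len(key) > BLOCK_SIZE:
        key = hashlib.sha1(key).digest()   # over-long keys are hashed first
    key = key.ljust(BLOCK_SIZE, b"\x00")   # then zero-padded to one block
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    # Both hash invocations begin with a block derived from the secret key,
    # so SHA-1 is used here as a keyed function, not as a public
    # collision-resistant hash over attacker-known input.
    inner = hashlib.sha1(ipad + message).digest()
    return hashlib.sha1(opad + inner).digest()


def verify_tag(key: bytes, message: bytes, tag: bytes) -> bool:
    """Recompute the tag and compare in constant time."""
    return hmac.compare_digest(hmac_sha1(key, message), tag)


# Published HMAC-SHA1 test vectors from RFC 2202 (test cases 1 and 2)
RFC2202_VECTORS = [
    (b"\x0b" * 20, b"Hi There",
     "b617318655057264e28bc0b6fb378c8ef146be00"),
    (b"Jefe", b"what do ya want for nothing?",
     "effcdf6ae5eb2fa2d27416d5f184df9c259a7c79"),
]


def vectors_pass() -> bool:
    """True if the hand-built HMAC matches RFC 2202 and the stdlib hmac."""
    return all(
        hmac_sha1(k, m).hex() == expected
        and hmac_sha1(k, m) == hmac.new(k, m, hashlib.sha1).digest()
        for k, m, expected in RFC2202_VECTORS
    )


if __name__ == "__main__":
    print("RFC 2202 vectors pass:", vectors_pass())
```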

kwwall commented Sep 9, 2023

@xeno6696 and @noloader - I'm leaning towards closing this and marking it as "Won't Fix" as I think it will cause more problems than it solves. (See the emails I sent to Anna.) What do you think?
