'Jarvis' brings AI to the Linux command line, without Iron Man

Frumious Bandersnatch

For example, if a developer defined MD5 as a hash ...

... DevSkim would show a pop-up telling the user they're making a critical error

Maybe, maybe not. What if I'm aware of its shortcomings and decide that it doesn't matter in my case. For example, I could be using it in a program to de-dupe a filesystem, but I know that before hard-linking files together I'm going to do a bit-for-bit compare on them because I'm paranoid about accidental hash collisions and my own programming errors.

Right now, I wouldn't be too concerned about using MD5 in an HMAC (hash-based message authentication code) implementation. The Wikipedia page here states "attacks on HMAC-MD5 do not seem to indicate a practical vulnerability when used as a message authentication code." Likewise, I wouldn't be too concerned about using it in a Merkle tree implementation where hash collisions are only advisory (like the file de-dupe example above) or I have other explicit measures that prevent pre-image (or whatever) attacks.
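The de-dupe pattern the comment describes, written out as an added example (this is not the commenter's code, and not part of the article or of DevSkim): MD5 is used only to find candidate duplicates, and a bit-for-bit compare decides before anything is hard-linked. The sample files are constructed inline, and `LengthHash` is a deliberately colliding stand-in hash (digest = file length) used to show that the compare step rejects same-digest-but-different-bytes pairs; both are assumptions of the example, not anything from the page.

```python
"""Hash-then-verify file de-duplication.

The digest only proposes candidates; a byte-for-byte comparison confirms them.
A hash collision (or a bug in the hashing code) can therefore never cause two
different files to be linked together.
"""
import hashlib
import os
import tempfile
from collections import defaultdict

CHUNK = 1 << 16  # read files in 64 KiB pieces so large files are not loaded whole


class LengthHash:
    """Constructed stand-in for a badly colliding hash: the digest is just the
    byte count, so every pair of same-sized files collides. Used only to show
    that the compare step catches collisions; not a real hash."""

    def __init__(self):
        self._n = 0

    def update(self, data: bytes) -> None:
        self._n += len(data)

    def hexdigest(self) -> str:
        return f"{self._n:x}"


def file_digest(path: str, hasher=hashlib.md5) -> str:
    """Stream a file through `hasher` (any object with update/hexdigest)."""
    h = hasher()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def same_bytes(a: str, b: str) -> bool:
    """Bit-for-bit compare; size check first so a cheap mismatch short-circuits."""
    if os.path.getsize(a) != os.path.getsize(b):
        return False
    with open(a, "rb") as fa, open(b, "rb") as fb:
        while True:
            ca, cb = fa.read(CHUNK), fb.read(CHUNK)
            if ca != cb:
                return False
            if not ca:  # both at EOF with every chunk equal
                return True


def find_duplicates(paths, hasher=hashlib.md5):
    """Return (confirmed_groups, rejected_pairs).

    confirmed_groups: lists of paths whose digests match AND whose bytes match.
    rejected_pairs:   (a, b) pairs with equal digest but different bytes, i.e.
                      collisions that the compare step refused to merge.
    """
    by_digest = defaultdict(list)
    for p in paths:
        by_digest[file_digest(p, hasher)].append(p)

    confirmed, rejected = [], []
    for group in by_digest.values():
        # Split each digest group into buckets of truly identical content.
        buckets = []
        for p in group:
            for bucket in buckets:
                if same_bytes(bucket[0], p):
                    bucket.append(p)
                    break
            else:
                buckets.append([p])
        confirmed.extend(b for b in buckets if len(b) > 1)
        for i in range(len(buckets)):
            for j in range(i + 1, len(buckets)):
                rejected.append((buckets[i][0], buckets[j][0]))
    return confirmed, rejected


def hardlink_duplicates(groups) -> int:
    """Replace each confirmed duplicate with a hard link to the group's first
    file. Link to a temp name then os.replace() so the swap is atomic."""
    linked = 0
    for group in groups:
        keep = group[0]
        for other in group[1:]:
            if os.path.samefile(keep, other):  # already the same inode
                continue
            tmp = other + ".dedupe-tmp"
            os.link(keep, tmp)
            os.replace(tmp, other)
            linked += 1
    return linked


def demo() -> dict:
    """Constructed sample: four small files, scanned with MD5 and with the
    colliding LengthHash, then the MD5-confirmed duplicates are hard-linked."""
    with tempfile.TemporaryDirectory() as d:
        contents = {"a.txt": b"hello world\n", "b.txt": b"hello world\n",
                    "c.txt": b"hello earth\n", "d.txt": b"short\n"}
        paths = []
        for name, data in contents.items():
            p = os.path.join(d, name)
            with open(p, "wb") as f:
                f.write(data)
            paths.append(p)
        base = os.path.basename
        md5_groups, md5_rejected = find_duplicates(paths)
        weak_groups, weak_rejected = find_duplicates(paths, LengthHash)
        linked = hardlink_duplicates(md5_groups)
        return {
            "md5_groups": [[base(p) for p in g] for g in md5_groups],
            "md5_rejected": [(base(a), base(b)) for a, b in md5_rejected],
            "weak_groups": [[base(p) for p in g] for g in weak_groups],
            "weak_rejected": [(base(a), base(b)) for a, b in weak_rejected],
            "linked": linked,
            "nlink_a": os.stat(paths[0]).st_nlink,
            "a_is_b": os.path.samefile(paths[0], paths[1]),
        }


if __name__ == "__main__":
    print(demo())
```

With the real MD5, a.txt and b.txt are the only confirmed pair and nothing is rejected; with `LengthHash`, a.txt, b.txt and c.txt all share a digest, but c.txt is split off by `same_bytes` and reported as a rejected pair rather than linked. Because the digest is only ever advisory here, swapping MD5 for a stronger hash changes performance, not correctness.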
