Add Security Rules for Cryptography and Authentication in Java Applications

[ESS-ENN]

Summary by CodeRabbit

• New Features

  • Introduced new security rules for Blowfish and AES encryption algorithms to enhance security checks in Java applications.
  • Added a rule to identify hard-coded passwords in the JedisFactory class.

• Bug Fixes

  • Implemented tests to validate key sizes for Blowfish encryption, ensuring compliance with security standards.
  • Created test cases for proper password management in the JedisFactory.

• Tests

  • Added comprehensive test configurations for Blowfish, JedisFactory, and AES encryption usages, covering valid and invalid scenarios.

[coderabbitai]

Walkthrough

This pull request introduces three new security rules for Java applications, focusing on cryptographic and authentication practices. The rules address potential vulnerabilities in encryption key sizes (Blowfish), default AES encryption settings, and hard-coded passwords in the Jedis library. Each rule is accompanied by corresponding test cases that validate both correct and incorrect usage scenarios. The changes aim to enhance security checks by identifying insecure coding practices related to cryptographic implementations and credential management.

Changes

File	Change Summary
rules/java/security/blowfish-insufficient-key-size-java.yml	New security rule to detect Blowfish encryption with key sizes less than 128 bits
rules/java/security/jedis-jedisfactory-hardcoded-password-java.yml	New rule to identify hard-coded passwords in JedisFactory
rules/java/security/use-of-default-aes-java.yml	New rule warning against using default AES encryption without specific settings
tests/java/*-test.yml	Added corresponding test configurations for each new security rule
tests/__snapshots__/*-snapshot.yml	Created snapshot files for testing various scenarios

Sequence Diagram

sequenceDiagram
    participant Dev as Developer
    participant Rule as Security Rule
    participant Code as Java Code
    
    Dev->>Code: Writes Java encryption code
    Code->>Rule: Triggers rule check
    alt Insecure Key Size
        Rule-->>Dev: Warns about insufficient Blowfish key size
    end
    alt Unsafe AES Default
        Rule-->>Dev: Suggests more secure AES configuration
    end
    alt Hardcoded Password
        Rule-->>Dev: Alerts about security risk in credentials
    end

Loading

Possibly related PRs

• One java and one rust rule #13: Complementary rule for AES encryption security
• Two Java rules 10Oct2024 #16: Similar security rule for Jedis library
• Rules - One go and one java rule - 11Oct2024 #18: Related Blowfish encryption rule
• Rules - One php and one java rule #20: Rule for hard-coded secrets in Java
• Add security rules for cookie settings and XML processing in YAML config #66: Cookie security flag rule
• Add security rules for cookie handling in Java applications #67: Additional cookie security rule

Suggested reviewers

• rohit121

Poem

🐰 Cryptic Rabbit's Security Dance

Bits and keys, a careful glance,
Blowfish whispers, "128 or flee!"
AES defaults? Not for me!
Passwords hidden, no longer free,
Security hops with jubilee! 🔐

---

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR. (Beta)
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 5

🧹 Nitpick comments (8)

rules/java/security/jedis-jedisfactory-hardcoded-password-java.yml (2)

15-186: Optimize pattern matching structure

The patterns have significant duplication in their structure. Consider refactoring to use shared pattern definitions.

1. Extract common method invocation pattern
2. Extract common variable declaration pattern
3. Use pattern references to compose final rules
   Example structure:

utils:
  COMMON_PASSWORD_METHOD:
    kind: method_invocation
    all:
      - has:
          kind: identifier
          pattern: $R
      - has:
          kind: identifier
          regex: '^setPassword$'
  # ... more shared patterns

🧰 Tools

🪛 yamllint (1.35.1)

[warning] 22-22: wrong indentation: expected 22 but found 20

(indentation)

---

[warning] 31-31: wrong indentation: expected 26 but found 28

(indentation)

---

[warning] 38-38: wrong indentation: expected 18 but found 16

(indentation)

---

[warning] 54-54: wrong indentation: expected 36 but found 38

(indentation)

---

[warning] 60-60: wrong indentation: expected 22 but found 20

(indentation)

---

[warning] 82-82: wrong indentation: expected 22 but found 20

(indentation)

---

[warning] 91-91: wrong indentation: expected 26 but found 28

(indentation)

---

[warning] 97-97: wrong indentation: expected 18 but found 16

(indentation)

---

[warning] 100-100: wrong indentation: expected 20 but found 18

(indentation)

---

[warning] 101-101: wrong indentation: expected 24 but found 22

(indentation)

---

[warning] 104-104: wrong indentation: expected 26 but found 28

(indentation)

---

[warning] 105-105: wrong indentation: expected 34 but found 32

(indentation)

---

[warning] 108-108: wrong indentation: expected 36 but found 38

(indentation)

---

[warning] 109-109: wrong indentation: expected 44 but found 46

(indentation)

---

[warning] 113-113: wrong indentation: expected 44 but found 46

(indentation)

---

[warning] 117-117: wrong indentation: expected 34 but found 36

(indentation)

---

[warning] 121-121: wrong indentation: expected 24 but found 26

(indentation)

---

[warning] 124-124: wrong indentation: expected 30 but found 32

(indentation)

---

[warning] 131-131: wrong indentation: expected 22 but found 20

(indentation)

---

[warning] 134-134: wrong indentation: expected 24 but found 28

(indentation)

---

[error] 141-141: trailing spaces

(trailing-spaces)

---

[warning] 149-149: wrong indentation: expected 22 but found 20

(indentation)

---

[warning] 158-158: wrong indentation: expected 26 but found 28

(indentation)

---

[warning] 164-164: wrong indentation: expected 18 but found 16

(indentation)

---

[warning] 167-167: wrong indentation: expected 20 but found 22

(indentation)

---

[warning] 168-168: wrong indentation: expected 28 but found 30

(indentation)

---

[warning] 171-171: wrong indentation: expected 34 but found 36

(indentation)

---

[warning] 172-172: wrong indentation: expected 42 but found 44

(indentation)

---

[warning] 176-176: wrong indentation: expected 42 but found 44

(indentation)

---

[warning] 180-180: wrong indentation: expected 28 but found 30

(indentation)

---

[warning] 183-183: wrong indentation: expected 34 but found 36

(indentation)

---

322-324: Consider additional password constraints

The current constraint only checks for empty strings. Consider adding checks for:

1. Common default passwords
2. Short passwords
3. Simple patterns

constraints:
  E:
    not:
      any:
        - regex: ^""$
        - regex: ^(password|admin|test)$
        - regex: ^.{1,8}$

🧰 Tools

🪛 yamllint (1.35.1)

[warning] 322-322: wrong indentation: expected 4 but found 6

(indentation)

---

[warning] 323-323: wrong indentation: expected 10 but found 8

(indentation)

---

[warning] 324-324: wrong indentation: expected 12 but found 14

(indentation)

tests/java/blowfish-insufficient-key-size-java-test.yml (1)

8-23: Consider adding more edge cases for comprehensive testing.

While the current invalid test cases cover basic scenarios, consider adding:

• Upper bound tests (e.g., 127-bit keys)
• Common weak key sizes (e.g., 32-bit, 56-bit)
• More malformed inputs (e.g., null, empty string)

rules/java/security/blowfish-insufficient-key-size-java.yml (1)

9-10: Consider adding more security references.

While the OWASP Top 10 reference is valuable, consider adding:

• NIST recommendations for key sizes
• CVE examples of Blowfish vulnerabilities
• Migration guides to AES

rules/java/security/use-of-default-aes-java.yml (2)

1-15: LGTM! Consider adding NIST reference for completeness.

The rule configuration is well-structured with clear messaging and relevant references. Consider adding NIST SP 800-38A reference which specifically discusses block cipher modes of operation.

Add this reference to strengthen the documentation:

   [REFERENCES]
       - https://owasp.org/Top10/A02_2021-Cryptographic_Failures
       - https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html
+      - https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38a.pdf

---

16-95: LGTM! Consider adding pattern for string concatenation.

The pattern matching is comprehensive, covering various ways of instantiating AES cipher. However, it might miss cases where the string "AES" is constructed through concatenation.

Consider adding this pattern to catch string concatenation:

   rule:
     any:
+      - pattern: Cipher.getInstance("A" + "ES")
+        inside:
+          stopBy: end
+          kind: class_declaration
+          follows:
+            stopBy: end
+            kind: import_declaration
+            any:
+              - pattern: import javax.*;
+              - pattern: import javax;
+              - pattern: import javax.crypto.*;
       - pattern: Cipher.getInstance("AES")

tests/__snapshots__/use-of-default-aes-java-snapshot.yml (1)

1-125: Consider adding negative test cases and edge cases.

The test snapshots comprehensively cover valid patterns, but could benefit from additional cases to ensure the rule doesn't produce false positives.

Consider adding these test cases:

1. Negative cases (shouldn't match):

  ? |
    import javax.crypto.*;
    class AES {
      public void safeAES() {
        Cipher.getInstance("AES/CBC/PKCS5Padding");
      }
    }
  : labels: []

2. String concatenation case (should match):

  ? |
    import javax.crypto.*;
    class AES {
      public void unsafeAES() {
        Cipher.getInstance("A" + "ES");
      }
    }
  : labels:
    - source: Cipher.getInstance("A" + "ES")
      style: primary

tests/__snapshots__/blowfish-insufficient-key-size-java-snapshot.yml (1)

1-164: Consider adding boundary test cases and variable key sizes.

While the current test cases cover basic scenarios, adding boundary cases and variable key sizes would improve coverage.

Consider adding these test cases:

1. Boundary case (128 bits):

  ? |
    public void safeKeySize() {
      KeyGenerator keyGen = KeyGenerator.getInstance("Blowfish");
      keyGen.init(128);
    }
  : labels: []

2. Variable key size:

  ? |
    public void variableKeySize() {
      KeyGenerator keyGen = KeyGenerator.getInstance("Blowfish");
      int keySize = 64;
      keyGen.init(keySize);
    }
  : labels:
    - source: keyGen.init(keySize)
      style: primary

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between c72b9cc and f4d729b.

📒 Files selected for processing (9)

• rules/java/security/blowfish-insufficient-key-size-java.yml (1 hunks)
• rules/java/security/jedis-jedisfactory-hardcoded-password-java.yml (1 hunks)
• rules/java/security/use-of-default-aes-java.yml (1 hunks)
• tests/__snapshots__/blowfish-insufficient-key-size-java-snapshot.yml (1 hunks)
• tests/__snapshots__/jedis-jedisfactory-hardcoded-password-java-snapshot.yml (1 hunks)
• tests/__snapshots__/use-of-default-aes-java-snapshot.yml (1 hunks)
• tests/java/blowfish-insufficient-key-size-java-test.yml (1 hunks)
• tests/java/jedis-jedisfactory-hardcoded-password-java-test.yml (1 hunks)
• tests/java/use-of-default-aes-java-test.yml (1 hunks)

🧰 Additional context used

🪛 yamllint (1.35.1)

tests/java/use-of-default-aes-java-test.yml

[error] 9-9: trailing spaces

(trailing-spaces)

---

[error] 24-24: trailing spaces

(trailing-spaces)

---

[error] 40-40: trailing spaces

(trailing-spaces)

rules/java/security/jedis-jedisfactory-hardcoded-password-java.yml

[warning] 22-22: wrong indentation: expected 22 but found 20

(indentation)

---

[warning] 31-31: wrong indentation: expected 26 but found 28

(indentation)

---

[warning] 38-38: wrong indentation: expected 18 but found 16

(indentation)

---

[warning] 54-54: wrong indentation: expected 36 but found 38

(indentation)

---

[warning] 60-60: wrong indentation: expected 22 but found 20

(indentation)

---

[warning] 82-82: wrong indentation: expected 22 but found 20

(indentation)

---

[warning] 91-91: wrong indentation: expected 26 but found 28

(indentation)

---

[warning] 97-97: wrong indentation: expected 18 but found 16

(indentation)

---

[warning] 100-100: wrong indentation: expected 20 but found 18

(indentation)

---

[warning] 101-101: wrong indentation: expected 24 but found 22

(indentation)

---

[warning] 104-104: wrong indentation: expected 26 but found 28

(indentation)

---

[warning] 105-105: wrong indentation: expected 34 but found 32

(indentation)

---

[warning] 108-108: wrong indentation: expected 36 but found 38

(indentation)

---

[warning] 109-109: wrong indentation: expected 44 but found 46

(indentation)

---

[warning] 113-113: wrong indentation: expected 44 but found 46

(indentation)

---

[warning] 117-117: wrong indentation: expected 34 but found 36

(indentation)

---

[warning] 121-121: wrong indentation: expected 24 but found 26

(indentation)

---

[warning] 124-124: wrong indentation: expected 30 but found 32

(indentation)

---

[warning] 131-131: wrong indentation: expected 22 but found 20

(indentation)

---

[warning] 134-134: wrong indentation: expected 24 but found 28

(indentation)

---

[error] 141-141: trailing spaces

(trailing-spaces)

---

[warning] 149-149: wrong indentation: expected 22 but found 20

(indentation)

---

[warning] 158-158: wrong indentation: expected 26 but found 28

(indentation)

---

[warning] 164-164: wrong indentation: expected 18 but found 16

(indentation)

---

[warning] 167-167: wrong indentation: expected 20 but found 22

(indentation)

---

[warning] 168-168: wrong indentation: expected 28 but found 30

(indentation)

---

[warning] 171-171: wrong indentation: expected 34 but found 36

(indentation)

---

[warning] 172-172: wrong indentation: expected 42 but found 44

(indentation)

---

[warning] 176-176: wrong indentation: expected 42 but found 44

(indentation)

---

[warning] 180-180: wrong indentation: expected 28 but found 30

(indentation)

---

[warning] 183-183: wrong indentation: expected 34 but found 36

(indentation)

---

[warning] 188-188: wrong indentation: expected 8 but found 7

(indentation)

---

[warning] 190-190: wrong indentation: expected 11 but found 12

(indentation)

---

[warning] 194-194: wrong indentation: expected 22 but found 20

(indentation)

---

[warning] 203-203: wrong indentation: expected 26 but found 28

(indentation)

---

[warning] 209-209: wrong indentation: expected 18 but found 20

(indentation)

---

[warning] 213-213: wrong indentation: expected 30 but found 29

(indentation)

---

[warning] 216-216: wrong indentation: expected 33 but found 30

(indentation)

---

[warning] 221-221: wrong indentation: expected 46 but found 44

(indentation)

---

[warning] 225-225: wrong indentation: expected 46 but found 44

(indentation)

---

[warning] 229-229: wrong indentation: expected 36 but found 38

(indentation)

---

[warning] 233-233: wrong indentation: expected 36 but found 33

(indentation)

---

[warning] 237-237: wrong indentation: expected 30 but found 32

(indentation)

---

[warning] 240-240: wrong indentation: expected 36 but found 38

(indentation)

---

[warning] 251-251: wrong indentation: expected 22 but found 20

(indentation)

---

[warning] 260-260: wrong indentation: expected 26 but found 28

(indentation)

---

[warning] 266-266: wrong indentation: expected 18 but found 16

(indentation)

---

[warning] 282-282: wrong indentation: expected 36 but found 38

(indentation)

---

[warning] 288-288: wrong indentation: expected 22 but found 20

(indentation)

---

[warning] 303-303: wrong indentation: expected 18 but found 20

(indentation)

---

[warning] 306-306: wrong indentation: expected 24 but found 22

(indentation)

---

[warning] 307-307: wrong indentation: expected 28 but found 30

(indentation)

---

[warning] 311-311: wrong indentation: expected 28 but found 30

(indentation)

---

[warning] 322-322: wrong indentation: expected 4 but found 6

(indentation)

---

[warning] 323-323: wrong indentation: expected 10 but found 8

(indentation)

---

[warning] 324-324: wrong indentation: expected 12 but found 14

(indentation)

---

[warning] 327-327: too many blank lines

(3 > 0) (empty-lines)

rules/java/security/blowfish-insufficient-key-size-java.yml

[warning] 15-15: wrong indentation: expected 12 but found 9

(indentation)

---

[warning] 16-16: wrong indentation: expected 15 but found 12

(indentation)

---

[warning] 30-30: wrong indentation: expected 26 but found 24

(indentation)

---

[warning] 32-32: wrong indentation: expected 28 but found 30

(indentation)

---

[warning] 37-37: wrong indentation: expected 15 but found 14

(indentation)

---

[error] 39-39: trailing spaces

(trailing-spaces)

---

[warning] 40-40: wrong indentation: expected 18 but found 16

(indentation)

---

[warning] 55-55: wrong indentation: expected 30 but found 28

(indentation)

🔇 Additional comments (5)

rules/java/security/jedis-jedisfactory-hardcoded-password-java.yml (1)

4-9: LGTM: Clear and informative security message

The warning message effectively communicates the security risk and provides actionable mitigation strategies.

tests/__snapshots__/jedis-jedisfactory-hardcoded-password-java-snapshot.yml (1)

1-404: LGTM: Snapshot correctly captures test patterns

The snapshot file accurately reflects the test cases and their matching patterns.

tests/java/blowfish-insufficient-key-size-java-test.yml (1)

1-7: LGTM! Valid test case properly validates secure key size.

The test correctly validates the use of 128-bit keys for Blowfish encryption, which aligns with security best practices.

tests/java/use-of-default-aes-java-test.yml (1)

2-5: LGTM! Valid cases correctly allow KeyGenerator instantiation.

The test properly validates the KeyGenerator usage while focusing on Cipher instantiation issues.

rules/java/security/blowfish-insufficient-key-size-java.yml (1)

1-8: LGTM! Well-documented security rule with appropriate severity.

The rule correctly identifies insufficient key sizes for Blowfish with proper security context and CWE reference.

[CLAassistant]

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.

---

Sakshis seems not to be a GitHub user. You need a GitHub account to be able to sign the CLA. If you have already a GitHub account, please add the email address used for this commit to your account.
_{You have signed the CLA already but the status is still pending? Let us recheck it.}