diff --git a/rules/java/security/blowfish-insufficient-key-size-java.yml b/rules/java/security/blowfish-insufficient-key-size-java.yml new file mode 100644 index 00000000..88487ad4 --- /dev/null +++ b/rules/java/security/blowfish-insufficient-key-size-java.yml @@ -0,0 +1,63 @@ +id: blowfish-insufficient-key-size-java +severity: warning +language: java +message: >- + Using less than 128 bits for Blowfish is considered insecure. Use 128 + bits or more, or switch to use AES instead. +note: >- + [CWE-326] Inadequate Encryption Strength. + [REFERENCES] + - https://owasp.org/Top10/A02_2021-Cryptographic_Failures +utils: + MATCH_PATTERN_KEYGENERATOR: + kind: expression_statement + all: + - has: + stopBy: end + kind: method_invocation + all: + - has: + stopBy: end + kind: identifier + - has: + stopBy: neighbor + kind: identifier + regex: '\binit\b' + - has: + stopBy: end + kind: argument_list + has: + stopBy: end + any: + - kind: decimal_integer_literal + pattern: $R + - kind: decimal_floating_point_literal + pattern: $R + - follows: + stopBy: end + kind: local_variable_declaration + has: + stopBy: end + kind: method_invocation + all: + - has: + stopBy: neighbor + kind: identifier + regex: '\bKeyGenerator\b' + - has: + stopBy: neighbor + kind: identifier + regex: '\bgetInstance\b' + - has: + stopBy: neighbor + kind: argument_list + has: + stopBy: neighbor + kind: string_literal + regex: '\bBlowfish\b' +rule: + kind: expression_statement + matches: MATCH_PATTERN_KEYGENERATOR +constraints: + R: + regex: ^(?:127|1[01][0-9]|[1-9]?[0-9])(\.\d+)?$ diff --git a/rules/java/security/jedis-jedisfactory-hardcoded-password-java.yml b/rules/java/security/jedis-jedisfactory-hardcoded-password-java.yml new file mode 100644 index 00000000..9634f077 --- /dev/null +++ b/rules/java/security/jedis-jedisfactory-hardcoded-password-java.yml 
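Review bot: The receiver of the `init` call is never tied to the variable declared with `KeyGenerator.getInstance("Blowfish")`: the first `has: kind: identifier` under `method_invocation` carries no `pattern`, and the `follows` clause with `stopBy: end` accepts any earlier `local_variable_declaration` in scope, so `other.init(64)` on a second, non-Blowfish generator declared after a Blowfish one is reported too. Binding both sides to one metavariable, as the Jedis rule in this commit does with `$R`, removes that false positive. The `any` under `argument_list` also lists only `decimal_integer_literal` and `decimal_floating_point_literal`, so a size written as a hex literal (tree-sitter's `hex_integer_literal`, e.g. `0x40`) or passed through a named constant is not checked; the hex case would additionally need its own branch in the `R` constraint, since the current regex is decimal-only. Note that the `-64` snapshot is reported only because the bare literal `64` is what `$R` captures, which is fine but worth a one-line comment next to the constraint.
```yaml
utils:
  MATCH_PATTERN_KEYGENERATOR:
    kind: expression_statement
    all:
      - has:
          stopBy: end
          kind: method_invocation
          all:
            - has:
                stopBy: end
                kind: identifier
                pattern: $K
            # … unchanged: init / argument_list clauses …
      - follows:
          stopBy: end
          kind: local_variable_declaration
          all:
            - has:
                stopBy: end
                kind: variable_declarator
                has:
                  stopBy: neighbor
                  kind: identifier
                  pattern: $K
            - has:
                stopBy: end
                kind: method_invocation
                # … unchanged: KeyGenerator / getInstance / "Blowfish" clauses …
```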
@@ -0,0 +1,327 @@ +id: jedis-jedisfactory-hardcoded-password-java +language: java +severity: warning +message: >- + A secret is hard-coded in the application. Secrets stored in source + code, such as credentials, identifiers, and other types of sensitive data, + can be leaked and used by internal or external malicious actors. Use + environment variables to securely provide credentials and other secrets or + retrieve them from a secure vault or Hardware Security Module (HSM). +note: >- + [CWE-798] Use of Hard-coded Credentials. + [REFERENCES] + - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html +utils: + MATCH_PATTERN_JEDISFACTORY: + kind: expression_statement + all: + - has: + stopBy: neighbor + kind: method_invocation + all: + - has: + stopBy: neighbor + kind: identifier + pattern: $R + - has: + stopBy: neighbor + kind: identifier + regex: '^setPassword$' + - has: + stopBy: neighbor + kind: argument_list + has: + stopBy: neighbor + kind: string_literal + pattern: $E + - follows: + stopBy: end + kind: local_variable_declaration + all: + - has: + stopBy: neighbor + kind: type_identifier + regex: '^JedisFactory$|^jedis.ConnectionFactory$|^ConnectionFactory$' + - has: + stopBy: neighbor + kind: variable_declarator + all: + - has: + stopBy: neighbor + kind: identifier + pattern: $R + - has: + stopBy: neighbor + kind: object_creation_expression + - inside: + stopBy: end + kind: class_declaration + follows: + stopBy: end + kind: import_declaration + has: + stopBy: neighbor + kind: scoped_identifier + all: + - has: + stopBy: end + kind: identifier + regex: '^redis$' + - has: + stopBy: end + kind: identifier + regex: '^clients$' + + MATCH_PATTERN_CLIENT_JEDIS.JEDISFACTORY: + kind: expression_statement + all: + - has: + stopBy: neighbor + kind: method_invocation + all: + - has: + stopBy: neighbor + kind: identifier + pattern: $R + - has: + stopBy: neighbor + kind: identifier + regex: '^setPassword$' + - has: + stopBy: neighbor + kind: 
argument_list + has: + stopBy: neighbor + kind: string_literal + - follows: + stopBy: end + kind: local_variable_declaration + all: + - has: + stopBy: neighbor + kind: scoped_type_identifier + all: + - has: + stopBy: neighbor + kind: scoped_type_identifier + all: + - has: + stopBy: neighbor + kind: type_identifier + regex: '^clients$' + - has: + stopBy: neighbor + kind: type_identifier + regex: '^jedis$' + - has: + stopBy: neighbor + kind: type_identifier + regex: '^JedisFactory$|^ConnectionFactory$' + - has: + stopBy: end + kind: variable_declarator + has: + stopBy: neighbor + kind: identifier + pattern: $R + - inside: + stopBy: end + kind: class_declaration + follows: + stopBy: end + kind: import_declaration + all: + - has: + stopBy: end + kind: identifier + regex: '^redis$' + - has: + stopBy: end + kind: asterisk + + MATCH_PATTERN_JEDIS.JEDISFACTORY: + kind: expression_statement + all: + - has: + stopBy: neighbor + kind: method_invocation + all: + - has: + stopBy: neighbor + kind: identifier + pattern: $R + - has: + stopBy: neighbor + kind: identifier + regex: '^setPassword$' + - has: + stopBy: neighbor + kind: argument_list + has: + stopBy: neighbor + kind: string_literal + - follows: + stopBy: end + kind: local_variable_declaration + all: + - has: + stopBy: neighbor + kind: scoped_type_identifier + all: + - has: + stopBy: neighbor + kind: type_identifier + regex: '^jedis$' + - has: + stopBy: neighbor + kind: type_identifier + regex: '^JedisFactory$|^ConnectionFactory$' + - has: + stopBy: neighbor + kind: variable_declarator + has: + stopBy: neighbor + kind: identifier + pattern: $R + + MATCH_PATTERN_REDIS_CLIENT_JEDIS.JEDISFACTORY: + kind: expression_statement + all: + - has: + stopBy: neighbor + kind: method_invocation + all: + - has: + stopBy: neighbor + kind: identifier + pattern: $R + - has: + stopBy: neighbor + kind: identifier + regex: '^setPassword$' + - has: + stopBy: neighbor + kind: argument_list + has: + stopBy: neighbor + kind: string_literal + - 
follows: + stopBy: end + kind: local_variable_declaration + all: + - has: + stopBy: neighbor + kind: scoped_type_identifier + all: + - has: + stopBy: neighbor + kind: scoped_type_identifier + all: + - has: + stopBy: end + kind: type_identifier + regex: '^redis$' + - has: + stopBy: end + kind: type_identifier + regex: '^clients$' + - has: + stopBy: end + kind: type_identifier + regex: '^jedis$' + - has: + stopBy: end + kind: type_identifier + regex: '^ConnectionFactory$|^JedisFactory$' + - has: + stopBy: neighbor + kind: variable_declarator + has: + stopBy: end + kind: identifier + pattern: $R + + MATCH_PATTERN_JEDISFACTORY_WITH_INSTANCE: + kind: expression_statement + all: + - has: + stopBy: neighbor + kind: method_invocation + all: + - has: + stopBy: neighbor + kind: identifier + pattern: $R + - has: + stopBy: neighbor + kind: identifier + regex: '^setPassword$' + - has: + stopBy: neighbor + kind: argument_list + has: + stopBy: neighbor + kind: identifier + - follows: + stopBy: end + kind: local_variable_declaration + all: + - has: + stopBy: neighbor + kind: type_identifier + regex: '^JedisFactory$|^jedis.ConnectionFactory$|^ConnectionFactory$' + - has: + stopBy: neighbor + kind: variable_declarator + all: + - has: + stopBy: neighbor + kind: identifier + pattern: $R + - has: + stopBy: neighbor + kind: object_creation_expression + - inside: + stopBy: end + kind: class_declaration + follows: + stopBy: end + kind: import_declaration + has: + stopBy: neighbor + kind: scoped_identifier + all: + - has: + stopBy: end + kind: identifier + regex: '^redis$' + - has: + stopBy: end + kind: identifier + regex: '^clients$' + - follows: + stopBy: end + kind: local_variable_declaration + all: + - has: + stopBy: end + kind: identifier + pattern: $D + - has: + stopBy: end + kind: string_literal +rule: + kind: expression_statement + any: + - matches: MATCH_PATTERN_JEDISFACTORY + - matches: MATCH_PATTERN_CLIENT_JEDIS.JEDISFACTORY + - matches: MATCH_PATTERN_JEDIS.JEDISFACTORY + - 
matches: MATCH_PATTERN_REDIS_CLIENT_JEDIS.JEDISFACTORY + - matches: MATCH_PATTERN_JEDISFACTORY_WITH_INSTANCE +constraints: + E: + not: + regex: ^""$ + + + diff --git a/rules/java/security/use-of-default-aes-java.yml b/rules/java/security/use-of-default-aes-java.yml new file mode 100644 index 00000000..aefa79db --- /dev/null +++ b/rules/java/security/use-of-default-aes-java.yml 
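Review bot: In `MATCH_PATTERN_JEDISFACTORY_WITH_INSTANCE` the identifier passed to `setPassword` is not bound to `$D`, so any earlier local initialised from a string literal (a host name, a key prefix) turns `jedisFactory.setPassword(passwordFromEnv)` into a finding; the `valid` test `jedisFactory.setPassword(password);` passes only because it has no declaration or import context at all. Add `pattern: $D` to the `kind: identifier` under that pattern's `argument_list` so the flagged argument is the variable that actually holds the literal. Separately, only `MATCH_PATTERN_JEDISFACTORY` captures the literal as `$E`, so the `E: not: regex: ^""$` constraint never applies to the three scoped-type variants, which still report `setPassword("")`; adding `pattern: $E` to their `string_literal` nodes makes the empty-string exemption uniform. The `'^jedis.ConnectionFactory$'` alternative on a `type_identifier` appears to be dead, since a dotted type parses as `scoped_type_identifier` rather than `type_identifier`, and can be dropped.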
@@ -0,0 +1,95 @@ +id: use-of-default-aes-java +language: java +severity: warning +message: >- + Use of AES with no settings detected. By default, java.crypto.Cipher + uses ECB mode. ECB doesn't provide message confidentiality and is not + semantically secure so should not be used. Instead, use a strong, secure + cipher: java.crypto.Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See + https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions + for more information. +note: >- + [CWE-327] Use of a Broken or Risky Cryptographic Algorithm. + [REFERENCES] + - https://owasp.org/Top10/A02_2021-Cryptographic_Failures + - https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html +rule: + any: + - pattern: Cipher.getInstance("AES") + inside: + stopBy: end + kind: class_declaration + follows: + stopBy: end + kind: import_declaration + any: + - pattern: import javax.*; + - pattern: import javax; + - pattern: import javax.crypto.*; + - pattern: crypto.Cipher.getInstance("AES") + inside: + stopBy: end + kind: class_declaration + follows: + stopBy: end + kind: import_declaration + any: + - pattern: import javax.*; + - pattern: import javax; + - pattern: import javax.crypto.*; + - pattern: javax.crypto.Cipher.getInstance("AES") + inside: + stopBy: end + kind: class_declaration + follows: + stopBy: end + kind: import_declaration + any: + - pattern: import javax.*; + - pattern: import javax; + - pattern: import javax.crypto.*; + - pattern: $D.getInstance("AES"); + all: + - follows: + stopBy: end + pattern: Cipher $D = $$$ + - inside: + stopBy: end + kind: class_declaration + follows: + stopBy: end + kind: import_declaration + any: + - pattern: import javax.*; + - pattern: import javax; + - pattern: import javax.crypto.*; + - pattern: $D.getInstance("AES"); + all: + - follows: + stopBy: end + pattern: javax.crypto.Cipher $D = $$$ + - inside: + stopBy: end + kind: class_declaration + follows: + stopBy: end + kind: import_declaration + any: + - 
pattern: import javax.*; + - pattern: import javax; + - pattern: import javax.crypto.*; + - pattern: $D.getInstance("AES"); + all: + - follows: + stopBy: end + pattern: crypto.Cipher $D = $$$ + - inside: + stopBy: end + kind: class_declaration + follows: + stopBy: end + kind: import_declaration + any: + - pattern: import javax.*; + - pattern: import javax; + - pattern: import javax.crypto.*; diff --git a/tests/__snapshots__/blowfish-insufficient-key-size-java-snapshot.yml b/tests/__snapshots__/blowfish-insufficient-key-size-java-snapshot.yml new file mode 100644 index 00000000..7e785b52 --- /dev/null +++ b/tests/__snapshots__/blowfish-insufficient-key-size-java-snapshot.yml 
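Review bot: The import gate under every `inside` clause accepts only `import javax.*;`, `import javax;` and `import javax.crypto.*;`, so a file with the usual single-type `import javax.crypto.Cipher;` and `Cipher.getInstance("AES")` is not reported; the tests pass only because each fixture also carries `import javax.crypto.*;`. Add `- pattern: import javax.crypto.Cipher;` to each of those `any` lists (for the fully qualified `javax.crypto.Cipher.getInstance("AES")` form the import gate could be dropped altogether). In `message` the `\"` sequences sit inside a `>-` block scalar, where backslashes are literal, so the rendered text reads `\"AES/CBC/PKCS7PADDING\"`; drop the backslashes. The recommended transformation is also questionable: the JDK's standard padding name is `PKCS5Padding`, and unauthenticated CBC is a weak suggestion next to `AES/GCM/NoPadding`.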
@@ -0,0 +1,164 @@ +id: blowfish-insufficient-key-size-java +snapshots: + ? | + public void unsafeKeySize() { + KeyGenerator keyGen = KeyGenerator.getInstance("Blowfish"); + keyGen.init(-64); + } + : labels: + - source: keyGen.init(-64); + style: primary + start: 96 + end: 113 + - source: keyGen + style: secondary + start: 96 + end: 102 + - source: init + style: secondary + start: 103 + end: 107 + - source: '64' + style: secondary + start: 109 + end: 111 + - source: (-64) + style: secondary + start: 107 + end: 112 + - source: keyGen.init(-64) + style: secondary + start: 96 + end: 112 + - source: KeyGenerator + style: secondary + start: 55 + end: 67 + - source: getInstance + style: secondary + start: 68 + end: 79 + - source: '"Blowfish"' + style: secondary + start: 80 + end: 90 + - source: ("Blowfish") + style: secondary + start: 79 + end: 91 + - source: KeyGenerator.getInstance("Blowfish") + style: secondary + start: 55 + end: 91 + - source: KeyGenerator keyGen = KeyGenerator.getInstance("Blowfish"); + style: secondary + start: 33 + end: 92 + ? 
| + public void unsafeKeySize() { + KeyGenerator keyGen = KeyGenerator.getInstance("Blowfish"); + keyGen.init(64); + } + : labels: + - source: keyGen.init(64); + style: primary + start: 96 + end: 112 + - source: keyGen + style: secondary + start: 96 + end: 102 + - source: init + style: secondary + start: 103 + end: 107 + - source: '64' + style: secondary + start: 108 + end: 110 + - source: (64) + style: secondary + start: 107 + end: 111 + - source: keyGen.init(64) + style: secondary + start: 96 + end: 111 + - source: KeyGenerator + style: secondary + start: 55 + end: 67 + - source: getInstance + style: secondary + start: 68 + end: 79 + - source: '"Blowfish"' + style: secondary + start: 80 + end: 90 + - source: ("Blowfish") + style: secondary + start: 79 + end: 91 + - source: KeyGenerator.getInstance("Blowfish") + style: secondary + start: 55 + end: 91 + - source: KeyGenerator keyGen = KeyGenerator.getInstance("Blowfish"); + style: secondary + start: 33 + end: 92 + ? | + public void unsafeKeySize() { + KeyGenerator keyGen = KeyGenerator.getInstance("Blowfish"); + keyGen.init(64.8); + } + : labels: + - source: keyGen.init(64.8); + style: primary + start: 96 + end: 114 + - source: keyGen + style: secondary + start: 96 + end: 102 + - source: init + style: secondary + start: 103 + end: 107 + - source: '64.8' + style: secondary + start: 108 + end: 112 + - source: (64.8) + style: secondary + start: 107 + end: 113 + - source: keyGen.init(64.8) + style: secondary + start: 96 + end: 113 + - source: KeyGenerator + style: secondary + start: 55 + end: 67 + - source: getInstance + style: secondary + start: 68 + end: 79 + - source: '"Blowfish"' + style: secondary + start: 80 + end: 90 + - source: ("Blowfish") + style: secondary + start: 79 + end: 91 + - source: KeyGenerator.getInstance("Blowfish") + style: secondary + start: 55 + end: 91 + - source: KeyGenerator keyGen = KeyGenerator.getInstance("Blowfish"); + style: secondary + start: 33 + end: 92 
diff --git a/tests/__snapshots__/jedis-jedisfactory-hardcoded-password-java-snapshot.yml b/tests/__snapshots__/jedis-jedisfactory-hardcoded-password-java-snapshot.yml new file mode 100644 index 00000000..8391649c --- /dev/null +++ b/tests/__snapshots__/jedis-jedisfactory-hardcoded-password-java-snapshot.yml 
@@ -0,0 +1,404 @@ +id: jedis-jedisfactory-hardcoded-password-java +snapshots: + ? | + import redis.clients.jedis.JedisFactory; + + @Service + public class JedisService implements IJedisService { + @Test + public void hardcoded() { + JedisFactory jedisFactory = new JedisFactory(); + jedisFactory.setHostName(hostName); + jedisFactory.setport(port); + jedisFactory.setPassword("asdf"); + jedisFactory.setDatabase(database); + } + } + : labels: + - source: jedisFactory.setPassword("asdf"); + style: primary + start: 248 + end: 281 + - source: jedisFactory + style: secondary + start: 248 + end: 260 + - source: setPassword + style: secondary + start: 261 + end: 272 + - source: '"asdf"' + style: secondary + start: 273 + end: 279 + - source: ("asdf") + style: secondary + start: 272 + end: 280 + - source: jedisFactory.setPassword("asdf") + style: secondary + start: 248 + end: 280 + - source: JedisFactory + style: secondary + start: 136 + end: 148 + - source: jedisFactory + style: secondary + start: 149 + end: 161 + - source: new JedisFactory() + style: secondary + start: 164 + end: 182 + - source: jedisFactory = new JedisFactory() + style: secondary + start: 149 + end: 182 + - source: JedisFactory jedisFactory = new JedisFactory(); + style: secondary + start: 136 + end: 183 + - source: redis + style: secondary + start: 7 + end: 12 + - source: clients + style: secondary + start: 13 + end: 20 + - source: redis.clients.jedis.JedisFactory + style: secondary + start: 7 + end: 39 + - source: import redis.clients.jedis.JedisFactory; + style: secondary + start: 0 + end: 40 + - source: |- + @Service + public class JedisService implements IJedisService { + @Test + public void hardcoded() { + JedisFactory jedisFactory = new JedisFactory(); + jedisFactory.setHostName(hostName); + jedisFactory.setport(port); + jedisFactory.setPassword("asdf"); + jedisFactory.setDatabase(database); + } + } + style: secondary + start: 42 + end: 321 + ? 
| + import redis.clients.jedis.JedisFactory; + + @Service + public class JedisService implements IJedisService { + @Test + public void hardcoded() { + JedisFactory jedisFactory = new JedisFactory(); + jedisFactory.setHostName(hostName); + jedisFactory.setport(port); + string asd = "asdf"; + jedisFactory.setPassword(asd); + jedisFactory.setDatabase(database); + } + } + : labels: + - source: jedisFactory.setPassword(asd); + style: primary + start: 269 + end: 299 + - source: jedisFactory + style: secondary + start: 269 + end: 281 + - source: setPassword + style: secondary + start: 282 + end: 293 + - source: asd + style: secondary + start: 294 + end: 297 + - source: (asd) + style: secondary + start: 293 + end: 298 + - source: jedisFactory.setPassword(asd) + style: secondary + start: 269 + end: 298 + - source: JedisFactory + style: secondary + start: 136 + end: 148 + - source: jedisFactory + style: secondary + start: 149 + end: 161 + - source: new JedisFactory() + style: secondary + start: 164 + end: 182 + - source: jedisFactory = new JedisFactory() + style: secondary + start: 149 + end: 182 + - source: JedisFactory jedisFactory = new JedisFactory(); + style: secondary + start: 136 + end: 183 + - source: redis + style: secondary + start: 7 + end: 12 + - source: clients + style: secondary + start: 13 + end: 20 + - source: redis.clients.jedis.JedisFactory + style: secondary + start: 7 + end: 39 + - source: import redis.clients.jedis.JedisFactory; + style: secondary + start: 0 + end: 40 + - source: |- + @Service + public class JedisService implements IJedisService { + @Test + public void hardcoded() { + JedisFactory jedisFactory = new JedisFactory(); + jedisFactory.setHostName(hostName); + jedisFactory.setport(port); + string asd = "asdf"; + jedisFactory.setPassword(asd); + jedisFactory.setDatabase(database); + } + } + style: secondary + start: 42 + end: 339 + - source: asd + style: secondary + start: 255 + end: 258 + - source: '"asdf"' + style: secondary + start: 261 + 
end: 267 + - source: string asd = "asdf"; + style: secondary + start: 248 + end: 268 + ? | + import redis.clients.jedis.JedisFactory; + + @Service + public class JedisService implements IJedisService { + @Test + public void hardcoded() { + JedisFactory jedisFactory = new clients.jedis.JedisFactory(); + jedisFactory.setHostName(hostName); + jedisFactory.setport(port); + string asd = "asdf"; + jedisFactory.setPassword(asd); + jedisFactory.setDatabase(database); + } + } + : labels: + - source: jedisFactory.setPassword(asd); + style: primary + start: 283 + end: 313 + - source: jedisFactory + style: secondary + start: 283 + end: 295 + - source: setPassword + style: secondary + start: 296 + end: 307 + - source: asd + style: secondary + start: 308 + end: 311 + - source: (asd) + style: secondary + start: 307 + end: 312 + - source: jedisFactory.setPassword(asd) + style: secondary + start: 283 + end: 312 + - source: JedisFactory + style: secondary + start: 136 + end: 148 + - source: jedisFactory + style: secondary + start: 149 + end: 161 + - source: new clients.jedis.JedisFactory() + style: secondary + start: 164 + end: 196 + - source: jedisFactory = new clients.jedis.JedisFactory() + style: secondary + start: 149 + end: 196 + - source: JedisFactory jedisFactory = new clients.jedis.JedisFactory(); + style: secondary + start: 136 + end: 197 + - source: redis + style: secondary + start: 7 + end: 12 + - source: clients + style: secondary + start: 13 + end: 20 + - source: redis.clients.jedis.JedisFactory + style: secondary + start: 7 + end: 39 + - source: import redis.clients.jedis.JedisFactory; + style: secondary + start: 0 + end: 40 + - source: |- + @Service + public class JedisService implements IJedisService { + @Test + public void hardcoded() { + JedisFactory jedisFactory = new clients.jedis.JedisFactory(); + jedisFactory.setHostName(hostName); + jedisFactory.setport(port); + string asd = "asdf"; + jedisFactory.setPassword(asd); + jedisFactory.setDatabase(database); + } + } 
+ style: secondary + start: 42 + end: 353 + - source: asd + style: secondary + start: 269 + end: 272 + - source: '"asdf"' + style: secondary + start: 275 + end: 281 + - source: string asd = "asdf"; + style: secondary + start: 262 + end: 282 + ? | + import redis.clients.jedis.JedisFactory; + + @Service + public class JedisService implements IJedisService { + @Test + public void hardcoded() { + JedisFactory jedisFactory = new jedis.JedisFactory(); + jedisFactory.setHostName(hostName); + jedisFactory.setport(port); + string asd = "asdf"; + jedisFactory.setPassword(asd); + jedisFactory.setDatabase(database); + } + } + : labels: + - source: jedisFactory.setPassword(asd); + style: primary + start: 275 + end: 305 + - source: jedisFactory + style: secondary + start: 275 + end: 287 + - source: setPassword + style: secondary + start: 288 + end: 299 + - source: asd + style: secondary + start: 300 + end: 303 + - source: (asd) + style: secondary + start: 299 + end: 304 + - source: jedisFactory.setPassword(asd) + style: secondary + start: 275 + end: 304 + - source: JedisFactory + style: secondary + start: 136 + end: 148 + - source: jedisFactory + style: secondary + start: 149 + end: 161 + - source: new jedis.JedisFactory() + style: secondary + start: 164 + end: 188 + - source: jedisFactory = new jedis.JedisFactory() + style: secondary + start: 149 + end: 188 + - source: JedisFactory jedisFactory = new jedis.JedisFactory(); + style: secondary + start: 136 + end: 189 + - source: redis + style: secondary + start: 7 + end: 12 + - source: clients + style: secondary + start: 13 + end: 20 + - source: redis.clients.jedis.JedisFactory + style: secondary + start: 7 + end: 39 + - source: import redis.clients.jedis.JedisFactory; + style: secondary + start: 0 + end: 40 + - source: |- + @Service + public class JedisService implements IJedisService { + @Test + public void hardcoded() { + JedisFactory jedisFactory = new jedis.JedisFactory(); + jedisFactory.setHostName(hostName); + 
jedisFactory.setport(port); + string asd = "asdf"; + jedisFactory.setPassword(asd); + jedisFactory.setDatabase(database); + } + } + style: secondary + start: 42 + end: 345 + - source: asd + style: secondary + start: 261 + end: 264 + - source: '"asdf"' + style: secondary + start: 267 + end: 273 + - source: string asd = "asdf"; + style: secondary + start: 254 + end: 274 diff --git a/tests/__snapshots__/use-of-default-aes-java-snapshot.yml b/tests/__snapshots__/use-of-default-aes-java-snapshot.yml new file mode 100644 index 00000000..5888d2ba --- /dev/null +++ b/tests/__snapshots__/use-of-default-aes-java-snapshot.yml 
@@ -0,0 +1,125 @@ +id: use-of-default-aes-java +snapshots: + ? "import javax;\nimport javax.crypto.*;\nimport javax.crypto.Cipher;\nclass AES{\npublic void useofAES() {\nCipher cipher = javax.crypto.Cipher.getInstance(\"AES\"); \n}\n" + : labels: + - source: javax.crypto.Cipher.getInstance("AES") + style: primary + start: 117 + end: 155 + - source: import javax.crypto.*; + style: secondary + start: 14 + end: 36 + - source: "class AES{\npublic void useofAES() {\nCipher cipher = javax.crypto.Cipher.getInstance(\"AES\"); \n}" + style: secondary + start: 65 + end: 159 + ? | + import javax; + import javax.crypto.*; + import javax.crypto.Cipher; + class AES{ + public void useofAES() { + Cipher cipher2 = Cipher.getInstance("AES"); + } + : labels: + - source: Cipher.getInstance("AES") + style: primary + start: 118 + end: 143 + - source: import javax.crypto.*; + style: secondary + start: 14 + end: 36 + - source: |- + class AES{ + public void useofAES() { + Cipher cipher2 = Cipher.getInstance("AES"); + } + style: secondary + start: 65 + end: 146 + ? | + import javax; + import javax.crypto.*; + import javax.crypto.Cipher; + class AES{ + public void useofAES() { + Cipher.getInstance("AES"); + } + : labels: + - source: Cipher.getInstance("AES") + style: primary + start: 101 + end: 126 + - source: import javax.crypto.*; + style: secondary + start: 14 + end: 36 + - source: |- + class AES{ + public void useofAES() { + Cipher.getInstance("AES"); + } + style: secondary + start: 65 + end: 129 + ? "import javax;\nimport javax.crypto.*;\nimport javax.crypto.Cipher;\nclass AES{\npublic void useofAES() {\nCipher.getInstance(\"AES\"); \n}\n" + : labels: + - source: Cipher.getInstance("AES") + style: primary + start: 101 + end: 126 + - source: import javax.crypto.*; + style: secondary + start: 14 + end: 36 + - source: "class AES{\npublic void useofAES() {\nCipher.getInstance(\"AES\"); \n}" + style: secondary + start: 65 + end: 130 + ? 
| + import javax; + import javax.crypto.*; + import javax.crypto.Cipher; + class AES{ + public void useofAES() { + javax.crypto.Cipher.getInstance("AES"); + } + : labels: + - source: javax.crypto.Cipher.getInstance("AES") + style: primary + start: 101 + end: 139 + - source: import javax.crypto.*; + style: secondary + start: 14 + end: 36 + - source: |- + class AES{ + public void useofAES() { + javax.crypto.Cipher.getInstance("AES"); + } + style: secondary + start: 65 + end: 142 + ? "import javax;\nimport javax.crypto; \nimport javax.crypto.*;\nimport javax.crypto.Cipher;\nclass AES{\npublic void useofAES() {\nCipher.getInstance(\"AES\");\ncrypto.Cipher.getInstance(\"AES\");\njavax.crypto.Cipher.getInstance(\"AES\");\n}\n" + : labels: + - source: Cipher.getInstance("AES") + style: primary + start: 127 + end: 152 + - source: import javax.crypto.*; + style: secondary + start: 40 + end: 62 + - source: |- + class AES{ + public void useofAES() { + Cipher.getInstance("AES"); + crypto.Cipher.getInstance("AES"); + javax.crypto.Cipher.getInstance("AES"); + } + style: secondary + start: 91 + end: 229 diff --git a/tests/java/blowfish-insufficient-key-size-java-test.yml b/tests/java/blowfish-insufficient-key-size-java-test.yml new file mode 100644 index 00000000..533bb67c --- /dev/null +++ b/tests/java/blowfish-insufficient-key-size-java-test.yml @@ -0,0 +1,23 @@ +id: blowfish-insufficient-key-size-java +valid: + - | + public void safeKeySize() { + KeyGenerator keyGen = KeyGenerator.getInstance("Blowfish"); + keyGen.init(128); + } +invalid: + - | + public void unsafeKeySize() { + KeyGenerator keyGen = KeyGenerator.getInstance("Blowfish"); + keyGen.init(64); + } + - | + public void unsafeKeySize() { + KeyGenerator keyGen = KeyGenerator.getInstance("Blowfish"); + keyGen.init(-64); + } + - | + public void unsafeKeySize() { + KeyGenerator keyGen = KeyGenerator.getInstance("Blowfish"); + keyGen.init(64.8); + } 
diff --git a/tests/java/jedis-jedisfactory-hardcoded-password-java-test.yml b/tests/java/jedis-jedisfactory-hardcoded-password-java-test.yml new file mode 100644 index 00000000..2e5c106b --- /dev/null +++ b/tests/java/jedis-jedisfactory-hardcoded-password-java-test.yml @@ -0,0 +1,64 @@ +id: jedis-jedisfactory-hardcoded-password-java +valid: + - | + jedisFactory.setPassword(password); +invalid: + - | + import redis.clients.jedis.JedisFactory; + + @Service + public class JedisService implements IJedisService { + @Test + public void hardcoded() { + JedisFactory jedisFactory = new JedisFactory(); + jedisFactory.setHostName(hostName); + jedisFactory.setport(port); + jedisFactory.setPassword("asdf"); + jedisFactory.setDatabase(database); + } + } + - | + import redis.clients.jedis.JedisFactory; + + @Service + public class JedisService implements IJedisService { + @Test + public void hardcoded() { + JedisFactory jedisFactory = new JedisFactory(); + jedisFactory.setHostName(hostName); + jedisFactory.setport(port); + string asd = "asdf"; + jedisFactory.setPassword(asd); + jedisFactory.setDatabase(database); + } + } + - | + import redis.clients.jedis.JedisFactory; + + @Service + public class JedisService implements IJedisService { + @Test + public void hardcoded() { + JedisFactory jedisFactory = new clients.jedis.JedisFactory(); + jedisFactory.setHostName(hostName); + jedisFactory.setport(port); + string asd = "asdf"; + jedisFactory.setPassword(asd); + jedisFactory.setDatabase(database); + } + } + - | + import redis.clients.jedis.JedisFactory; + + @Service + public class JedisService implements IJedisService { + @Test + public void hardcoded() { + JedisFactory jedisFactory = new jedis.JedisFactory(); + jedisFactory.setHostName(hostName); + jedisFactory.setport(port); + string asd = "asdf"; + jedisFactory.setPassword(asd); + jedisFactory.setDatabase(database); + } + } 
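Review bot: The only `valid` case, `jedisFactory.setPassword(password);`, is a bare statement with no import or `JedisFactory` declaration, so it cannot reach any of the five `follows`/`inside` clauses and proves nothing about the rule's ability to tell a hard-coded secret from one obtained at runtime. A valid case shaped like the invalid ones — same import and class, with `jedisFactory.setPassword(System.getenv("REDIS_PASSWORD"))`, or a password variable declared next to some other string-initialised local — would exercise that distinction, and the second of those looks like it would currently be flagged by the `..._WITH_INSTANCE` pattern. `setport` and the lowercase `string` type in the fixtures read as typos; the parser tolerates them, but `setPort`/`String` keep the fixtures realistic.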
diff --git a/tests/java/use-of-default-aes-java-test.yml b/tests/java/use-of-default-aes-java-test.yml new file mode 100644 index 00000000..311b3e11 --- /dev/null +++ b/tests/java/use-of-default-aes-java-test.yml @@ -0,0 +1,65 @@ +id: use-of-default-aes-java +valid: + - | + crypto.KeyGenerator.getInstance("AES"); + javax.crypto.KeyGenerator.getInstance("AES"); +invalid: + - | + import javax; + import javax.crypto; + import javax.crypto.*; + import javax.crypto.Cipher; + class AES{ + public void useofAES() { + Cipher.getInstance("AES"); + crypto.Cipher.getInstance("AES"); + javax.crypto.Cipher.getInstance("AES"); + } + - | + import javax; + import javax.crypto.*; + import javax.crypto.Cipher; + class AES{ + public void useofAES() { + Cipher.getInstance("AES"); + } + - | + import javax; + import javax.crypto.*; + import javax.crypto.Cipher; + class AES{ + public void useofAES() { + javax.crypto.Cipher.getInstance("AES"); + } + - | + import javax; + import javax.crypto.*; + import javax.crypto.Cipher; + class AES{ + public void useofAES() { + Cipher cipher = javax.crypto.Cipher.getInstance("AES"); + } + - | + import javax; + import javax.crypto.*; + import javax.crypto.Cipher; + class AES{ + public void useofAES() { + Cipher cipher2 = Cipher.getInstance("AES"); + } + - | + import javax; + import javax.crypto.*; + import javax.crypto.Cipher; + class AES{ + public void useofAES() { + javax.crypto.Cipher.getInstance("AES"); + } + - | + import javax; + import javax.crypto.*; + import javax.crypto.Cipher; + class AES{ + public void useofAES() { + Cipher.getInstance("AES"); + }
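Review bot: The `valid` list covers only `KeyGenerator.getInstance("AES")`; it has no `Cipher.getInstance` call with an explicit mode, so nothing here confirms that the fix the rule asks for is itself not reported. Adding `Cipher.getInstance("AES/GCM/NoPadding")` as a valid case in the same `class AES` shape as the invalid ones would pin that intent. `import javax;` is not valid Java (a package cannot be imported without a member or wildcard) and appears in every fixture; the parser is lenient about it, but it is worth dropping so the fixtures would compile as written.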