Reuse Random instances and strengthen cipher algorithms#54
Open
sonarqube-agent[bot] wants to merge 1 commit into
Open
Reuse Random instances and strengthen cipher algorithms#54sonarqube-agent[bot] wants to merge 1 commit into
sonarqube-agent[bot] wants to merge 1 commit into
Conversation
Fixed issues: - AZ3eW0APPF-XYsB0KnNk for java:S2119 rule - AZ3eW0jfPF-XYsB0KnWR for java:S2119 rule - AZ3eW0bPPF-XYsB0KnUe for java:S2119 rule - AZ3eW0bPPF-XYsB0KnUf for java:S5542 rule - AZ3eW0bPPF-XYsB0KnUg for java:S5547 rule Generated by SonarQube Agent (task: a7e6e520-6f15-4ae4-90e9-327c27bca59d)
Author
|
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Fixed inefficient Random object creation by converting them to reusable class-level fields across three benchmark test files, and upgraded weak DES/CBC encryption to secure AES/GCM mode. These changes improve performance by eliminating redundant object instantiation and enhance cryptographic security by replacing vulnerable cipher configurations with authenticated encryption.
View Project in SonarCloud
Fixed Issues
java:S2119 - Save and re-use this "Random". • CRITICAL • View issue
Location:
src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00296.java:60Why is this an issue?
Creating a new
Randomobject each time a random value is needed is inefficient and may produce numbers that are not random, depending on the JDK. For better efficiency and randomness, create a singleRandom, store it, and reuse it.What changed
This hunk declares a
Randominstance as a class-level field (private java.util.Random random = new java.util.Random()), so that theRandomobject is created once and reused across method invocations. This directly supports fixing the inefficiency and potential randomness issue caused by creating a newRandomobject each time a method is called.java:S2119 - Save and re-use this "Random". • CRITICAL • View issue
Location:
src/main/java/org/owasp/benchmark/testcode/BenchmarkTest01897.java:60Why is this an issue?
Creating a new
Randomobject each time a random value is needed is inefficient and may produce numbers that are not random, depending on the JDK. For better efficiency and randomness, create a singleRandom, store it, and reuse it.What changed
This hunk adds a private static final SecureRandom field at the class level, which will be reused across method invocations. This directly addresses the issue where a new Random (SecureRandom) object was being created each time the method was called, which is inefficient and may produce numbers that are not truly random. By storing it as a class-level field, the SecureRandom instance is created once and reused.
java:S2119 - Save and re-use this "Random". • CRITICAL • View issue
Location:
src/main/java/org/owasp/benchmark/testcode/BenchmarkTest02458.java:57Why is this an issue?
Creating a new
Randomobject each time a random value is needed is inefficient and may produce numbers that are not random, depending on the JDK. For better efficiency and randomness, create a singleRandom, store it, and reuse it.What changed
This hunk moves the SecureRandom instance from being created inside a method to a static final field at the class level. This fixes the issue where a new Random object was being created each time the method was invoked, which is inefficient and may produce numbers that are not truly random. By defining it as a class-level field, the Random object is created once and reused across all invocations.
java:S5542 - Use another cipher mode or disable padding. • CRITICAL • View issue 1
java:S5547 - Use a strong cipher algorithm. • CRITICAL • View issue 2
Location:
src/main/java/org/owasp/benchmark/testcode/BenchmarkTest02458.java:63Why is this an issue?
Encryption algorithms are essential for protecting sensitive information and ensuring secure communications in a variety of domains. They are used for several important reasons:
Encryption algorithms are essential for protecting sensitive information and ensuring secure communication in various domains. They are used for several important reasons:
What changed
This hunk replaces the cipher algorithm string from 'DES/CBC/PKCS5PADDING' to 'AES/GCM/NoPadding'. This directly fixes the vulnerability where a weak cipher algorithm (DES) was being used, which is not considered cryptographically strong. It also fixes the issue of using CBC mode which is an unauthenticated cipher mode prone to padding oracle attacks. AES/GCM/NoPadding uses the strong AES algorithm with Galois/Counter Mode, which provides both authenticated encryption and confidentiality.
SonarQube Remediation Agent uses AI. Check for mistakes.