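--- a/rules/java/security/use-of-blowfish-java.yml
+++ b/rules/java/security/use-of-blowfish-java.yml
@@ -0,0 +1,50 @@
+id: use-of-blowfish-java
+severity: warning
+language: java
+message: >-
+'Use of Blowfish was detected. Blowfish uses a 64-bit block size
+that makes it vulnerable to birthday attacks, and is therefore considered
+non-compliant. Instead, use a strong, secure cipher:
+Cipher.getInstance("AES/CBC/PKCS7PADDING"). See
+https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions
+for more information.'
+note: >-
+[CWE-327] Use of a Broken or Risky Cryptographic Algorithm.
+[REFERENCES]
+- https://owasp.org/Top10/A02_2021-Cryptographic_Failures
+- https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html
+
+ast-grep-essentials: true
+rule:
+kind: method_invocation
+all:
+- has:
+kind: identifier
+field: name
+regex: ^getInstance$
+nthChild:
+position: 2
+reverse: true
+- has:
+kind: argument_list
+field: arguments
+nthChild:
+position: 1
+reverse: true
+has:
+nthChild:
+position: 1
+ofRule:
+not:
+kind: line_comment
+kind: string_literal
+has:
+kind: string_fragment
+regex: ^Blowfish$
+not:
+has:
+nthChild:
+position: 2
+ofRule:
+not:
+kind: line_comment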
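Review bot: The `regex: ^Blowfish$` on the string_fragment matches only the bare algorithm name, so a transformation string such as `"Blowfish/CBC/PKCS5Padding"` is never flagged, and because Cipher.getInstance resolves names case-insensitively `"blowfish"` slips through as well; `regex: (?i)^\s*Blowfish(/.*)?\s*$` would cover both (nesting is inferred here, since the rendered view dropped the file's indentation). The remediation printed in the message names `AES/CBC/PKCS7PADDING`, but the standard JCE providers spell that padding `PKCS5Padding` (PKCS7Padding is a provider-specific name) and unauthenticated CBC is malleable, so `AES/GCM/NoPadding` is the safer example to recommend. Also, because `message` is a `>-` block scalar, the single quotes on its first and last lines are literal characters in the reported finding, not YAML quoting, and should be dropped. The RC4 write-up listed under REFERENCES does not support the Blowfish claim; a reference on 64-bit block-size birthday attacks (the Sweet32 work) would.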
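--- a/rules/java/security/use-of-default-aes-java.yml
+++ b/rules/java/security/use-of-default-aes-java.yml
@@ -0,0 +1,320 @@
+id: use-of-default-aes-java
+severity: warning
+language: java
+message: >-
+"Use of AES with no settings detected. By default, java.crypto.Cipher
+uses ECB mode. ECB doesn't provide message confidentiality and is not
+semantically secure so should not be used. Instead, use a strong, secure
+cipher: java.crypto.Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See
+https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions
+for more information."
+note: >-
+[CWE-327] Use of a Broken or Risky Cryptographic Algorithm.
+[REFERENCES]
+- https://owasp.org/Top10/A02_2021-Cryptographic_Failures
+- https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html
+
+ast-grep-essentials: true
+rule:
+any:
+- kind: method_invocation
+all:
+- has:
+kind: field_access
+nthChild: 1
+regex: ^javax.crypto.Cipher$
+- has:
+kind: identifier
+nthChild: 2
+regex: ^getInstance$
+- has:
+kind: argument_list
+nthChild: 3
+has:
+pattern: $AES
+nthChild:
+position: 1
+ofRule:
+not:
+kind: line_comment
+not:
+has:
+nthChild:
+position: 2
+ofRule:
+not:
+kind: line_comment
+inside:
+stopBy: end
+follows:
+stopBy: end
+kind: import_declaration
+any:
+- pattern: import javax.*;
+- pattern: import javax;
+- kind: import_declaration
+has:
+stopBy: neighbor
+kind: scoped_identifier
+has:
+stopBy: end
+kind: identifier
+nthChild: 1
+regex: ^javax$
+- kind: method_invocation
+all:
+- has:
+kind: field_access
+nthChild: 1
+regex: ^crypto.Cipher$
+- has:
+kind: identifier
+nthChild: 2
+regex: ^getInstance$
+- has:
+kind: argument_list
+has:
+pattern: $AES
+nthChild:
+position: 1
+ofRule:
+not:
+kind: line_comment
+not:
+has:
+nthChild:
+position: 2
+ofRule:
+not:
+kind: line_comment
+inside:
+stopBy: end
+follows:
+stopBy: end
+kind: import_declaration
+any:
+- kind: import_declaration
+has:
+stopBy: neighbor
+kind: scoped_identifier
+has:
+stopBy: end
+kind: identifier
+nthChild: 1
+regex: ^javax$
+- pattern: import javax.crypto;
+- pattern: import javax.*;
+- kind: import_declaration
+has:
+stopBy: neighbor
+kind: scoped_identifier
+has:
+stopBy: end
+kind: identifier
+nthChild: 1
+regex: ^javax$
+- kind: method_invocation
+all:
+- has:
+kind: identifier
+nthChild: 1
+regex: ^Cipher$
+- has:
+kind: identifier
+nthChild: 2
+regex: ^getInstance$
+- has:
+kind: argument_list
+has:
+pattern: $AES
+nthChild:
+position: 1
+ofRule:
+not:
+kind: line_comment
+not:
+has:
+nthChild:
+position: 2
+ofRule:
+not:
+kind: line_comment
+- inside:
+stopBy: end
+follows:
+stopBy: end
+kind: import_declaration
+any:
+- pattern: import javax.crypto.*;
+- pattern: import javax.crypto.Cipher;
+- kind: import_declaration
+has:
+stopBy: neighbor
+kind: scoped_identifier
+has:
+stopBy: end
+kind: identifier
+nthChild: 1
+regex: ^javax.crypto.*$
+- kind: method_invocation
+all:
+- has:
+kind: identifier
+nthChild: 1
+pattern: $INST
+- has:
+kind: identifier
+nthChild: 2
+regex: ^getInstance$
+- has:
+kind: argument_list
+has:
+pattern: $AES
+nthChild:
+position: 1
+ofRule:
+not:
+kind: line_comment
+not:
+has:
+nthChild:
+position: 2
+ofRule:
+not:
+kind: line_comment
+- inside:
+stopBy: end
+follows:
+stopBy: end
+any:
+- kind: field_declaration
+- kind: local_variable_declaration
+all:
+- has:
+kind: scoped_type_identifier
+regex: ^javax.crypto.Cipher$
+- has:
+kind: variable_declarator
+has:
+kind: identifier
+pattern: $INST
+- inside:
+stopBy: end
+follows:
+stopBy: end
+kind: import_declaration
+any:
+- pattern: import javax.crypto.Cipher;
+- pattern: import javax;
+- kind: method_invocation
+all:
+- has:
+kind: identifier
+nthChild: 1
+pattern: $INST
+- has:
+kind: identifier
+nthChild: 2
+regex: ^getInstance$
+- has:
+kind: argument_list
+has:
+pattern: $AES
+nthChild:
+position: 1
+ofRule:
+not:
+kind: line_comment
+not:
+has:
+nthChild:
+position: 2
+ofRule:
+not:
+kind: line_comment
+- inside:
+stopBy: end
+follows:
+stopBy: end
+any:
+- kind: field_declaration
+- kind: local_variable_declaration
+all:
+- has:
+kind: scoped_type_identifier
+regex: ^crypto.Cipher$
+- has:
+kind: variable_declarator
+has:
+kind: identifier
+pattern: $INST
+- inside:
+stopBy: end
+follows:
+stopBy: end
+kind: import_declaration
+any:
+- pattern: import javax.*;
+- pattern: import javax.crypto;
+- pattern: import javax.crypto.Cipher;
+- kind: method_invocation
+all:
+- has:
+kind: identifier
+nthChild: 1
+pattern: $INST
+- has:
+kind: identifier
+nthChild: 2
+regex: ^getInstance$
+- has:
+kind: argument_list
+has:
+pattern: $AES
+nthChild:
+position: 1
+ofRule:
+not:
+kind: line_comment
+not:
+has:
+nthChild:
+position: 2
+ofRule:
+not:
+kind: line_comment
+- inside:
+stopBy: end
+follows:
+stopBy: end
+any:
+- kind: field_declaration
+- kind: local_variable_declaration
+all:
+- has:
+kind: type_identifier
+regex: ^Cipher$
+- has:
+kind: variable_declarator
+has:
+kind: identifier
+pattern: $INST
+- inside:
+stopBy: end
+follows:
+stopBy: end
+kind: import_declaration
+any:
+- pattern: import javax.crypto.Cipher;
+- pattern: import javax.crypto.*;
+not:
+has:
+stopBy: end
+kind: ERROR
+constraints:
+AES:
+kind: string_literal
+all:
+- has:
+kind: string_fragment
+regex: ^\s*(AES)\s*$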
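Review bot: The `message` at the top of the hunk is a `>-` folded block scalar, so the `\"` sequences around `AES/CBC/PKCS7PADDING` and the enclosing double quotes are not escapes but literal characters that end up verbatim in the reported finding; drop the outer quotes and write the line unescaped, `cipher: javax.crypto.Cipher.getInstance("AES/CBC/PKCS7PADDING"). See`. The remediation itself needs correcting too: the class is `javax.crypto.Cipher` not `java.crypto.Cipher`, the standard JCE providers spell the padding `PKCS5Padding`, and unauthenticated CBC is malleable, so `AES/GCM/NoPadding` is the better transformation to print. Several `follows` alternatives use `pattern: import javax;` and `pattern: import javax.crypto;`, which are not legal Java import declarations and can never match, and as far as can be read from the flattened view a fully-qualified `javax.crypto.Cipher.getInstance("AES")` call in a file with no javax import is therefore left unflagged; that is a false negative worth a test case. The constraint `regex: ^\s*(AES)\s*$` is case-sensitive while getInstance is not, so `"aes"` also escapes detection; `(?i)` on the regex closes that gap.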