From 4208c3d1e1fa874abb6335e4c5b5c574f6fc0bc1 Mon Sep 17 00:00:00 2001 From: ESS-ENN Date: Thu, 5 Sep 2024 16:24:40 +0530 Subject: [PATCH 01/37] insecure-biometrics-swift --- .../security/insecure-biometrics-swift.yml | 18 ++++++++++++++++++ .../insecure-biometrics-swift-snapshot.yml | 9 +++++++++ tests/swift/insecure-biometrics-swift-test.yml | 7 +++++++ 3 files changed, 34 insertions(+) create mode 100644 rules/swift/security/insecure-biometrics-swift.yml create mode 100644 tests/__snapshots__/insecure-biometrics-swift-snapshot.yml create mode 100644 tests/swift/insecure-biometrics-swift-test.yml diff --git a/rules/swift/security/insecure-biometrics-swift.yml b/rules/swift/security/insecure-biometrics-swift.yml new file mode 100644 index 00000000..d1343ba3 --- /dev/null +++ b/rules/swift/security/insecure-biometrics-swift.yml @@ -0,0 +1,18 @@ +id: insecure-biometrics-swift +language: swift +severity: info +message: >- + The application was observed to leverage biometrics via Local + Authentication, which returns a simple boolean result for authentication. + This design is subject to bypass with runtime tampering tools such as + Frida, Substrate, and others. Although this is limited to rooted + (jailbroken) devices, consider implementing biometric authentication the + reliable way - via Keychain Services. +note: >- + [CWE-305] Authentication Bypass by Primary Weakness + [REFERENCES] + - https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06f-testing-local-authentication + - https://shirazkhan030.medium.com/biometric-authentication-in-ios-6c53c54f17df +rule: + pattern: | + $X.evaluatePolicy diff --git a/tests/__snapshots__/insecure-biometrics-swift-snapshot.yml b/tests/__snapshots__/insecure-biometrics-swift-snapshot.yml new file mode 100644 index 00000000..2e7ddc4c --- /dev/null +++ b/tests/__snapshots__/insecure-biometrics-swift-snapshot.yml 
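Review bot: `$X.evaluatePolicy` matches the member reference rather than the call — the snapshot label ends at 22, the length of `context.evaluatePolicy`, so the reported range stops before the policy argument. `pattern: $X.evaluatePolicy($$$)` anchors the finding on the invocation and gives a range a reader can act on. The `|` block scalar also carries a trailing newline into the pattern text; an inline scalar avoids that.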
@@ -0,0 +1,9 @@ +id: insecure-biometrics-swift +snapshots: + ? | + context.evaluatePolicy(.deviceOwnerAuthentication, localizedReason: "Authenticate to the application" + : labels: + - source: context.evaluatePolicy + style: primary + start: 0 + end: 22 diff --git a/tests/swift/insecure-biometrics-swift-test.yml b/tests/swift/insecure-biometrics-swift-test.yml new file mode 100644 index 00000000..fffee11c --- /dev/null +++ b/tests/swift/insecure-biometrics-swift-test.yml @@ -0,0 +1,7 @@ +id: insecure-biometrics-swift +valid: + - | + context.canEvaluatePolicy(.deviceOwnerAuthentication, error: &error) +invalid: + - | + context.evaluatePolicy(.deviceOwnerAuthentication, localizedReason: "Authenticate to the application" From 2d4ea632eadef2bc6d0f7d6415de5f036f8087f7 Mon Sep 17 00:00:00 2001 From: ESS-ENN Date: Thu, 5 Sep 2024 16:25:35 +0530 Subject: [PATCH 02/37] plaintext-http-link-html --- rules/html/security/plaintext-http-link-html.yml | 15 +++++++++++++++ .../plaintext-http-link-html-snapshot.yml | 15 +++++++++++++++ tests/html/plaintext-http-link-html-test.yml | 15 +++++++++++++++ 3 files changed, 45 insertions(+) create mode 100644 rules/html/security/plaintext-http-link-html.yml create mode 100644 tests/__snapshots__/plaintext-http-link-html-snapshot.yml create mode 100644 tests/html/plaintext-http-link-html-test.yml diff --git a/rules/html/security/plaintext-http-link-html.yml b/rules/html/security/plaintext-http-link-html.yml new file mode 100644 index 00000000..8bd2621b --- /dev/null +++ b/rules/html/security/plaintext-http-link-html.yml @@ -0,0 +1,15 @@ +id: plaintext-http-link-html +language: html +severity: info +message: >- + This link points to a plaintext HTTP URL. Prefer an encrypted HTTPS URL + if possible. +note: >- + [CWE-319] Authentication Bypass by Primary Weakness + [REFERENCES] + - https://cwe.mitre.org/data/definitions/319.html +rule: + pattern: $C +constraints: + URL: + regex: ^['"`]?([Hh][Tt][Tt][Pp]://) 
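Review bot: The note title is wrong: CWE-319 is 'Cleartext Transmission of Sensitive Information', while 'Authentication Bypass by Primary Weakness' is CWE-305 (copied over from the Swift rule), so the line should read `[CWE-319] Cleartext Transmission of Sensitive Information`. Separately, as rendered here the pattern is a bare `$C`, which binds no `URL` metavariable, so the `URL` constraint can never apply and the pattern would match every node — if the page's HTML extraction stripped an anchor element around `$C` disregard this, otherwise the pattern needs the `href=$URL` element the constraint is written for.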
diff --git a/tests/__snapshots__/plaintext-http-link-html-snapshot.yml b/tests/__snapshots__/plaintext-http-link-html-snapshot.yml new file mode 100644 index 00000000..98516a80 --- /dev/null +++ b/tests/__snapshots__/plaintext-http-link-html-snapshot.yml @@ -0,0 +1,15 @@ +id: plaintext-http-link-html +snapshots: + ? | + Astgrep + Astgrep + Astgrep + Astgrep + Astgrep + Astgrep + Astgrep + : labels: + - source: Astgrep + style: primary + start: 0 + end: 40 diff --git a/tests/html/plaintext-http-link-html-test.yml b/tests/html/plaintext-http-link-html-test.yml new file mode 100644 index 00000000..c73d9bd0 --- /dev/null +++ b/tests/html/plaintext-http-link-html-test.yml @@ -0,0 +1,15 @@ +id: plaintext-http-link-html +valid: + - | + Astgrep + Astgrep + Astgrep +invalid: + - | + Astgrep + Astgrep + Astgrep + Astgrep + Astgrep + Astgrep + Astgrep From 586888d9e1d012792601b938579b9b70975d8a7f Mon Sep 17 00:00:00 2001 From: ESS-ENN Date: Thu, 5 Sep 2024 16:27:08 +0530 Subject: [PATCH 03/37] desede-is-deprecated-java --- .../java/security/desede-is-deprecated-java.yml | 16 ++++++++++++++++ .../desede-is-deprecated-java-snapshot.yml | 10 ++++++++++ tests/java/desede-is-deprecated-java-test.yml | 8 ++++++++ 3 files changed, 34 insertions(+) create mode 100644 rules/java/security/desede-is-deprecated-java.yml create mode 100644 tests/__snapshots__/desede-is-deprecated-java-snapshot.yml create mode 100644 tests/java/desede-is-deprecated-java-test.yml diff --git a/rules/java/security/desede-is-deprecated-java.yml b/rules/java/security/desede-is-deprecated-java.yml new file mode 100644 index 00000000..6db7b4c9 --- /dev/null +++ b/rules/java/security/desede-is-deprecated-java.yml 
@@ -0,0 +1,16 @@ +id: desede-is-deprecated-java +language: java +severity: warning +message: >- + Triple DES (3DES or DESede) is considered deprecated. AES is the recommended cipher. Upgrade to use AES. +note: >- + [CWE-326]: Inadequate Encryption Strength + [OWASP A03:2017]: Sensitive Data Exposure + [OWASP A02:2021]: Cryptographic Failures + [REFERENCES] + - https://find-sec-bugs.github.io/bugs.htm#TDES_USAGE + - https://csrc.nist.gov/News/2017/Update-to-Current-Use-and-Deprecation-of-TDEA +rule: + any: + - pattern: $CIPHER.getInstance("=~/DESede.*/") + - pattern: $CRYPTO.KeyGenerator.getInstance("DES") diff --git a/tests/__snapshots__/desede-is-deprecated-java-snapshot.yml b/tests/__snapshots__/desede-is-deprecated-java-snapshot.yml new file mode 100644 index 00000000..1b0bc359 --- /dev/null +++ b/tests/__snapshots__/desede-is-deprecated-java-snapshot.yml @@ -0,0 +1,10 @@ +id: desede-is-deprecated-java +snapshots: + ? | + Cipher.getInstance("DESede/ECB/PKCS5Padding"); + javax.crypto.KeyGenerator.getInstance("DES") + : labels: + - source: javax.crypto.KeyGenerator.getInstance("DES") + style: primary + start: 47 + end: 91 diff --git a/tests/java/desede-is-deprecated-java-test.yml b/tests/java/desede-is-deprecated-java-test.yml new file mode 100644 index 00000000..7ae2996e --- /dev/null +++ b/tests/java/desede-is-deprecated-java-test.yml @@ -0,0 +1,8 @@ +id: desede-is-deprecated-java +valid: + - | + Cipher.getInstance("AES/GCM/NoPadding"); +invalid: + - | + Cipher.getInstance("DESede/ECB/PKCS5Padding"); + javax.crypto.KeyGenerator.getInstance("DES") From 9015c0917df2d75372f9f707c33d31479bda3d6d Mon Sep 17 00:00:00 2001 
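Review bot: The first alternative `$CIPHER.getInstance("=~/DESede.*/")` uses Semgrep's regex-in-string syntax, which ast-grep does not support, so `Cipher.getInstance("DESede/ECB/PKCS5Padding")` is never matched — the snapshot confirms it by labelling only the `KeyGenerator` line (start 47, i.e. the second line). The test still passes only because the invalid block also contains the `KeyGenerator` call; ast-grep needs a metavariable plus a `constraints` regex, and the second alternative's mandatory `$CRYPTO.` prefix also misses the unqualified `KeyGenerator.getInstance("DES")`. The same two patterns are repeated in `desede-is-deprecated-kotlin` (PATCH 04/37) and need the same fix. One rewrite that covers `Cipher`, `KeyGenerator` and `SecretKeyFactory` with either spelling is below; note the Java/Kotlin string literal node includes its quotes, which the regex relies on.
```yaml
rule:
  pattern: $CLASS.getInstance($ALG)
constraints:
  ALG:
    # literal node text includes the quotes; matches "DES", "DES/…" and "DESede…"
    regex: '^"DES(ede)?[/"]'
```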
From: ESS-ENN Date: Thu, 5 Sep 2024 16:27:55 +0530 Subject: [PATCH 04/37] desede-is-deprecated-kotlin --- .../security/desede-is-deprecated-kotlin.yml | 16 ++++++++++++++++ .../desede-is-deprecated-kotlin-snapshot.yml | 10 ++++++++++ .../kotlin/desede-is-deprecated-kotlin-test.yml | 8 ++++++++ 3 files changed, 34 insertions(+) create mode 100644 rules/kotlin/security/desede-is-deprecated-kotlin.yml create mode 100644 tests/__snapshots__/desede-is-deprecated-kotlin-snapshot.yml create mode 100644 tests/kotlin/desede-is-deprecated-kotlin-test.yml diff --git a/rules/kotlin/security/desede-is-deprecated-kotlin.yml b/rules/kotlin/security/desede-is-deprecated-kotlin.yml new file mode 100644 index 00000000..f0a7351a --- /dev/null +++ b/rules/kotlin/security/desede-is-deprecated-kotlin.yml @@ -0,0 +1,16 @@ +id: desede-is-deprecated-kotlin +language: kotlin +severity: warning +message: >- + Triple DES (3DES or DESede) is considered deprecated. AES is the recommended cipher. Upgrade to use AES. +note: >- + [CWE-326]: Inadequate Encryption Strength + [OWASP A03:2017]: Sensitive Data Exposure + [OWASP A02:2021]: Cryptographic Failures + [REFERENCES] + - https://find-sec-bugs.github.io/bugs.htm#TDES_USAGE + - https://csrc.nist.gov/News/2017/Update-to-Current-Use-and-Deprecation-of-TDEA +rule: + any: + - pattern: $CIPHER.getInstance("=~/DESede.*/") + - pattern: $CRYPTO.KeyGenerator.getInstance("DES") diff --git a/tests/__snapshots__/desede-is-deprecated-kotlin-snapshot.yml b/tests/__snapshots__/desede-is-deprecated-kotlin-snapshot.yml new file mode 100644 index 00000000..7eb1119d --- /dev/null +++ b/tests/__snapshots__/desede-is-deprecated-kotlin-snapshot.yml @@ -0,0 +1,10 @@ +id: desede-is-deprecated-kotlin +snapshots: + ? | + Cipher.getInstance("DESede/ECB/PKCS5Padding"); + javax.crypto.KeyGenerator.getInstance("DES") + : labels: + - source: javax.crypto.KeyGenerator.getInstance("DES") + style: primary + start: 47 + end: 91 
diff --git a/tests/kotlin/desede-is-deprecated-kotlin-test.yml b/tests/kotlin/desede-is-deprecated-kotlin-test.yml new file mode 100644 index 00000000..c3d2e28e --- /dev/null +++ b/tests/kotlin/desede-is-deprecated-kotlin-test.yml @@ -0,0 +1,8 @@ +id: desede-is-deprecated-kotlin +valid: + - | + Cipher.getInstance("AES/GCM/NoPadding"); +invalid: + - | + Cipher.getInstance("DESede/ECB/PKCS5Padding"); + javax.crypto.KeyGenerator.getInstance("DES") From 68be70d5f4b91fd7f3c06bcb926535ab4822c6a2 Mon Sep 17 00:00:00 2001 From: ESS-ENN Date: Thu, 5 Sep 2024 16:28:55 +0530 Subject: [PATCH 05/37] sizeof-this-c --- rules/c/security/sizeof-this-c.yml | 13 +++++++++++++ tests/__snapshots__/sizeof-this-c-snapshot.yml | 9 +++++++++ tests/c/sizeof-this-c-test.yml | 7 +++++++ 3 files changed, 29 insertions(+) create mode 100644 rules/c/security/sizeof-this-c.yml create mode 100644 tests/__snapshots__/sizeof-this-c-snapshot.yml create mode 100644 tests/c/sizeof-this-c-test.yml diff --git a/rules/c/security/sizeof-this-c.yml b/rules/c/security/sizeof-this-c.yml new file mode 100644 index 00000000..bb024aa2 --- /dev/null +++ b/rules/c/security/sizeof-this-c.yml @@ -0,0 +1,13 @@ +id: sizeof-this-c +language: c +severity: warning +message: >- + Do not use `sizeof(this)` to get the number of bytes of the object in + memory. It returns the size of the pointer, not the size of the object. +note: >- + [CWE-467]: Use of sizeof() on a Pointer Type + [REFERENCES] + - https://wiki.sei.cmu.edu/confluence/display/c/ARR01-C.+Do+not+apply+the+sizeof+operator+to+a+pointer+when+taking+the+size+of+an+array +rule: + any: + - pattern: "sizeof(this)" diff --git a/tests/__snapshots__/sizeof-this-c-snapshot.yml b/tests/__snapshots__/sizeof-this-c-snapshot.yml new file mode 100644 index 00000000..e8db9995 --- /dev/null +++ b/tests/__snapshots__/sizeof-this-c-snapshot.yml 
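Review bot: `this` is a keyword only in C++; under `language: c` the pattern `sizeof(this)` can only match `sizeof` applied to an ordinary variable that happens to be named `this`, and the `return sizeof(*this);` valid case is not idiomatic C either. Either switch to `language: cpp`, where CWE-467 for `sizeof(this)` actually applies, or rename the rule so it is clear it targets a C++ idiom. The single-alternative `any:` can also be collapsed to `pattern: sizeof(this)`.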
@@ -0,0 +1,9 @@ +id: sizeof-this-c +snapshots: + ? | + return sizeof(this); + : labels: + - source: sizeof(this) + style: primary + start: 7 + end: 19 diff --git a/tests/c/sizeof-this-c-test.yml b/tests/c/sizeof-this-c-test.yml new file mode 100644 index 00000000..f9be53fb --- /dev/null +++ b/tests/c/sizeof-this-c-test.yml @@ -0,0 +1,7 @@ +id: sizeof-this-c +valid: + - | + return sizeof(*this); +invalid: + - | + return sizeof(this); From 3d453a8cea3d639df351116f408063f023c4c72c Mon Sep 17 00:00:00 2001 From: ESS-ENN Date: Thu, 5 Sep 2024 17:05:05 +0530 Subject: [PATCH 06/37] cbc-padding-oracle-java --- rules/java/security/cbc-padding-oracle-java.yml | 17 +++++++++++++++++ rules/java/security/cbc-padding-oracle.yml | 16 ---------------- .../cbc-padding-oracle-java-snapshot.yml | 8 ++++++++ tests/java/cbc-padding-oracle-java-test.yml | 7 +++++++ tests/java/cbc-padding-oracle-test.yml | 11 ----------- 5 files changed, 32 insertions(+), 27 deletions(-) create mode 100644 rules/java/security/cbc-padding-oracle-java.yml delete mode 100644 rules/java/security/cbc-padding-oracle.yml create mode 100644 tests/__snapshots__/cbc-padding-oracle-java-snapshot.yml create mode 100644 tests/java/cbc-padding-oracle-java-test.yml delete mode 100644 tests/java/cbc-padding-oracle-test.yml diff --git a/rules/java/security/cbc-padding-oracle-java.yml b/rules/java/security/cbc-padding-oracle-java.yml new file mode 100644 index 00000000..7e3e6c4c --- /dev/null +++ b/rules/java/security/cbc-padding-oracle-java.yml 
@@ -0,0 +1,17 @@ +id: cbc-padding-oracle-java +severity: warning +language: java +message: >- + Using CBC with PKCS5Padding is susceptible to padding oracle attacks. A + malicious actor could discern the difference between plaintext with valid + or invalid padding. Further, CBC mode does not include any integrity + checks. Use 'AES/GCM/NoPadding' instead. +note: >- + [CWE-327] Use of a Broken or Risky Cryptographic Algorithm. + [REFERENCES] + - https://capec.mitre.org/data/definitions/463.html +rule: + pattern: Cipher.getInstance($MODE) +constraints: + MODE: + regex: '.*/CBC/PKCS5Padding' \ No newline at end of file diff --git a/rules/java/security/cbc-padding-oracle.yml b/rules/java/security/cbc-padding-oracle.yml deleted file mode 100644 index 0cb62145..00000000 --- a/rules/java/security/cbc-padding-oracle.yml +++ /dev/null @@ -1,16 +0,0 @@ -id: cbd-padding-oracle -severity: warning -language: java -message: >- - Using CBC with PKCS5Padding is susceptible to padding oracle attacks. - Use a secure mode of operation like GCM or CCM instead. -note: >- - [CWE-327]: Use of a Broken or Risky Cryptographic Algorithm - [OWASP A03:2017]: Sensitive Data Exposure - [OWASP A02:2021]: Cryptographic Failures - [REFERENCES] - - https://capec.mitre.org/data/definitions/463.html - - https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#cipher-modes - - https://find-sec-bugs.github.io/bugs.htm#CIPHER_INTEGRITY -rule: - pattern: Cipher.getInstance("AES/CBC/PKCS5Padding") \ No newline at end of file diff --git a/tests/__snapshots__/cbc-padding-oracle-java-snapshot.yml b/tests/__snapshots__/cbc-padding-oracle-java-snapshot.yml new file mode 100644 index 00000000..fec2a659 --- /dev/null +++ b/tests/__snapshots__/cbc-padding-oracle-java-snapshot.yml @@ -0,0 +1,8 @@ +id: cbc-padding-oracle-java +snapshots: + Cipher.getInstance("AES/CBC/PKCS5Padding");: + labels: + - source: Cipher.getInstance("AES/CBC/PKCS5Padding") + style: primary + start: 0 + end: 42 
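Review bot: The `MODE` regex `.*/CBC/PKCS5Padding` does not match `PKCS7Padding` (the spelling BouncyCastle accepts for the same scheme) or mixed-case transformations, which JCE resolves case-insensitively, so those CBC usages slip through while the message still says CBC lacks integrity checks. `regex: "(?i)/CBC/PKCS[57]Padding"` closes the gap; the leading `.*` is redundant because the constraint regex is an unanchored search. The replaced `cbc-padding-oracle.yml` carried OWASP A02:2021 and cheat-sheet references in its note that this new file drops; consider carrying them over.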
diff --git a/tests/java/cbc-padding-oracle-java-test.yml b/tests/java/cbc-padding-oracle-java-test.yml new file mode 100644 index 00000000..b54e956d --- /dev/null +++ b/tests/java/cbc-padding-oracle-java-test.yml @@ -0,0 +1,7 @@ +id: cbc-padding-oracle-java +valid: + - | + Cipher.getInstance("AES/GCM/NoPadding"); +invalid: + - | + Cipher.getInstance("AES/CBC/PKCS5Padding"); \ No newline at end of file diff --git a/tests/java/cbc-padding-oracle-test.yml b/tests/java/cbc-padding-oracle-test.yml deleted file mode 100644 index 2085aa72..00000000 --- a/tests/java/cbc-padding-oracle-test.yml +++ /dev/null @@ -1,11 +0,0 @@ -id: cbc-padding-oracle -valid: - - | - Cipher c = Cipher.getInstance("AES/GCM/NoPadding"); - c.init(Cipher.ENCRYPT_MODE, k, iv); - byte[] cipherText = c.doFinal(plainText); -invalid: - - | - Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding"); - IvParameterSpec iv = new IvParameterSpec(new byte[16]); - cipher.init(Cipher.DECRYPT_MODE, new SecretKeySpec(new byte[16], "AES"), iv); \ No newline at end of file From e7b4680ecd928296e4d4d405aea7a4dbffd952bb Mon Sep 17 00:00:00 2001 From: ESS-ENN Date: Thu, 5 Sep 2024 17:05:48 +0530 Subject: [PATCH 07/37] no-null-cipher-java --- rules/c/security/no-null-cipher-java.yml | 17 +++++++++++++++++ .../no-null-cipher-java-snapshot.yml | 10 ++++++++++ tests/java/no-null-cipher-java-test.yml | 8 ++++++++ 3 files changed, 35 insertions(+) create mode 100644 rules/c/security/no-null-cipher-java.yml create mode 100644 tests/__snapshots__/no-null-cipher-java-snapshot.yml create mode 100644 tests/java/no-null-cipher-java-test.yml diff --git a/rules/c/security/no-null-cipher-java.yml b/rules/c/security/no-null-cipher-java.yml new file mode 100644 index 00000000..c5446677 --- /dev/null +++ b/rules/c/security/no-null-cipher-java.yml 
@@ -0,0 +1,17 @@ +id: no-null-cipher-java +severity: warning +language: java +message: >- + NullCipher was detected. This will not encrypt anything; the cipher + text will be the same as the plain text. Use a valid, secure cipher: + Cipher.getInstance("AES/CBC/PKCS7PADDING"). See + https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions + for more information. +note: >- + [CWE-327] Use of a Broken or Risky Cryptographic Algorithm. + [REFERENCES] + - https://owasp.org/Top10/A02_2021-Cryptographic_Failures +rule: + any: + - pattern: new NullCipher($$$) + - pattern: new javax.crypto.NullCipher($$$) \ No newline at end of file diff --git a/tests/__snapshots__/no-null-cipher-java-snapshot.yml b/tests/__snapshots__/no-null-cipher-java-snapshot.yml new file mode 100644 index 00000000..7c9b2e87 --- /dev/null +++ b/tests/__snapshots__/no-null-cipher-java-snapshot.yml @@ -0,0 +1,10 @@ +id: no-null-cipher-java +snapshots: + ? |- + Cipher doNothingCihper = new NullCipher(); + new javax.crypto.NullCipher(); + : labels: + - source: new NullCipher() + style: primary + start: 25 + end: 41 diff --git a/tests/java/no-null-cipher-java-test.yml b/tests/java/no-null-cipher-java-test.yml new file mode 100644 index 00000000..a80b1e81 --- /dev/null +++ b/tests/java/no-null-cipher-java-test.yml @@ -0,0 +1,8 @@ +id: no-null-cipher-java +valid: + - | + Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding"); +invalid: + - | + Cipher doNothingCihper = new NullCipher(); + new javax.crypto.NullCipher(); \ No newline at end of file From 1ba2958fb3c3848e60788d125a268566d8810c30 Mon Sep 17 00:00:00 2001 
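Review bot: The message recommends `Cipher.getInstance("AES/CBC/PKCS7PADDING")` as the secure replacement and the valid test uses `AES/CBC/PKCS5Padding`, but `cbc-padding-oracle-java` in the same series (PATCH 06/37) flags exactly that CBC transformation and tells the user to use `AES/GCM/NoPadding`. Align the guidance so a user who follows this rule does not trip the other one: `Cipher.getInstance("AES/GCM/NoPadding")` in the message and in the valid test. The file is also created under `rules/c/` rather than `rules/java/`, which PATCH 09/37 later corrects.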
From: ESS-ENN Date: Thu, 5 Sep 2024 17:06:33 +0530 Subject: [PATCH 08/37] rsa-no-padding-java --- rules/java/security/rsa-no-padding-java.yml | 14 ++++++++++++++ .../__snapshots__/rsa-no-padding-java-snapshot.yml | 10 ++++++++++ tests/java/rsa-no-padding-java-test.yml | 8 ++++++++ 3 files changed, 32 insertions(+) create mode 100644 rules/java/security/rsa-no-padding-java.yml create mode 100644 tests/__snapshots__/rsa-no-padding-java-snapshot.yml create mode 100644 tests/java/rsa-no-padding-java-test.yml diff --git a/rules/java/security/rsa-no-padding-java.yml b/rules/java/security/rsa-no-padding-java.yml new file mode 100644 index 00000000..59e1f821 --- /dev/null +++ b/rules/java/security/rsa-no-padding-java.yml @@ -0,0 +1,14 @@ +id: rsa-no-padding-java +severity: warning +language: java +message: >- + Using RSA without OAEP mode weakens the encryption. +note: >- + [CWE-326] Inadequate Encryption Strength + [REFERENCES] + - https://rdist.root.org/2009/10/06/why-rsa-encryption-padding-is-critical/ +rule: + pattern: $YST.getInstance($MODE) +constraints: + MODE: + regex: 'RSA/[Nn][Oo][Nn][Ee]/NoPadding' \ No newline at end of file diff --git a/tests/__snapshots__/rsa-no-padding-java-snapshot.yml b/tests/__snapshots__/rsa-no-padding-java-snapshot.yml new file mode 100644 index 00000000..ce8cc115 --- /dev/null +++ b/tests/__snapshots__/rsa-no-padding-java-snapshot.yml @@ -0,0 +1,10 @@ +id: rsa-no-padding-java +snapshots: + ? |- + Cipher.getInstance("RSA/None/NoPadding"); + Cipher.getInstance("RSA/NONE/NoPadding"); + : labels: + - source: Cipher.getInstance("RSA/None/NoPadding") + style: primary + start: 0 + end: 40 diff --git a/tests/java/rsa-no-padding-java-test.yml b/tests/java/rsa-no-padding-java-test.yml new file mode 100644 index 00000000..ec99d9b2 --- /dev/null +++ b/tests/java/rsa-no-padding-java-test.yml 
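Review bot: The `MODE` regex `RSA/[Nn][Oo][Nn][Ee]/NoPadding` only matches the `None` spelling, so `Cipher.getInstance("RSA/ECB/NoPadding")` — the form the Scala rule in this series (`rsa-padding-set-scala`) does catch — passes this rule silently. `regex: "RSA/([Nn][Oo][Nn][Ee]|ECB)/NoPadding"` covers both; the constraint regex is an unanchored search, so no surrounding `.*` is needed. The valid test's `RSA/ECB/OAEPWithMD5AndMGF1Padding` is a poor example of the fixed form since it builds OAEP on MD5; a SHA-2 variant such as `RSA/ECB/OAEPWithSHA-256AndMGF1Padding` is the better negative case.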
@@ -0,0 +1,8 @@ +id: rsa-no-padding-java +valid: + - | + Cipher.getInstance("RSA/ECB/OAEPWithMD5AndMGF1Padding"); +invalid: + - | + Cipher.getInstance("RSA/None/NoPadding"); + Cipher.getInstance("RSA/NONE/NoPadding"); \ No newline at end of file From f182a4b6eddd70ff40c0bc4f4c669a21a903afbc Mon Sep 17 00:00:00 2001 From: ESS-ENN Date: Thu, 5 Sep 2024 17:07:25 +0530 Subject: [PATCH 09/37] changed folder position of no-null-cipher-java --- rules/{c => java}/security/no-null-cipher-java.yml | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename rules/{c => java}/security/no-null-cipher-java.yml (100%) diff --git a/rules/c/security/no-null-cipher-java.yml b/rules/java/security/no-null-cipher-java.yml similarity index 100% rename from rules/c/security/no-null-cipher-java.yml rename to rules/java/security/no-null-cipher-java.yml From ac0edaa48fcccbf9f9307214dd6d767816bb6b94 Mon Sep 17 00:00:00 2001 From: ESS-ENN Date: Thu, 5 Sep 2024 17:08:47 +0530 Subject: [PATCH 10/37] rsa-padding-set-scala --- rules/scala/security/rsa-padding-set-scala.yml | 15 +++++++++++++++ .../rsa-padding-set-scala-snapshot.yml | 8 ++++++++ tests/scala/rsa-padding-set-scala-test.yml | 9 +++++++++ 3 files changed, 32 insertions(+) create mode 100644 rules/scala/security/rsa-padding-set-scala.yml create mode 100644 tests/__snapshots__/rsa-padding-set-scala-snapshot.yml create mode 100644 tests/scala/rsa-padding-set-scala-test.yml diff --git a/rules/scala/security/rsa-padding-set-scala.yml b/rules/scala/security/rsa-padding-set-scala.yml new file mode 100644 index 00000000..f5e00d0f --- /dev/null +++ b/rules/scala/security/rsa-padding-set-scala.yml 
@@ -0,0 +1,15 @@ +id: rsa-padding-set-scala +language: scala +severity: warning +message: >- + Usage of RSA without OAEP (Optimal Asymmetric Encryption Padding) may. +note: >- + [CWE-780] Use of RSA Algorithm without OAEP + [REFERENCES] + - https://owasp.org/Top10/A02_2021-Cryptographic_Failures +rule: + any: + - pattern: $CIPHER.getInstance($MODE) +constraints: + MODE: + regex: '.*RSA/.*/NoPadding.*' \ No newline at end of file diff --git a/tests/__snapshots__/rsa-padding-set-scala-snapshot.yml b/tests/__snapshots__/rsa-padding-set-scala-snapshot.yml new file mode 100644 index 00000000..749644a0 --- /dev/null +++ b/tests/__snapshots__/rsa-padding-set-scala-snapshot.yml @@ -0,0 +1,8 @@ +id: rsa-padding-set-scala +snapshots: + Cipher.getInstance("RSA/ECB/NoPadding"): + labels: + - source: Cipher.getInstance("RSA/ECB/NoPadding") + style: primary + start: 0 + end: 39 diff --git a/tests/scala/rsa-padding-set-scala-test.yml b/tests/scala/rsa-padding-set-scala-test.yml new file mode 100644 index 00000000..fe203ab8 --- /dev/null +++ b/tests/scala/rsa-padding-set-scala-test.yml @@ -0,0 +1,9 @@ +id: rsa-padding-set-scala +valid: + - | + Cipher.getInstance("AES/CBC/PKCS5Padding"); + Cipher.getInstance("DES/ECB/PKCS5Padding"); + Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding"); +invalid: + - | + Cipher.getInstance("RSA/ECB/NoPadding") \ No newline at end of file From 650b88b981960a16606708659e4902869d226d5a Mon Sep 17 00:00:00 2001 
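Review bot: The valid case `Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");` is Java, not Scala; tree-sitter-scala will emit an error node for it, so the line is not a meaningful negative test. Use `val cipher = Cipher.getInstance("AES/CBC/PKCS5Padding")` instead. The single-alternative `any:` in the rule can be reduced to `pattern: $CIPHER.getInstance($MODE)`.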
From: ESS-ENN Date: Thu, 5 Sep 2024 17:09:27 +0530 Subject: [PATCH 11/37] xmlinputfactory-dtd-enabled-scala --- .../xmlinputfactory-dtd-enabled-scala.yml | 25 +++++++++++++++++++ ...nputfactory-dtd-enabled-scala-snapshot.yml | 11 ++++++++ ...xmlinputfactory-dtd-enabled-scala-test.yml | 11 ++++++++ 3 files changed, 47 insertions(+) create mode 100644 rules/scala/security/xmlinputfactory-dtd-enabled-scala.yml create mode 100644 tests/__snapshots__/xmlinputfactory-dtd-enabled-scala-snapshot.yml create mode 100644 tests/scala/xmlinputfactory-dtd-enabled-scala-test.yml diff --git a/rules/scala/security/xmlinputfactory-dtd-enabled-scala.yml b/rules/scala/security/xmlinputfactory-dtd-enabled-scala.yml new file mode 100644 index 00000000..cb4d4ce4 --- /dev/null +++ b/rules/scala/security/xmlinputfactory-dtd-enabled-scala.yml @@ -0,0 +1,25 @@ +id: xmlinputfactory-dtd-enabled-scala +language: scala +severity: warning +message: >- + XMLInputFactory being instantiated without calling the setProperty + functions that are generally used for disabling entity processing. User + controlled data in XML Document builder can result in XML Internal Entity + Processing vulnerabilities like the disclosure of confidential data, + denial of service, Server Side Request Forgery (SSRF), port scanning. Make + sure to disable entity processing functionality. +note: >- + [CWE-611] Improper Restriction of XML External Entity. + [REFERENCES] + - https://owasp.org/Top10/A05_2021-Security_Misconfiguration +rule: + any: + - pattern: XMLInputFactory.newFactory($$$) + - pattern: XMLInputFactory.newInstance($$$) + - pattern: new XMLInputFactory($$$) +precedes: + not: + pattern: $XMLFACTORY.setProperty($MODE, false) +constraints: + MODE: + regex: 'javax.xml.stream.isSupportingExternalEntities' \ No newline at end of file 
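Review bot: As rendered, `precedes:` sits at column 0 beside `rule:` rather than inside it, and ast-grep only honours relational rules (`precedes`, `follows`, `inside`, `has`) inside `rule`, so the `setProperty` exemption is not applied at all; even if it were nested, `precedes: { not: pattern }` asks whether some later sibling is *not* the `setProperty` call, which is true almost everywhere, so the negation is at the wrong level. The valid test does not expose this because `XMLInputFactory.newInstance` has no parentheses and therefore never matches `newInstance($$$)` in the first place; give it `()` so the exemption is actually exercised. A `not: inside: … has:` combination is the usual way to express "unless the enclosing scope also disables external entities", shown below; it is an approximation (any `setProperty(…, false)` in the scope exempts the factory), which is acceptable for an info-level rule but worth a comment.
```yaml
rule:
  # … unchanged: any: with the three factory patterns …
  # report the factory unless the enclosing scope also turns external entities off
  not:
    inside:
      stopBy: end
      has:
        stopBy: end
        pattern: $XMLFACTORY.setProperty($MODE, false)
# … unchanged: constraints on MODE …
```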
diff --git a/tests/__snapshots__/xmlinputfactory-dtd-enabled-scala-snapshot.yml b/tests/__snapshots__/xmlinputfactory-dtd-enabled-scala-snapshot.yml new file mode 100644 index 00000000..6a8392b4 --- /dev/null +++ b/tests/__snapshots__/xmlinputfactory-dtd-enabled-scala-snapshot.yml @@ -0,0 +1,11 @@ +id: xmlinputfactory-dtd-enabled-scala +snapshots: + ? |- + val factory = XMLInputFactory.newFactory() + val fileReader = new FileReader(file) + val fileReader = new FileReader(file) + : labels: + - source: XMLInputFactory.newFactory() + style: primary + start: 14 + end: 42 diff --git a/tests/scala/xmlinputfactory-dtd-enabled-scala-test.yml b/tests/scala/xmlinputfactory-dtd-enabled-scala-test.yml new file mode 100644 index 00000000..ab78f6be --- /dev/null +++ b/tests/scala/xmlinputfactory-dtd-enabled-scala-test.yml @@ -0,0 +1,11 @@ +id: xmlinputfactory-dtd-enabled-scala +valid: + - | + val factory = XMLInputFactory.newInstance + factory.setProperty("javax.xml.stream.isSupportingExternalEntities", false) + val fileReader = new FileReader(file) +invalid: + - | + val factory = XMLInputFactory.newFactory() + val fileReader = new FileReader(file) + val fileReader = new FileReader(file) \ No newline at end of file From b0c6e4e3fafbc01aeb66f3f9263d1947a07922b8 Mon Sep 17 00:00:00 2001 From: ESS-ENN Date: Fri, 6 Sep 2024 18:36:25 +0530 Subject: [PATCH 12/37] Incorporated changes suggested by CodeRabbit Bot --- rules/html/security/plaintext-http-link-html.yml | 5 ++--- rules/java/security/cbc-padding-oracle-java.yml | 4 ++-- rules/java/security/no-null-cipher-java.yml | 16 ++++++++-------- rules/java/security/rsa-no-padding-java.yml | 4 ++-- rules/scala/security/rsa-padding-set-scala.yml | 11 +++++++---- .../swift/security/insecure-biometrics-swift.yml | 5 +++-- 6 files changed, 24 insertions(+), 21 deletions(-) diff --git a/rules/html/security/plaintext-http-link-html.yml b/rules/html/security/plaintext-http-link-html.yml index 8bd2621b..0e0dbfb7 100644 
--- a/rules/html/security/plaintext-http-link-html.yml +++ b/rules/html/security/plaintext-http-link-html.yml @@ -1,9 +1,8 @@ id: plaintext-http-link-html language: html -severity: info +severity: warning message: >- - This link points to a plaintext HTTP URL. Prefer an encrypted HTTPS URL - if possible. + "This link points to a plaintext HTTP URL. Prefer an encrypted HTTPS URL if possible." note: >- [CWE-319] Authentication Bypass by Primary Weakness [REFERENCES] diff --git a/rules/java/security/cbc-padding-oracle-java.yml b/rules/java/security/cbc-padding-oracle-java.yml index 7e3e6c4c..78f11cef 100644 --- a/rules/java/security/cbc-padding-oracle-java.yml +++ b/rules/java/security/cbc-padding-oracle-java.yml @@ -13,5 +13,5 @@ note: >- rule: pattern: Cipher.getInstance($MODE) constraints: - MODE: - regex: '.*/CBC/PKCS5Padding' \ No newline at end of file + MODE: + regex: ".*/CBC/PKCS5Padding" diff --git a/rules/java/security/no-null-cipher-java.yml b/rules/java/security/no-null-cipher-java.yml index c5446677..b5eee11a 100644 --- a/rules/java/security/no-null-cipher-java.yml +++ b/rules/java/security/no-null-cipher-java.yml 
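Review bot: Wrapping the message in literal double quotes inside the `>-` block scalar makes the quotes part of the emitted message, because block scalar content is not re-parsed as a YAML string; drop them: `This link points to a plaintext HTTP URL. Prefer an encrypted HTTPS URL if possible.`. The unchanged note line still carries the CWE-305 title under `[CWE-319]`, which this pass was the opportunity to fix. The same literal-quote problem appears in `httponly-false-csharp` (PATCH 13/37).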
@@ -2,16 +2,16 @@ id: no-null-cipher-java severity: warning language: java message: >- - NullCipher was detected. This will not encrypt anything; the cipher - text will be the same as the plain text. Use a valid, secure cipher: - Cipher.getInstance("AES/CBC/PKCS7PADDING"). See - https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions - for more information. + NullCipher was detected. This will not encrypt anything; the cipher + text will be the same as the plain text. Use a valid, secure cipher: + Cipher.getInstance("AES/CBC/PKCS7PADDING"). See + https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions + for more information. note: >- [CWE-327] Use of a Broken or Risky Cryptographic Algorithm. [REFERENCES] - https://owasp.org/Top10/A02_2021-Cryptographic_Failures rule: - any: - - pattern: new NullCipher($$$) - - pattern: new javax.crypto.NullCipher($$$) \ No newline at end of file + any: + - pattern: new NullCipher($$$) + - pattern: new javax.crypto.NullCipher($$$) diff --git a/rules/java/security/rsa-no-padding-java.yml b/rules/java/security/rsa-no-padding-java.yml index 59e1f821..c9466216 100644 --- a/rules/java/security/rsa-no-padding-java.yml +++ b/rules/java/security/rsa-no-padding-java.yml @@ -10,5 +10,5 @@ note: >- rule: pattern: $YST.getInstance($MODE) constraints: - MODE: - regex: 'RSA/[Nn][Oo][Nn][Ee]/NoPadding' \ No newline at end of file + MODE: + regex: "RSA/[Nn][Oo][Nn][Ee]/NoPadding" diff --git a/rules/scala/security/rsa-padding-set-scala.yml b/rules/scala/security/rsa-padding-set-scala.yml index f5e00d0f..b4601500 100644 --- a/rules/scala/security/rsa-padding-set-scala.yml +++ b/rules/scala/security/rsa-padding-set-scala.yml 
@@ -2,14 +2,17 @@ id: rsa-padding-set-scala language: scala severity: warning message: >- - Usage of RSA without OAEP (Optimal Asymmetric Encryption Padding) may. + Usage of RSA without OAEP (Optimal Asymmetric Encryption Padding) may + weaken encryption. This could lead to sensitive data exposure. Instead, + use RSA with `OAEPWithMD5AndMGF1Padding` instead. + note: >- [CWE-780] Use of RSA Algorithm without OAEP [REFERENCES] - https://owasp.org/Top10/A02_2021-Cryptographic_Failures rule: any: - - pattern: $CIPHER.getInstance($MODE) + - pattern: $CIPHER.getInstance($MODE) constraints: - MODE: - regex: '.*RSA/.*/NoPadding.*' \ No newline at end of file + MODE: + regex: ".*RSA/.*/NoPadding.*" diff --git a/rules/swift/security/insecure-biometrics-swift.yml b/rules/swift/security/insecure-biometrics-swift.yml index d1343ba3..8ea5a821 100644 --- a/rules/swift/security/insecure-biometrics-swift.yml +++ b/rules/swift/security/insecure-biometrics-swift.yml @@ -14,5 +14,6 @@ note: >- - https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06f-testing-local-authentication - https://shirazkhan030.medium.com/biometric-authentication-in-ios-6c53c54f17df rule: - pattern: | - $X.evaluatePolicy + any: + - pattern: LAContext.evaluatePolicy + - pattern: $X.evaluatePolicy From bd0bc1dcd7cdb90cb47cea0b142aae93929af95e Mon Sep 17 00:00:00 2001 From: ESS-ENN Date: Fri, 6 Sep 2024 18:44:36 +0530 Subject: [PATCH 13/37] httponly-false-csharp --- .../csharp/security/httponly-false-csharp.yml | 25 +++++++++++++++++++ .../httponly-false-csharp-snapshot.yml | 16 ++++++++++++ tests/csharp/httponly-false-csharp-test.yml | 11 ++++++++ 3 files changed, 52 insertions(+) create mode 100644 rules/csharp/security/httponly-false-csharp.yml create mode 100644 tests/__snapshots__/httponly-false-csharp-snapshot.yml create mode 100644 tests/csharp/httponly-false-csharp-test.yml 
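Review bot: The new message tells users to switch to `OAEPWithMD5AndMGF1Padding`, which builds OAEP on MD5; the remediation should point at a SHA-2 variant, e.g. `use RSA with OAEP, such as RSA/ECB/OAEPWithSHA-256AndMGF1Padding.`. The sentence also reads "Instead, use … instead", and the blank line appended after the message is unnecessary. The `rsa-no-padding-java` valid test (PATCH 08/37) uses the same MD5 form and should change together with this text.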
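Review bot: The added alternative `LAContext.evaluatePolicy` is already covered by `$X.evaluatePolicy`, since a metavariable matches the `LAContext` receiver as well, so the new `any:` does not change what the rule matches. If the intent was to anchor on the invocation rather than the member reference, the useful change is `pattern: $X.evaluatePolicy($$$)`, which also extends the reported range over the policy argument.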
diff --git a/rules/csharp/security/httponly-false-csharp.yml b/rules/csharp/security/httponly-false-csharp.yml new file mode 100644 index 00000000..3b0cb416 --- /dev/null +++ b/rules/csharp/security/httponly-false-csharp.yml @@ -0,0 +1,25 @@ +id: httponly-false-csharp +language: csharp +severity: info +message: >- + "Detected a cookie where the `HttpOnly` flag is either missing or + disabled. The `HttpOnly` cookie flag instructs the browser to forbid + client-side JavaScript to read the cookie. If JavaScript interaction is + required, you can ignore this finding. However, set the `HttpOnly` flag to + `true` in all other cases. If this wasn't intentional, it's recommended to + set the HttpOnly flag to true so the cookie will not be accessible through + client-side scripts or to use the Cookie Policy Middleware to globally set + the HttpOnly flag. You can then use the CookieOptions class when + instantiating the cookie, which inherits these settings and will require + future developers to have to explicitly override them on a case-by-case + basis if needed. This approach ensures cookies are secure by default." +note: >- + [CWE-1004] Sensitive Cookie Without 'HttpOnly' Flag" + [REFERENCES] + - https://learn.microsoft.com/en-us/aspnet/core/security/authentication/cookie?view=aspnetcore-8.0#cookie-policy-middleware + - https://learn.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.http.cookieoptions + - https://owasp.org/Top10/A05_2021-Security_Misconfiguration +rule: + any: + - pattern: $BUILDER.Cookie.HttpOnly = false; + - pattern: $COOKIE.HttpOnly = false; diff --git a/tests/__snapshots__/httponly-false-csharp-snapshot.yml b/tests/__snapshots__/httponly-false-csharp-snapshot.yml new file mode 100644 index 00000000..4ec18734 --- /dev/null +++ b/tests/__snapshots__/httponly-false-csharp-snapshot.yml 
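Review bot: The `message` is wrapped in literal double quotes inside a `>-` block scalar, and the `note` has a stray `"` after `Flag`, so both quotes are emitted verbatim in findings; remove them. The message also says the flag is "either missing or disabled", but both patterns only match an explicit `HttpOnly = false` assignment, so a cookie that never sets the flag is not reported — either narrow the wording to the explicit-false case or document that the omitted-flag case is out of scope. `$BUILDER.Cookie.HttpOnly = false;` should already be subsumed by `$COOKIE.HttpOnly = false;`, since `$COOKIE` matches the `$BUILDER.Cookie` member access as a single node; keeping only the second alternative simplifies the rule without changing matches.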
@@ -0,0 +1,16 @@ +id: httponly-false-csharp +snapshots: + ? | + myHttpOnlyCookie.HttpOnly = false; + : labels: + - source: myHttpOnlyCookie.HttpOnly = false; + style: primary + start: 0 + end: 34 + ? | + options.Cookie.HttpOnly = false; + : labels: + - source: options.Cookie.HttpOnly = false; + style: primary + start: 0 + end: 32 diff --git a/tests/csharp/httponly-false-csharp-test.yml b/tests/csharp/httponly-false-csharp-test.yml new file mode 100644 index 00000000..92062f04 --- /dev/null +++ b/tests/csharp/httponly-false-csharp-test.yml @@ -0,0 +1,11 @@ +id: httponly-false-csharp +valid: + - | + myHttpOnlyCookie.HttpOnly = true; + - | + options.Cookie.HttpOnly = true; +invalid: + - | + myHttpOnlyCookie.HttpOnly = false; + - | + options.Cookie.HttpOnly = false; From 5507b0abd522cfd7e14398b5d51cb3f02ddceea8 Mon Sep 17 00:00:00 2001 From: ESS-ENN Date: Fri, 6 Sep 2024 18:45:32 +0530 Subject: [PATCH 14/37] reqwest-accept-invalid-rust --- .../security/reqwest-accept-invalid-rust.yml | 17 +++++++++++ .../reqwest-accept-invalid-rust-snapshot.yml | 30 +++++++++++++++++++ .../rust/reqwest-accept-invalid-rust-test.yml | 13 ++++++++ 3 files changed, 60 insertions(+) create mode 100644 rules/rust/security/reqwest-accept-invalid-rust.yml create mode 100644 tests/__snapshots__/reqwest-accept-invalid-rust-snapshot.yml create mode 100644 tests/rust/reqwest-accept-invalid-rust-test.yml diff --git a/rules/rust/security/reqwest-accept-invalid-rust.yml b/rules/rust/security/reqwest-accept-invalid-rust.yml new file mode 100644 index 00000000..27fc9d8b --- /dev/null +++ b/rules/rust/security/reqwest-accept-invalid-rust.yml 
@@ -0,0 +1,17 @@ +id: reqwest-accept-invalid-rust +language: rust +severity: warning +message: >- + Dangerously accepting invalid TLS +note: >- + [CWE-295]: Improper Certificate + [REFERENCES] + - https://docs.rs/reqwest/latest/reqwest/struct.ClientBuilder.html#method.danger_accept_invalid_hostnames + - https://docs.rs/reqwest/latest/reqwest/struct.ClientBuilder.html#method.danger_accept_invalid_certs +rule: + any: + - pattern: $CLIENT.danger_accept_invalid_hostnames(true) + - pattern: $CLIENT.danger_accept_invalid_certs(true) +constraints: + CLIENT: + regex: '^reqwest::Client::builder\(\)' diff --git a/tests/__snapshots__/reqwest-accept-invalid-rust-snapshot.yml b/tests/__snapshots__/reqwest-accept-invalid-rust-snapshot.yml new file mode 100644 index 00000000..cb1eeac4 --- /dev/null +++ b/tests/__snapshots__/reqwest-accept-invalid-rust-snapshot.yml @@ -0,0 +1,30 @@ +id: reqwest-accept-invalid-rust +snapshots: + ? | + reqwest::Client::builder().danger_accept_invalid_certs(true) + : labels: + - source: reqwest::Client::builder().danger_accept_invalid_certs(true) + style: primary + start: 0 + end: 60 + ? | + reqwest::Client::builder().danger_accept_invalid_hostnames(true) + : labels: + - source: reqwest::Client::builder().danger_accept_invalid_hostnames(true) + style: primary + start: 0 + end: 64 + ? | + reqwest::Client::builder().user_agent("USER AGENT").cookie_store(true).danger_accept_invalid_certs(true) + : labels: + - source: reqwest::Client::builder().user_agent("USER AGENT").cookie_store(true).danger_accept_invalid_certs(true) + style: primary + start: 0 + end: 104 + ? | + reqwest::Client::builder().user_agent("USER AGENT").cookie_store(true).danger_accept_invalid_hostnames(true) + : labels: + - source: reqwest::Client::builder().user_agent("USER AGENT").cookie_store(true).danger_accept_invalid_hostnames(true) + style: primary + start: 0 + end: 108 
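Review bot: The `CLIENT` constraint `regex: '^reqwest::Client::builder\(\)'` anchors the receiver to the fully qualified call, so the same setting reached via `use reqwest::Client; Client::builder()`, `ClientBuilder::new()`, or a builder first bound to a local (`let b = Client::builder(); b.danger_accept_invalid_certs(true)`) is not flagged; dropping the constraint and matching on the method name alone is safer (native-tls exposes the identically named knob, so a wider match is still a true positive). Both patterns also require the literal `true`, so `danger_accept_invalid_certs(flag)` driven by a config value passes; a second pattern `$CLIENT.danger_accept_invalid_certs($FLAG)` at `info` severity would at least surface it. The note's `[CWE-295]: Improper Certificate` is truncated and should read `[CWE-295] Improper Certificate Validation`, and the one-line message could state the impact, e.g. `Disabling certificate or hostname verification lets any on-path attacker impersonate the server.`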
diff --git a/tests/rust/reqwest-accept-invalid-rust-test.yml b/tests/rust/reqwest-accept-invalid-rust-test.yml new file mode 100644 index 00000000..894c5cec --- /dev/null +++ b/tests/rust/reqwest-accept-invalid-rust-test.yml @@ -0,0 +1,13 @@ +id: reqwest-accept-invalid-rust +valid: + - | + reqwest::Client::builder().user_agent("USER AGENT") +invalid: + - | + reqwest::Client::builder().danger_accept_invalid_hostnames(true) + - | + reqwest::Client::builder().danger_accept_invalid_certs(true) + - | + reqwest::Client::builder().user_agent("USER AGENT").cookie_store(true).danger_accept_invalid_hostnames(true) + - | + reqwest::Client::builder().user_agent("USER AGENT").cookie_store(true).danger_accept_invalid_certs(true) From 456f4319a2b11e410ebc5472d34854a59891e278 Mon Sep 17 00:00:00 2001 From: ESS-ENN Date: Fri, 6 Sep 2024 18:46:36 +0530 Subject: [PATCH 15/37] libxml2-audit-parser-c --- rules/c/security/libxml2-audit-parser-c.yml | 25 +++++++++++++++++++ .../libxml2-audit-parser-c-snapshot.yml | 12 +++++++++ tests/c/libxml2-audit-parser-c-test.yml | 8 ++++++ 3 files changed, 45 insertions(+) create mode 100644 rules/c/security/libxml2-audit-parser-c.yml create mode 100644 tests/__snapshots__/libxml2-audit-parser-c-snapshot.yml create mode 100644 tests/c/libxml2-audit-parser-c-test.yml diff --git a/rules/c/security/libxml2-audit-parser-c.yml b/rules/c/security/libxml2-audit-parser-c.yml new file mode 100644 index 00000000..f6bca182 --- /dev/null +++ b/rules/c/security/libxml2-audit-parser-c.yml 
@@ -0,0 +1,25 @@ +id: libxml2-audit-parser-c +language: c +severity: info +message: >- + The libxml2 library is used to parse XML. When auditing such code, make + sure that either the document being parsed is trusted or that the parsing + options are safe to consume untrusted documents. In such case make sure + DTD or XInclude documents cannot be loaded and there is no network access. +note: >- + [CWE-611] Improper Restriction of XML External Entity Reference. + [REFERENCES] + - https://owasp.org/Top10/A05_2021-Security_Misconfiguration +rule: + any: + - pattern: xmlParseInNodeContext($CUR, $SRC, $DATALEN, $XML_OPTIONS, $LST) + - pattern: xmlReadDoc($CUR, $SRC, $ENC, $XML_OPTIONS) + - pattern: xmlReadFd($FD, $SRC, $ENC, $XML_OPTIONS) + - pattern: xmlReadFile($SRC, $ENC, $XML_OPTIONS) + - pattern: xmlReadIO($IO_READ, $IO_CLOSE, $IO_CTX, $SRC, $ENC, $XML_OPTIONS) + - pattern: xmlReadMemory($SRC, $SIZE, $URL, $ENC, $XML_OPTIONS) + - pattern: xmlCtxtReadDoc($CTX, $CUR, $SRC, $ENC, $XML_OPTIONS) + - pattern: xmlCtxtReadFd($CTX, $FD, $SRC, $ENC, $XML_OPTIONS) + - pattern: xmlCtxtReadFile($CTX, $SRC, $ENC, $XML_OPTIONS) + - pattern: xmlCtxtReadIO($CTX, $IO_READ, $IO_CLOSE, $IO_CTX, $SRC, $ENC,$XML_OPTIONS) + - pattern: xmlCtxtReadMemory($CTX, $SRC, $SIZE, $URL, $ENC, $XML_OPTIONS) diff --git a/tests/__snapshots__/libxml2-audit-parser-c-snapshot.yml b/tests/__snapshots__/libxml2-audit-parser-c-snapshot.yml new file mode 100644 index 00000000..60994812 --- /dev/null +++ b/tests/__snapshots__/libxml2-audit-parser-c-snapshot.yml @@ -0,0 +1,12 @@ +id: libxml2-audit-parser-c +snapshots: + ? | + xmlParseInNodeContext(cur_node->parent, xml_filtered.c_str(), + (int)xml_filtered.length(), 0, &pNewNode); + : labels: + - source: |- + xmlParseInNodeContext(cur_node->parent, xml_filtered.c_str(), + (int)xml_filtered.length(), 0, &pNewNode) + style: primary + start: 0 + end: 103 
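Review bot: Every pattern under `rule:` binds the options argument to `$XML_OPTIONS` but nothing constrains it, so a call passing `XML_PARSE_NOENT | XML_PARSE_DTDLOAD` (exactly what the message asks auditors to look for) is reported at the same `severity` as a call passing `XML_PARSE_NONET`. Consider keeping this rule as the audit hint and adding a sibling with `constraints: { XML_OPTIONS: { regex: 'XML_PARSE_(NOENT|DTDLOAD|DTDATTR|XINCLUDE)' } }` at a higher severity, and a literal `0` (the snapshot case) as "network access not disabled". The option-less entry points `xmlParseDoc`, `xmlParseFile` and `xmlParseMemory`, whose behaviour comes from process-wide defaults, are not in the list and are worth adding since they are the ones with no visible options to audit. The `$ENC,$XML_OPTIONS` spacing in the `xmlCtxtReadIO` pattern is inconsistent with the rest.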
diff --git a/tests/c/libxml2-audit-parser-c-test.yml b/tests/c/libxml2-audit-parser-c-test.yml new file mode 100644 index 00000000..d5fca034 --- /dev/null +++ b/tests/c/libxml2-audit-parser-c-test.yml @@ -0,0 +1,8 @@ +id: libxml2-audit-parser-c +valid: + - | + xmlCtxtReadMemory(); +invalid: + - | + xmlParseInNodeContext(cur_node->parent, xml_filtered.c_str(), + (int)xml_filtered.length(), 0, &pNewNode); From 30f9ae3383573f072cc8c37e7077eab5d011e869 Mon Sep 17 00:00:00 2001 From: ESS-ENN Date: Sat, 7 Sep 2024 19:08:40 +0530 Subject: [PATCH 16/37] libxml2-audit-parser-cpp --- .../cpp/security/libxml2-audit-parser-cpp.yml | 25 +++++++++++++++++++ .../libxml2-audit-parser-cpp-snapshot.yml | 12 +++++++++ tests/cpp/libxml2-audit-parser-cpp-test.yml | 8 ++++++ 3 files changed, 45 insertions(+) create mode 100644 rules/cpp/security/libxml2-audit-parser-cpp.yml create mode 100644 tests/__snapshots__/libxml2-audit-parser-cpp-snapshot.yml create mode 100644 tests/cpp/libxml2-audit-parser-cpp-test.yml diff --git a/rules/cpp/security/libxml2-audit-parser-cpp.yml b/rules/cpp/security/libxml2-audit-parser-cpp.yml new file mode 100644 index 00000000..3ef305fc --- /dev/null +++ b/rules/cpp/security/libxml2-audit-parser-cpp.yml 
@@ -0,0 +1,25 @@ +id: libxml2-audit-parser-cpp +language: Cpp +severity: info +message: >- + The libxml2 library is used to parse XML. When auditing such code, make + sure that either the document being parsed is trusted or that the parsing + options are safe to consume untrusted documents. In such case make sure + DTD or XInclude documents cannot be loaded and there is no network access. +note: >- + [CWE-611] Improper Restriction of XML External Entity Reference. + [REFERENCES] + - https://owasp.org/Top10/A05_2021-Security_Misconfiguration +rule: + any: + - pattern: xmlParseInNodeContext($CUR, $SRC, $DATALEN, $XML_OPTIONS, $LST) + - pattern: xmlReadDoc($CUR, $SRC, $ENC, $XML_OPTIONS) + - pattern: xmlReadFd($FD, $SRC, $ENC, $XML_OPTIONS) + - pattern: xmlReadFile($SRC, $ENC, $XML_OPTIONS) + - pattern: xmlReadIO($IO_READ, $IO_CLOSE, $IO_CTX, $SRC, $ENC, $XML_OPTIONS) + - pattern: xmlReadMemory($SRC, $SIZE, $URL, $ENC, $XML_OPTIONS) + - pattern: xmlCtxtReadDoc($CTX, $CUR, $SRC, $ENC, $XML_OPTIONS) + - pattern: xmlCtxtReadFd($CTX, $FD, $SRC, $ENC, $XML_OPTIONS) + - pattern: xmlCtxtReadFile($CTX, $SRC, $ENC, $XML_OPTIONS) + - pattern: xmlCtxtReadIO($CTX, $IO_READ, $IO_CLOSE, $IO_CTX, $SRC, $ENC,$XML_OPTIONS) + - pattern: xmlCtxtReadMemory($CTX, $SRC, $SIZE, $URL, $ENC, $XML_OPTIONS) diff --git a/tests/__snapshots__/libxml2-audit-parser-cpp-snapshot.yml b/tests/__snapshots__/libxml2-audit-parser-cpp-snapshot.yml new file mode 100644 index 00000000..6d424b83 --- /dev/null +++ b/tests/__snapshots__/libxml2-audit-parser-cpp-snapshot.yml @@ -0,0 +1,12 @@ +id: libxml2-audit-parser-cpp +snapshots: + ? | + xmlParseInNodeContext(cur_node->parent, xml_filtered.c_str(), + (int)xml_filtered.length(), 0, &pNewNode); + : labels: + - source: |- + xmlParseInNodeContext(cur_node->parent, xml_filtered.c_str(), + (int)xml_filtered.length(), 0, &pNewNode) + style: primary + start: 0 + end: 103 
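Review bot: This rule is a copy of `libxml2-audit-parser-c` with only `id` and `language` changed and inherits the same gap: `$XML_OPTIONS` is captured but never constrained, so `XML_PARSE_NOENT | XML_PARSE_DTDLOAD` and a hardened `XML_PARSE_NONET` call produce identical findings; a `constraints:` regex on `XML_OPTIONS` for `XML_PARSE_(NOENT|DTDLOAD|DTDATTR|XINCLUDE)` would separate them. `language: Cpp` differs in casing from `language: c` in the sibling rule; ast-grep appears to accept both spellings, but the repo's lowercase convention (`language: cpp`) avoids surprises if that tolerance changes. The option-less `xmlParseDoc`/`xmlParseFile`/`xmlParseMemory` calls are missing here too.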
diff --git a/tests/cpp/libxml2-audit-parser-cpp-test.yml b/tests/cpp/libxml2-audit-parser-cpp-test.yml new file mode 100644 index 00000000..f09ad2bd --- /dev/null +++ b/tests/cpp/libxml2-audit-parser-cpp-test.yml @@ -0,0 +1,8 @@ +id: libxml2-audit-parser-cpp +valid: + - | + xmlCtxtReadMemory(); +invalid: + - | + xmlParseInNodeContext(cur_node->parent, xml_filtered.c_str(), + (int)xml_filtered.length(), 0, &pNewNode); From 0970f4fb00ad6e64bc02a3f64c145535d8896a1e Mon Sep 17 00:00:00 2001 From: ESS-ENN Date: Mon, 9 Sep 2024 18:38:57 +0530 Subject: [PATCH 17/37] oracleconnectionstringbuilder-hardcoded-secret-csharp --- ...nstringbuilder-hardcoded-secret-csharp.yml | 17 +++++++++++ ...ilder-hardcoded-secret-csharp-snapshot.yml | 30 +++++++++++++++++++ ...ngbuilder-hardcoded-secret-csharp-test.yml | 19 ++++++++++++ 3 files changed, 66 insertions(+) create mode 100644 rules/csharp/security/oracleconnectionstringbuilder-hardcoded-secret-csharp.yml create mode 100644 tests/__snapshots__/oracleconnectionstringbuilder-hardcoded-secret-csharp-snapshot.yml create mode 100644 tests/csharp/oracleconnectionstringbuilder-hardcoded-secret-csharp-test.yml diff --git a/rules/csharp/security/oracleconnectionstringbuilder-hardcoded-secret-csharp.yml b/rules/csharp/security/oracleconnectionstringbuilder-hardcoded-secret-csharp.yml new file mode 100644 index 00000000..0788968e --- /dev/null +++ b/rules/csharp/security/oracleconnectionstringbuilder-hardcoded-secret-csharp.yml 
@@ -0,0 +1,17 @@ +id: oracleconnectionstringbuilder-hardcoded-secret-csharp +language: csharp +severity: info +message: >- + "A secret is hard-coded in the application. Secrets stored in source + code, such as credentials, identifiers, and other types of sensitive data, + can be leaked and used by internal or external malicious actors. Use + environment variables to securely provide credentials and other secrets or + retrieve them from a secure vault or Hardware Security Module (HSM)." +note: >- + [CWE-798] Use of Hard-coded Credentials + [REFERENCES] + - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html +rule: + any: + - pattern: $B.Password = "$$$" + - pattern: $B["Password"] = "$$$" diff --git a/tests/__snapshots__/oracleconnectionstringbuilder-hardcoded-secret-csharp-snapshot.yml b/tests/__snapshots__/oracleconnectionstringbuilder-hardcoded-secret-csharp-snapshot.yml new file mode 100644 index 00000000..f79eaadd --- /dev/null +++ b/tests/__snapshots__/oracleconnectionstringbuilder-hardcoded-secret-csharp-snapshot.yml @@ -0,0 +1,30 @@ +id: oracleconnectionstringbuilder-hardcoded-secret-csharp +snapshots: + ? | + builder.Password = "reee!"; + : labels: + - source: builder.Password = "reee!" + style: primary + start: 0 + end: 26 + ? | + builder["Password"] = "reee!"; + : labels: + - source: builder["Password"] = "reee!" + style: primary + start: 0 + end: 29 + ? | + cb.Password = "reee!"; + : labels: + - source: cb.Password = "reee!" + style: primary + start: 0 + end: 21 + ? | + cb["Password"] = "reee!"; + : labels: + - source: cb["Password"] = "reee!" + style: primary + start: 0 + end: 24 diff --git a/tests/csharp/oracleconnectionstringbuilder-hardcoded-secret-csharp-test.yml b/tests/csharp/oracleconnectionstringbuilder-hardcoded-secret-csharp-test.yml new file mode 100644 index 00000000..4ffdc4c8 --- /dev/null +++ b/tests/csharp/oracleconnectionstringbuilder-hardcoded-secret-csharp-test.yml 
@@ -0,0 +1,19 @@ +id: oracleconnectionstringbuilder-hardcoded-secret-csharp +valid: + - | + builder.Password = args[1]; + - | + builder["Password"] = args[1]; + - | + cb["Password"] = args[1]; + - | + cb.Password = args[1]; +invalid: + - | + builder.Password = "reee!"; + - | + builder["Password"] = "reee!"; + - | + cb["Password"] = "reee!"; + - | + cb.Password = "reee!"; From 081bad05d42b4af1ddfb91b1d3da9ed074ad206a Mon Sep 17 00:00:00 2001 From: ESS-ENN Date: Mon, 9 Sep 2024 18:40:08 +0530 Subject: [PATCH 18/37] ecb-cipher-java --- rules/java/security/ecb-cipher-java.yml | 17 +++++++++++++++++ .../__snapshots__/ecb-cipher-java-snapshot.yml | 9 +++++++++ tests/java/ecb-cipher-java-test.yml | 7 +++++++ 3 files changed, 33 insertions(+) create mode 100644 rules/java/security/ecb-cipher-java.yml create mode 100644 tests/__snapshots__/ecb-cipher-java-snapshot.yml create mode 100644 tests/java/ecb-cipher-java-test.yml diff --git a/rules/java/security/ecb-cipher-java.yml b/rules/java/security/ecb-cipher-java.yml new file mode 100644 index 00000000..1ab3a112 --- /dev/null +++ b/rules/java/security/ecb-cipher-java.yml @@ -0,0 +1,17 @@ +id: ecb-cipher-java +severity: warning +language: java +message: >- + Cipher in ECB mode is detected. ECB mode produces the same output for + the same input each time which allows an attacker to intercept and replay + the data. Further, ECB mode does not provide any integrity checking. See + https://find-sec-bugs.github.io/bugs.htm#CIPHER_INTEGRITY. +note: >- + [CWE-327] Use of a Broken or Risky Cryptographic Algorithm. + [REFERENCES] + - https://owasp.org/Top10/A02_2021-Cryptographic_Failures +rule: + pattern: Cipher $VAR = $CIPHER.getInstance($MODE); +constraints: + MODE: + regex: .*ECB.* diff --git a/tests/__snapshots__/ecb-cipher-java-snapshot.yml b/tests/__snapshots__/ecb-cipher-java-snapshot.yml new file mode 100644 index 00000000..a9c76fd2 --- /dev/null +++ b/tests/__snapshots__/ecb-cipher-java-snapshot.yml 
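Review bot: The `MODE` constraint `regex: .*ECB.*` also fires on `Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding")`, which is the standard JCE transformation name for RSA-OAEP (and what the `rsa-padding-set-*` rules in this series steer people toward), so every correct RSA use becomes a false positive; anchoring to block ciphers with `regex: '^"(AES|DES|DESede|Blowfish)/ECB/'` avoids that without needing lookahead, which the Rust regex engine lacks. The opposite gap is the bare transformation: on the SunJCE provider `Cipher.getInstance("AES")` resolves to `AES/ECB/PKCS5Padding`, yet contains no `ECB` and is not reported, so a second pattern for `"AES"`, `"DES"`, `"DESede"` literals without a mode is worth adding. The pattern `Cipher $VAR = $CIPHER.getInstance($MODE);` only matches a typed declaration, so `cipher = Cipher.getInstance(...)` assignments and inline `Cipher.getInstance(...).init(...)` chains are missed; matching `$CIPHER.getInstance($MODE)` on its own, as the Scala rule above does, is simpler and broader. The message's "allows an attacker to intercept and replay the data" misstates ECB's weakness; suggested wording: `ECB encrypts identical plaintext blocks to identical ciphertext, leaking structure, and provides no integrity; use an AEAD mode such as AES/GCM/NoPadding.`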
@@ -0,0 +1,9 @@ +id: ecb-cipher-java +snapshots: + ? | + Cipher c = Cipher.getInstance("AES/ECB/NoPadding"); + : labels: + - source: Cipher c = Cipher.getInstance("AES/ECB/NoPadding"); + style: primary + start: 0 + end: 51 diff --git a/tests/java/ecb-cipher-java-test.yml b/tests/java/ecb-cipher-java-test.yml new file mode 100644 index 00000000..b9089221 --- /dev/null +++ b/tests/java/ecb-cipher-java-test.yml @@ -0,0 +1,7 @@ +id: ecb-cipher-java +valid: + - | + Cipher c = Cipher.getInstance("AES/GCM/NoPadding"); +invalid: + - | + Cipher c = Cipher.getInstance("AES/ECB/NoPadding"); From bec0b7ef38b6d6e08088ad6cd1f0319ad1fdba9a Mon Sep 17 00:00:00 2001 From: ESS-ENN Date: Tue, 10 Sep 2024 18:42:23 +0530 Subject: [PATCH 19/37] Changed severity for 3 rules as suggested by Bot --- rules/c/security/libxml2-audit-parser-c.yml | 2 +- rules/cpp/security/libxml2-audit-parser-cpp.yml | 2 +- rules/csharp/security/httponly-false-csharp.yml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/rules/c/security/libxml2-audit-parser-c.yml b/rules/c/security/libxml2-audit-parser-c.yml index f6bca182..81d9c7f2 100644 --- a/rules/c/security/libxml2-audit-parser-c.yml +++ b/rules/c/security/libxml2-audit-parser-c.yml @@ -1,6 +1,6 @@ id: libxml2-audit-parser-c language: c -severity: info +severity: warning message: >- The libxml2 library is used to parse XML. When auditing such code, make sure that either the document being parsed is trusted or that the parsing diff --git a/rules/cpp/security/libxml2-audit-parser-cpp.yml b/rules/cpp/security/libxml2-audit-parser-cpp.yml index 3ef305fc..84ee43f9 100644 --- a/rules/cpp/security/libxml2-audit-parser-cpp.yml +++ b/rules/cpp/security/libxml2-audit-parser-cpp.yml @@ -1,6 +1,6 @@ id: libxml2-audit-parser-cpp language: Cpp -severity: info +severity: warning message: >- The libxml2 library is used to parse XML. When auditing such code, make sure that either the document being parsed is trusted or that the parsing 
diff --git a/rules/csharp/security/httponly-false-csharp.yml b/rules/csharp/security/httponly-false-csharp.yml index 3b0cb416..f874ec84 100644 --- a/rules/csharp/security/httponly-false-csharp.yml +++ b/rules/csharp/security/httponly-false-csharp.yml @@ -1,6 +1,6 @@ id: httponly-false-csharp language: csharp -severity: info +severity: warning message: >- "Detected a cookie where the `HttpOnly` flag is either missing or disabled. The `HttpOnly` cookie flag instructs the browser to forbid From 472fa36a7632c5aa69745baf3c244680170940ae Mon Sep 17 00:00:00 2001 From: ESS-ENN Date: Tue, 10 Sep 2024 18:45:59 +0530 Subject: [PATCH 20/37] use-of-weak-rsa-key-java --- .../security/use-of-weak-rsa-key-java.yml | 16 +++++++++ .../use-of-weak-rsa-key-java-snapshot.yml | 34 +++++++++++++++++++ tests/java/use-of-weak-rsa-key-java-test.yml | 18 ++++++++++ 3 files changed, 68 insertions(+) create mode 100644 rules/java/security/use-of-weak-rsa-key-java.yml create mode 100644 tests/__snapshots__/use-of-weak-rsa-key-java-snapshot.yml create mode 100644 tests/java/use-of-weak-rsa-key-java-test.yml diff --git a/rules/java/security/use-of-weak-rsa-key-java.yml b/rules/java/security/use-of-weak-rsa-key-java.yml new file mode 100644 index 00000000..8f7c96aa --- /dev/null +++ b/rules/java/security/use-of-weak-rsa-key-java.yml @@ -0,0 +1,16 @@ +id: use-of-weak-rsa-key-java +language: java +severity: warning +message: >- + RSA keys should be at least 2048 bits based on NIST recommendation. +note: >- + [CWE-326] Inadequate Encryption Strength. + [REFERENCES] + - https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#algorithms +rule: + pattern: | + $KEY.initialize($AST) +follows: KeyPairGenerator $KEY = $G.getInstance("RSA"); +constraints: + AST: + regex: '^(-?(0|[1-9][0-9]?|[1-9][0-9]{2}|1[0-9]{3}|20[0-3][0-9]|204[0-7])(\.[0-9]+)?|0|-[1-9][0-9]*|-[1-9][0-9]{2,}|-1[0-9]{3}|-20[0-3][0-9]|-204[0-7])$' 
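Review bot: `follows:` sits at the top level of the rule file rather than under `rule:`, where I believe ast-grep honours relational rules, so as written the active match appears to be just `$KEY.initialize($AST)` plus the numeric regex, and `initialize(256)` on an EC `KeyPairGenerator` would be reported as a weak RSA key; the tests cannot tell, because every invalid case also carries the `getInstance("RSA")` line. I would move it under `rule:` as `all: [{pattern: '$KEY.initialize($AST)'}, {follows: {pattern: 'KeyPairGenerator $KEY = $G.getInstance("RSA");', stopBy: end}}]`, with `stopBy: end` because the default only inspects the immediately preceding sibling, so any statement in between (a `SecureRandom` setup, a log line) silently defeats the check. The `AST` regex is hard to verify by eye; since `initialize` rejects negative and fractional sizes at runtime anyway, `'^(\d{1,3}|1\d{3}|20[0-3]\d|204[0-7])$'` expresses "any integer below 2048" more plainly. The `getInstance("RSA", $PROVIDER)` overload and `new RSAKeyGenParameterSpec(1024, $E)` are not covered.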
diff --git a/tests/__snapshots__/use-of-weak-rsa-key-java-snapshot.yml b/tests/__snapshots__/use-of-weak-rsa-key-java-snapshot.yml new file mode 100644 index 00000000..bb83308a --- /dev/null +++ b/tests/__snapshots__/use-of-weak-rsa-key-java-snapshot.yml @@ -0,0 +1,34 @@ +id: use-of-weak-rsa-key-java +snapshots: + ? | + KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA"); + keyGen.initialize(-512); + : labels: + - source: keyGen.initialize(-512) + style: primary + start: 63 + end: 86 + ? | + KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA"); + keyGen.initialize(512); + : labels: + - source: keyGen.initialize(512) + style: primary + start: 63 + end: 85 + ? | + KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA"); + keyGen.initialize(512.0); + : labels: + - source: keyGen.initialize(512.0) + style: primary + start: 63 + end: 87 + ? | + KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA"); + keyGen.initialize(512.09); + : labels: + - source: keyGen.initialize(512.09) + style: primary + start: 63 + end: 88 diff --git a/tests/java/use-of-weak-rsa-key-java-test.yml b/tests/java/use-of-weak-rsa-key-java-test.yml new file mode 100644 index 00000000..c1aee8fa --- /dev/null +++ b/tests/java/use-of-weak-rsa-key-java-test.yml @@ -0,0 +1,18 @@ +id: use-of-weak-rsa-key-java +valid: + - | + KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA"); + keyGen.initialize(2048); +invalid: + - | + KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA"); + keyGen.initialize(512); + - | + KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA"); + keyGen.initialize(-512); + - | + KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA"); + keyGen.initialize(512.09); + - | + KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA"); + keyGen.initialize(512.0); From 5fea8a2609ae5f71a347b5bda830475bcfb81a44 Mon Sep 17 00:00:00 2001 
From: ESS-ENN Date: Tue, 10 Sep 2024 18:48:11 +0530 Subject: [PATCH 21/37] unencrypted-socket-java --- .../java/security/unencrypted-socket-java.yml | 16 +++++ .../unencrypted-socket-java-snapshot.yml | 58 +++++++++++++++++++ tests/java/unencrypted-socket-java-test.yml | 23 ++++++++ 3 files changed, 97 insertions(+) create mode 100644 rules/java/security/unencrypted-socket-java.yml create mode 100644 tests/__snapshots__/unencrypted-socket-java-snapshot.yml create mode 100644 tests/java/unencrypted-socket-java-test.yml diff --git a/rules/java/security/unencrypted-socket-java.yml b/rules/java/security/unencrypted-socket-java.yml new file mode 100644 index 00000000..2b8540a5 --- /dev/null +++ b/rules/java/security/unencrypted-socket-java.yml @@ -0,0 +1,16 @@ +id: unencrypted-socket-java +language: java +severity: info +message: >- + "Detected use of a Java socket that is not encrypted. As a result, the + traffic could be read by an attacker intercepting the network traffic. Use + an SSLSocket created by 'SSLSocketFactory' or 'SSLServerSocketFactory' + instead." +note: >- + [CWE-319] Cleartext Transmission of Sensitive Information + [REFERENCES] + - https://owasp.org/Top10/A02_2021-Cryptographic_Failures +rule: + any: + - pattern: new ServerSocket($$$) + - pattern: new Socket($$$) diff --git a/tests/__snapshots__/unencrypted-socket-java-snapshot.yml b/tests/__snapshots__/unencrypted-socket-java-snapshot.yml new file mode 100644 index 00000000..e0becd2b --- /dev/null +++ b/tests/__snapshots__/unencrypted-socket-java-snapshot.yml 
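Review bot: `new Socket($$$)` also matches the plain socket that is then upgraded with `SSLSocketFactory.createSocket(socket, host, port, autoClose)` for STARTTLS-style layering, and `new ServerSocket($$$)` matches loopback-only listeners, so reviewers triaging this `info` finding should expect a fair share of intended uses; an `all:` with `not: { inside: { pattern: '$F.createSocket($$$)', stopBy: end } }` would drop the wrapped case. The `message` is wrapped in literal double quotes that will print as part of the finding, as in several sibling rules. The message could also state that NIO (`SocketChannel.open(...)`) is not covered, so a clean scan is not proof of encrypted transport.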
@@ -0,0 +1,58 @@ +id: unencrypted-socket-java +snapshots: + ? | + ServerSocket ssoc = new ServerSocket(1234); + : labels: + - source: new ServerSocket(1234) + style: primary + start: 20 + end: 42 + ? | + ServerSocket ssoc1 = new ServerSocket(); + : labels: + - source: new ServerSocket() + style: primary + start: 21 + end: 39 + ? | + ServerSocket ssoc2 = new ServerSocket(1234, 10); + : labels: + - source: new ServerSocket(1234, 10) + style: primary + start: 21 + end: 47 + ? | + ServerSocket ssoc3 = new ServerSocket(1234, 10, InetAddress.getByAddress(address)); + : labels: + - source: new ServerSocket(1234, 10, InetAddress.getByAddress(address)) + style: primary + start: 21 + end: 82 + ? | + Socket soc = new Socket("www.google.com", 80); + : labels: + - source: new Socket("www.google.com", 80) + style: primary + start: 13 + end: 45 + ? | + Socket soc1 = new Socket("www.google.com", 80, true); + : labels: + - source: new Socket("www.google.com", 80, true) + style: primary + start: 14 + end: 52 + ? | + Socket soc2 = new Socket("www.google.com", 80, InetAddress.getByAddress(address), 13337); + : labels: + - source: new Socket("www.google.com", 80, InetAddress.getByAddress(address), 13337) + style: primary + start: 14 + end: 88 + ? | + Socket soc3 = new Socket(InetAddress.getByAddress(remoteAddress), 80); + : labels: + - source: new Socket(InetAddress.getByAddress(remoteAddress), 80) + style: primary + start: 14 + end: 69 diff --git a/tests/java/unencrypted-socket-java-test.yml b/tests/java/unencrypted-socket-java-test.yml new file mode 100644 index 00000000..d023debf --- /dev/null +++ b/tests/java/unencrypted-socket-java-test.yml 
@@ -0,0 +1,23 @@ +id: unencrypted-socket-java +valid: + - | + Socket soc = SSLSocketFactory.getDefault().createSocket("www.google.com", 443); + - | + ServerSocket ssoc = SSLServerSocketFactory.getDefault().createServerSocket(1234); +invalid: + - | + Socket soc = new Socket("www.google.com", 80); + - | + Socket soc1 = new Socket("www.google.com", 80, true); + - | + Socket soc2 = new Socket("www.google.com", 80, InetAddress.getByAddress(address), 13337); + - | + Socket soc3 = new Socket(InetAddress.getByAddress(remoteAddress), 80); + - | + ServerSocket ssoc = new ServerSocket(1234); + - | + ServerSocket ssoc1 = new ServerSocket(); + - | + ServerSocket ssoc2 = new ServerSocket(1234, 10); + - | + ServerSocket ssoc3 = new ServerSocket(1234, 10, InetAddress.getByAddress(address)); From a85cbfbf7c8f52a75b1d075c07c816e1b22280b1 Mon Sep 17 00:00:00 2001 From: ESS-ENN Date: Tue, 10 Sep 2024 18:49:34 +0530 Subject: [PATCH 22/37] use-of-weak-rsa-key-kotlin --- .../security/use-of-weak-rsa-key-kotlin.yml | 18 ++++++++++++++++++ .../use-of-weak-rsa-key-kotlin-snapshot.yml | 10 ++++++++++ .../kotlin/use-of-weak-rsa-key-kotlin-test.yml | 9 +++++++++ 3 files changed, 37 insertions(+) create mode 100644 rules/kotlin/security/use-of-weak-rsa-key-kotlin.yml create mode 100644 tests/__snapshots__/use-of-weak-rsa-key-kotlin-snapshot.yml create mode 100644 tests/kotlin/use-of-weak-rsa-key-kotlin-test.yml diff --git a/rules/kotlin/security/use-of-weak-rsa-key-kotlin.yml b/rules/kotlin/security/use-of-weak-rsa-key-kotlin.yml new file mode 100644 index 00000000..1620ce16 --- /dev/null +++ b/rules/kotlin/security/use-of-weak-rsa-key-kotlin.yml 
@@ -0,0 +1,18 @@ +id: use-of-weak-rsa-key-kotlin +language: kotlin +severity: warning +message: >- + RSA keys should be at least 2048 bits based on NIST recommendation +note: >- + [CWE-326]: Inadequate Encryption Strength + [OWASP A03:2017]: Sensitive Data Exposure + [OWASP A02:2021]: Cryptographic Failures + [REFERENCES] + - https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#algorithms +rule: + pattern: | + $KEY.initialize($BITS) +follows: KEY = $G.getInstance("RSA"); +constraints: + BITS: + regex: '^(-?(0|[1-9][0-9]?|[1-9][0-9]{2}|1[0-9]{3}|20[0-3][0-9]|204[0-7])(\.[0-9]+)?|0|-[1-9][0-9]*|-[1-9][0-9]{2,}|-1[0-9]{3}|-20[0-3][0-9]|-204[0-7])$' diff --git a/tests/__snapshots__/use-of-weak-rsa-key-kotlin-snapshot.yml b/tests/__snapshots__/use-of-weak-rsa-key-kotlin-snapshot.yml new file mode 100644 index 00000000..5c7fe552 --- /dev/null +++ b/tests/__snapshots__/use-of-weak-rsa-key-kotlin-snapshot.yml @@ -0,0 +1,10 @@ +id: use-of-weak-rsa-key-kotlin +snapshots: + ? | + KeyPairGenerator.getInstance("RSA") + keyGen.initialize(-5.12); + : labels: + - source: keyGen.initialize(-5.12) + style: primary + start: 36 + end: 60 diff --git a/tests/kotlin/use-of-weak-rsa-key-kotlin-test.yml b/tests/kotlin/use-of-weak-rsa-key-kotlin-test.yml new file mode 100644 index 00000000..199c4b1e --- /dev/null +++ b/tests/kotlin/use-of-weak-rsa-key-kotlin-test.yml @@ -0,0 +1,9 @@ +id: use-of-weak-rsa-key-kotlin +valid: + - | + KeyPairGenerator.getInstance("RSA") + keyGen.initialize(2048); +invalid: + - | + KeyPairGenerator.getInstance("RSA") + keyGen.initialize(-5.12); From 22b3dcaa73f13ec29d1fce69a76b29e8cbafe5d2 Mon Sep 17 00:00:00 2001 
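Review bot: `follows: KEY = $G.getInstance("RSA");` uses a bare identifier `KEY` (no `$`) and a Java-style trailing `;`, so it could only ever match a literal variable named `KEY`; and the snapshot's invalid case has no assignment on its first line yet still matches, which suggests the top-level `follows:` is not being applied and the rule fires on any `$KEY.initialize($BITS)` with a small number (an EC generator initialised with 256 would be reported). The Kotlin form I would put under `rule:` is `all: [{pattern: '$KEY.initialize($BITS)'}, {follows: {pattern: 'val $KEY = $G.getInstance("RSA")', stopBy: end}}]`. The test value `-5.12` would not compile in Kotlin (`initialize` takes an `Int`), so `1024` or `512` would make a more honest weak-key case.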
From: ESS-ENN Date: Thu, 12 Sep 2024 16:50:11 +0530 Subject: [PATCH 23/37] removing oracleconnectionstringbuilder-hardcoded-secret-csharp --- ...nstringbuilder-hardcoded-secret-csharp.yml | 17 ----------- ...ilder-hardcoded-secret-csharp-snapshot.yml | 30 ------------------- ...ngbuilder-hardcoded-secret-csharp-test.yml | 19 ------------ 3 files changed, 66 deletions(-) delete mode 100644 rules/csharp/security/oracleconnectionstringbuilder-hardcoded-secret-csharp.yml delete mode 100644 tests/__snapshots__/oracleconnectionstringbuilder-hardcoded-secret-csharp-snapshot.yml delete mode 100644 tests/csharp/oracleconnectionstringbuilder-hardcoded-secret-csharp-test.yml diff --git a/rules/csharp/security/oracleconnectionstringbuilder-hardcoded-secret-csharp.yml b/rules/csharp/security/oracleconnectionstringbuilder-hardcoded-secret-csharp.yml deleted file mode 100644 index 0788968e..00000000 --- a/rules/csharp/security/oracleconnectionstringbuilder-hardcoded-secret-csharp.yml +++ /dev/null @@ -1,17 +0,0 @@ -id: oracleconnectionstringbuilder-hardcoded-secret-csharp -language: csharp -severity: info -message: >- - "A secret is hard-coded in the application. Secrets stored in source - code, such as credentials, identifiers, and other types of sensitive data, - can be leaked and used by internal or external malicious actors. Use - environment variables to securely provide credentials and other secrets or - retrieve them from a secure vault or Hardware Security Module (HSM)." -note: >- - [CWE-798] Use of Hard-coded Credentials - [REFERENCES] - - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html -rule: - any: - - pattern: $B.Password = "$$$" - - pattern: $B["Password"] = "$$$" diff --git a/tests/__snapshots__/oracleconnectionstringbuilder-hardcoded-secret-csharp-snapshot.yml b/tests/__snapshots__/oracleconnectionstringbuilder-hardcoded-secret-csharp-snapshot.yml deleted file mode 100644 index f79eaadd..00000000 
--- a/tests/__snapshots__/oracleconnectionstringbuilder-hardcoded-secret-csharp-snapshot.yml +++ /dev/null @@ -1,30 +0,0 @@ -id: oracleconnectionstringbuilder-hardcoded-secret-csharp -snapshots: - ? | - builder.Password = "reee!"; - : labels: - - source: builder.Password = "reee!" - style: primary - start: 0 - end: 26 - ? | - builder["Password"] = "reee!"; - : labels: - - source: builder["Password"] = "reee!" - style: primary - start: 0 - end: 29 - ? | - cb.Password = "reee!"; - : labels: - - source: cb.Password = "reee!" - style: primary - start: 0 - end: 21 - ? | - cb["Password"] = "reee!"; - : labels: - - source: cb["Password"] = "reee!" - style: primary - start: 0 - end: 24 diff --git a/tests/csharp/oracleconnectionstringbuilder-hardcoded-secret-csharp-test.yml b/tests/csharp/oracleconnectionstringbuilder-hardcoded-secret-csharp-test.yml deleted file mode 100644 index 4ffdc4c8..00000000 --- a/tests/csharp/oracleconnectionstringbuilder-hardcoded-secret-csharp-test.yml +++ /dev/null @@ -1,19 +0,0 @@ -id: oracleconnectionstringbuilder-hardcoded-secret-csharp -valid: - - | - builder.Password = args[1]; - - | - builder["Password"] = args[1]; - - | - cb["Password"] = args[1]; - - | - cb.Password = args[1]; -invalid: - - | - builder.Password = "reee!"; - - | - builder["Password"] = "reee!"; - - | - cb["Password"] = "reee!"; - - | - cb.Password = "reee!"; From 090e6af6673da04360f6a82dbae39d46d7be7242 Mon Sep 17 00:00:00 2001 
From: ESS-ENN Date: Thu, 12 Sep 2024 16:58:17 +0530 Subject: [PATCH 24/37] use-of-md5-digest-utils-java --- .../java/security/use-of-md5-digest-utils-java.yml | 13 +++++++++++++ .../use-of-md5-digest-utils-java-snapshot.yml | 9 +++++++++ tests/java/use-of-md5-digest-utils-java-test.yml | 9 +++++++++ 3 files changed, 31 insertions(+) create mode 100644 rules/java/security/use-of-md5-digest-utils-java.yml create mode 100644 tests/__snapshots__/use-of-md5-digest-utils-java-snapshot.yml create mode 100644 tests/java/use-of-md5-digest-utils-java-test.yml diff --git a/rules/java/security/use-of-md5-digest-utils-java.yml b/rules/java/security/use-of-md5-digest-utils-java.yml new file mode 100644 index 00000000..77778a46 --- /dev/null +++ b/rules/java/security/use-of-md5-digest-utils-java.yml @@ -0,0 +1,13 @@ +id: use-of-md5-digest-utils-java +language: java +severity: warning +message: >- + 'Detected MD5 hash algorithm which is considered insecure. MD5 is not + collision resistant and is therefore not suitable as a cryptographic + signature. Use HMAC instead.' +note: >- + [CWE-328] Use of Weak Hash + [REFERENCES] + - https://owasp.org/Top10/A02_2021-Cryptographic_Failures +rule: + pattern: DigestUtils.getMd5Digest($$$).digest($$$) diff --git a/tests/__snapshots__/use-of-md5-digest-utils-java-snapshot.yml b/tests/__snapshots__/use-of-md5-digest-utils-java-snapshot.yml new file mode 100644 index 00000000..fe41e08d --- /dev/null +++ b/tests/__snapshots__/use-of-md5-digest-utils-java-snapshot.yml @@ -0,0 +1,9 @@ +id: use-of-md5-digest-utils-java +snapshots: + ? | + byte[] hashValue = DigestUtils.getMd5Digest().digest(password.getBytes()); + : labels: + - source: DigestUtils.getMd5Digest().digest(password.getBytes()) + style: primary + start: 19 + end: 73 diff --git a/tests/java/use-of-md5-digest-utils-java-test.yml b/tests/java/use-of-md5-digest-utils-java-test.yml new file mode 100644 index 00000000..f6bc228d --- /dev/null 
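Review bot: The remediation "Use HMAC instead" in `message` does not fit the finding: an HMAC is a keyed MAC, not a drop-in for a hash, and the snapshot case (`DigestUtils.getMd5Digest().digest(password.getBytes())`) is password hashing, where the right advice is a slow salted KDF; suggested wording: `Use SHA-256 or stronger for integrity, a password-hashing function (PBKDF2, bcrypt, scrypt, Argon2) for credentials, and HMAC only where a keyed authentication tag is needed.` The pattern only catches the `getMd5Digest($$$).digest($$$)` chain, so `DigestUtils.md5(...)`, `DigestUtils.md5Hex(...)` and a digest stored in a local before `.digest()` are missed; an `any:` over `DigestUtils.md5($$$)`, `DigestUtils.md5Hex($$$)` and `DigestUtils.getMd5Digest($$$)` would close that.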
+++ b/tests/java/use-of-md5-digest-utils-java-test.yml
@@ -0,0 +1,9 @@
+id: use-of-md5-digest-utils-java
+valid:
+ - |
+ MessageDigest md5Digest = MessageDigest.getInstance("MD5");
+ - |
+ byte[] hashValue = DigestUtils.getSha512Digest().digest(password.getBytes());
+invalid:
+ - |
+ byte[] hashValue = DigestUtils.getMd5Digest().digest(password.getBytes());
From fc5f3a13239a901542491540ba30c1223bb676e7 Mon Sep 17 00:00:00 2001
From: ESS-ENN
Date: Thu, 12 Sep 2024 16:59:23 +0530
Subject: [PATCH 25/37] weak-ssl-context-java
--- rules/java/security/weak-ssl-context-java.yml | 22 +++++++++++ .../weak-ssl-context-java-snapshot.yml | 37 +++++++++++++++++++ tests/java/weak-ssl-context-java-test.yml | 19 ++++++++++ 3 files changed, 78 insertions(+) create mode 100644 rules/java/security/weak-ssl-context-java.yml create mode 100644 tests/__snapshots__/weak-ssl-context-java-snapshot.yml create mode 100644 tests/java/weak-ssl-context-java-test.yml
diff --git a/rules/java/security/weak-ssl-context-java.yml b/rules/java/security/weak-ssl-context-java.yml
new file mode 100644
index 00000000..411ca262
--- /dev/null
+++ b/rules/java/security/weak-ssl-context-java.yml
@@ -0,0 +1,22 @@
+id: weak-ssl-context-java
+language: java
+severity: warning
+message: >-
+ 'An insecure SSL context was detected. TLS versions 1.0, 1.1, and all
+ SSL versions are considered weak encryption and are deprecated. Use
+ SSLContext.getInstance("TLSv1.2") for the best security.'
+note: >-
+ [CWE-326] Inadequate Encryption Strength
+ [REFERENCES]
+ - https://tools.ietf.org/html/rfc7568
+ - https://tools.ietf.org/id/draft-ietf-tls-oldversions-deprecate-02.html
+rule:
+ all:
+ - pattern: SSLContext.getInstance($CONTEXT)
+ - not:
+ pattern: SSLContext.getInstance("TLSv1.3")
+ - not:
+ pattern: SSLContext.getInstance("TLSv1.2")
+constraints:
+ CONTEXT:
+ regex: (TLS|SSL)
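Review bot: `SSLContext.getInstance($CONTEXT)` has only a one-argument form, so the provider overloads `SSLContext.getInstance("SSLv3", "SunJSSE")` / `SSLContext.getInstance("TLSv1", provider)` are never examined; adding `- pattern: SSLContext.getInstance($CONTEXT, $$$)` under an `any:` (with matching two-argument `not:` exclusions) closes that gap. The `regex: (TLS|SSL)` constraint is unanchored and case-sensitive, so an identifier such as `TLS_PROTOCOL` passed as the argument is reported while a literal `"tls"` (accepted by the JCA's case-insensitive name lookup) is not; anchoring to the literal, e.g. `regex: '(?i)^"(SSL|TLS)(v1(\.[01])?|v[23])?"$'`, confines the rule to string arguments and makes the two `not:` clauses unnecessary. The message tells users to use `"TLSv1.2"` "for the best security" although the rule already accepts `"TLSv1.3"`; recommend 1.3 with 1.2 as the floor. Plain `"TLS"` negotiates the highest enabled version on current JDKs, so a `note` sentence explaining that it is flagged for being unpinned rather than weak would spare readers a false alarm.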
diff --git a/tests/__snapshots__/weak-ssl-context-java-snapshot.yml b/tests/__snapshots__/weak-ssl-context-java-snapshot.yml new file mode 100644 index 00000000..ca21f566 --- /dev/null +++ b/tests/__snapshots__/weak-ssl-context-java-snapshot.yml @@ -0,0 +1,37 @@ +id: weak-ssl-context-java +snapshots: + ? | + SSLContext ctx = SSLContext.getInstance("SSL"); + : labels: + - source: SSLContext.getInstance("SSL") + style: primary + start: 17 + end: 46 + ? | + SSLContext ctx = SSLContext.getInstance("SSLv3"); + : labels: + - source: SSLContext.getInstance("SSLv3") + style: primary + start: 17 + end: 48 + ? | + SSLContext ctx = SSLContext.getInstance("TLS"); + : labels: + - source: SSLContext.getInstance("TLS") + style: primary + start: 17 + end: 46 + ? | + SSLContext ctx = SSLContext.getInstance("TLSv1"); + : labels: + - source: SSLContext.getInstance("TLSv1") + style: primary + start: 17 + end: 48 + ? | + SSLContext ctx = SSLContext.getInstance("TLSv1.1"); + : labels: + - source: SSLContext.getInstance("TLSv1.1") + style: primary + start: 17 + end: 50 diff --git a/tests/java/weak-ssl-context-java-test.yml b/tests/java/weak-ssl-context-java-test.yml new file mode 100644 index 00000000..66505656 --- /dev/null +++ b/tests/java/weak-ssl-context-java-test.yml @@ -0,0 +1,19 @@ +id: weak-ssl-context-java +valid: + - | + SSLContext ctx = SSLContext.getInstance("TLSv1.2"); + - | + SSLContext ctx = SSLContext.getInstance("TLSv1.3"); + - | + SSLContext ctx = SSLContext.getInstance(getSslContext()); +invalid: + - | + SSLContext ctx = SSLContext.getInstance("SSL"); + - | + SSLContext ctx = SSLContext.getInstance("TLS"); + - | + SSLContext ctx = SSLContext.getInstance("TLSv1"); + - | + SSLContext ctx = SSLContext.getInstance("SSLv3"); + - | + SSLContext ctx = SSLContext.getInstance("TLSv1.1"); From bf350e6fc224725fec51a8910b4670cc2e36a97a Mon Sep 17 00:00:00 2001 
From: ESS-ENN
Date: Thu, 12 Sep 2024 17:00:24 +0530
Subject: [PATCH 26/37] use-of-rc4-java
--- rules/java/security/use-of-rc4-java.yml | 16 ++++++++++++++++ tests/__snapshots__/use-of-rc4-java-snapshot.yml | 16 ++++++++++++++++ tests/java/use-of-rc4-java-test.yml | 9 +++++++++ 3 files changed, 41 insertions(+) create mode 100644 rules/java/security/use-of-rc4-java.yml create mode 100644 tests/__snapshots__/use-of-rc4-java-snapshot.yml create mode 100644 tests/java/use-of-rc4-java-test.yml
diff --git a/rules/java/security/use-of-rc4-java.yml b/rules/java/security/use-of-rc4-java.yml
new file mode 100644
index 00000000..2356d208
--- /dev/null
+++ b/rules/java/security/use-of-rc4-java.yml
@@ -0,0 +1,16 @@
+id: use-of-rc4-java
+language: java
+severity: warning
+message: >-
+ 'Use of RC4 was detected. RC4 is vulnerable to several attacks,
+ including stream cipher attacks and bit flipping attacks. Instead, use a
+ strong, secure cipher: Cipher.getInstance("AES/CBC/PKCS7PADDING"). See
+ https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions
+ for more information.'
+note: >-
+ [CWE-327] Use of a Broken or Risky Cryptographic Algorithm
+ [REFERENCES]
+ - https://owasp.org/Top10/A02_2021-Cryptographic_Failures
+ - https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html
+rule:
+ pattern: $CIPHER.getInstance("RC4")
diff --git a/tests/__snapshots__/use-of-rc4-java-snapshot.yml b/tests/__snapshots__/use-of-rc4-java-snapshot.yml
new file mode 100644
index 00000000..cbf4423c
--- /dev/null
+++ b/tests/__snapshots__/use-of-rc4-java-snapshot.yml
@@ -0,0 +1,16 @@
+id: use-of-rc4-java
+snapshots:
+ ? |
+ Cipher.getInstance("RC4");
+ : labels:
+ - source: Cipher.getInstance("RC4")
+ style: primary
+ start: 0
+ end: 25
+ ? |
+ useCipher(Cipher.getInstance("RC4"));
+ : labels:
+ - source: Cipher.getInstance("RC4")
+ style: primary
+ start: 10
+ end: 35
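Review bot: The recommended replacement `Cipher.getInstance("AES/CBC/PKCS7PADDING")` contradicts this same series: the cbc-padding-oracle-java snapshot touched in PATCH 31 reports `AES/CBC/PKCS5Padding`, so a developer who follows this message trips another rule, and `PKCS7Padding` is not a padding name the default SunJCE provider resolves (it uses `PKCS5Padding`; BouncyCastle accepts the PKCS7 spelling). Recommend an AEAD mode instead, `Cipher.getInstance("AES/GCM/NoPadding")`, which the des-is-deprecated tests in this series already use as the safe form; the identical advice appears in use-of-aes-ecb-java and use-of-blowfish-java and should change there too. `$CIPHER.getInstance("RC4")` is an exact literal, so the JCA standard name `"ARCFOUR"` and lowercase spellings that the provider lookup accepts are not reported; `pattern: $CIPHER.getInstance($ALG)` with `regex: '(?i)^"(RC4|ARCFOUR)'` under `constraints` covers the family.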
diff --git a/tests/java/use-of-rc4-java-test.yml b/tests/java/use-of-rc4-java-test.yml new file mode 100644 index 00000000..a82db3b3 --- /dev/null +++ b/tests/java/use-of-rc4-java-test.yml @@ -0,0 +1,9 @@ +id: use-of-rc4-java +valid: + - | + Cipher.getInstance("AES/CBC/PKCS7PADDING"); +invalid: + - | + Cipher.getInstance("RC4"); + - | + useCipher(Cipher.getInstance("RC4")); From 85c6f95d33f9148570997b7ff08df81439e5b88b Mon Sep 17 00:00:00 2001 From: ESS-ENN Date: Thu, 12 Sep 2024 17:02:41 +0530 Subject: [PATCH 27/37] system-setproperty-hardcoded-secret-java --- ...stem-setproperty-hardcoded-secret-java.yml | 22 +++++++++++++++++++ ...roperty-hardcoded-secret-java-snapshot.yml | 10 +++++++++ ...setproperty-hardcoded-secret-java-test.yml | 9 ++++++++ 3 files changed, 41 insertions(+) create mode 100644 rules/java/security/system-setproperty-hardcoded-secret-java.yml create mode 100644 tests/__snapshots__/system-setproperty-hardcoded-secret-java-snapshot.yml create mode 100644 tests/java/system-setproperty-hardcoded-secret-java-test.yml diff --git a/rules/java/security/system-setproperty-hardcoded-secret-java.yml b/rules/java/security/system-setproperty-hardcoded-secret-java.yml new file mode 100644 index 00000000..537a16a3 --- /dev/null +++ b/rules/java/security/system-setproperty-hardcoded-secret-java.yml 
@@ -0,0 +1,22 @@ +id: system-setproperty-hardcoded-secret-java +language: java +severity: warning +message: >- + A secret is hard-coded in the application. Secrets stored in source + code, such as credentials, identifiers, and other types of sensitive data, + can be leaked and used by internal or external malicious actors. Use + environment variables to securely provide credentials and other secrets or + retrieve them from a secure vault or Hardware Security Module (HSM). +note: >- + [CWE-798]: Use of Hard-coded Credentials + [OWASP A07:2021]: Identification and Authentication Failures + [REFERENCES] + - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html +rule: + all: + - any: + - pattern: System.setProperty("javax.net.ssl.keyStorePassword", $PWD); + - pattern: System.setProperty("javax.net.ssl.trustStorePassword", $PWD); +constraints: + PWD: + regex: '^"' diff --git a/tests/__snapshots__/system-setproperty-hardcoded-secret-java-snapshot.yml b/tests/__snapshots__/system-setproperty-hardcoded-secret-java-snapshot.yml new file mode 100644 index 00000000..9130101a --- /dev/null +++ b/tests/__snapshots__/system-setproperty-hardcoded-secret-java-snapshot.yml @@ -0,0 +1,10 @@ +id: system-setproperty-hardcoded-secret-java +snapshots: + ? | + System.setProperty("javax.net.ssl.keyStorePassword", "password"); + System.setProperty("javax.net.ssl.trustStorePassword", "password"); + : labels: + - source: System.setProperty("javax.net.ssl.keyStorePassword", "password"); + style: primary + start: 0 + end: 65 diff --git a/tests/java/system-setproperty-hardcoded-secret-java-test.yml b/tests/java/system-setproperty-hardcoded-secret-java-test.yml new file mode 100644 index 00000000..4bf72c91 --- /dev/null +++ b/tests/java/system-setproperty-hardcoded-secret-java-test.yml 
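Review bot: `all:` wraps a single `any:` and adds nothing; `rule: any: - pattern: ...` is the flat form used by the other list rules in this series (use-of-md5-java, for one), and the same wrapper is repeated in system-setproperty-hardcoded-secret-kotlin. The `PWD` constraint `'^"'` also accepts the empty literal and concatenations such as `"pre" + suffix`; both are defensible for a hard-coded-secret rule, but a `valid`/`invalid` case for each would pin that behaviour instead of leaving it incidental.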
@@ -0,0 +1,9 @@ +id: system-setproperty-hardcoded-secret-java +valid: + - | + System.setProperty("javax.net.ssl.trustStorePassword", config); + System.setProperty("javax.net.ssl.keyStorePassword", config); +invalid: + - | + System.setProperty("javax.net.ssl.keyStorePassword", "password"); + System.setProperty("javax.net.ssl.trustStorePassword", "password"); From 07abf420cc037496879e78fbb2047683318feddb Mon Sep 17 00:00:00 2001 From: ESS-ENN Date: Thu, 12 Sep 2024 17:03:56 +0530 Subject: [PATCH 28/37] rsa-no-padding-kotlin --- rules/kotlin/security/rsa-no-padding-kotlin.yml | 14 ++++++++++++++ .../rsa-no-padding-kotlin-snapshot.yml | 10 ++++++++++ tests/kotlin/rsa-no-padding-kotlin.yml | 8 ++++++++ 3 files changed, 32 insertions(+) create mode 100644 rules/kotlin/security/rsa-no-padding-kotlin.yml create mode 100644 tests/__snapshots__/rsa-no-padding-kotlin-snapshot.yml create mode 100644 tests/kotlin/rsa-no-padding-kotlin.yml diff --git a/rules/kotlin/security/rsa-no-padding-kotlin.yml b/rules/kotlin/security/rsa-no-padding-kotlin.yml new file mode 100644 index 00000000..49e07e7b --- /dev/null +++ b/rules/kotlin/security/rsa-no-padding-kotlin.yml @@ -0,0 +1,14 @@ +id: rsa-no-padding-kotlin +severity: warning +language: kotlin +message: >- + Using RSA without OAEP mode weakens the encryption. +note: >- + [CWE-326] Inadequate Encryption Strength + [REFERENCES] + - https://rdist.root.org/2009/10/06/why-rsa-encryption-padding-is-critical/ +rule: + pattern: $YST.getInstance($MODE) +constraints: + MODE: + regex: "RSA/[Nn][Oo][Nn][Ee]/NoPadding" diff --git a/tests/__snapshots__/rsa-no-padding-kotlin-snapshot.yml b/tests/__snapshots__/rsa-no-padding-kotlin-snapshot.yml new file mode 100644 index 00000000..4507882d --- /dev/null +++ b/tests/__snapshots__/rsa-no-padding-kotlin-snapshot.yml 
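Review bot: `regex: "RSA/[Nn][Oo][Nn][Ee]/NoPadding"` only catches the `RSA/None/NoPadding` spelling, while `RSA/ECB/NoPadding` — the form the sibling rsa-padding-set-scala snapshot in PATCH 31 reports — passes this rule untouched even though it is the same unpadded RSA. Suggest `regex: '(?i)^"RSA/(NONE|ECB)/NoPadding'`, which covers both mode spellings, is case-insensitive like the JCA lookup, and anchors the match to a string literal rather than any argument whose text contains the substring. An `invalid` case for the ECB spelling would keep the two rules from drifting apart again.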
@@ -0,0 +1,10 @@ +id: rsa-no-padding-kotlin +snapshots: + ? | + Cipher.getInstance("RSA/None/NoPadding"); + Cipher.getInstance("RSA/NONE/NoPadding"); + : labels: + - source: Cipher.getInstance("RSA/None/NoPadding") + style: primary + start: 0 + end: 40 diff --git a/tests/kotlin/rsa-no-padding-kotlin.yml b/tests/kotlin/rsa-no-padding-kotlin.yml new file mode 100644 index 00000000..6dc46d21 --- /dev/null +++ b/tests/kotlin/rsa-no-padding-kotlin.yml @@ -0,0 +1,8 @@ +id: rsa-no-padding-kotlin +valid: + - | + Cipher.getInstance("RSA/ECB/OAEPWithMD5AndMGF1Padding"); +invalid: + - | + Cipher.getInstance("RSA/None/NoPadding"); + Cipher.getInstance("RSA/NONE/NoPadding"); From 126ec007299e0b22fc3e9fbf3f037902a8bd0900 Mon Sep 17 00:00:00 2001 From: ESS-ENN Date: Thu, 12 Sep 2024 17:04:43 +0530 Subject: [PATCH 29/37] des-is-deprecated-java --- rules/java/security/des-is-deprecated-java.yml | 16 ++++++++++++++++ .../des-is-deprecated-java-snapshot.yml | 9 +++++++++ tests/java/des-is-deprecated-java-test.yml | 7 +++++++ 3 files changed, 32 insertions(+) create mode 100644 rules/java/security/des-is-deprecated-java.yml create mode 100644 tests/__snapshots__/des-is-deprecated-java-snapshot.yml create mode 100644 tests/java/des-is-deprecated-java-test.yml diff --git a/rules/java/security/des-is-deprecated-java.yml b/rules/java/security/des-is-deprecated-java.yml new file mode 100644 index 00000000..8ce1895b --- /dev/null +++ b/rules/java/security/des-is-deprecated-java.yml 
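Review bot: The test file is named `tests/kotlin/rsa-no-padding-kotlin.yml` while every other test in the series carries the `-test.yml` suffix (e.g. `tests/kotlin/des-is-deprecated-kotlin-test.yml`); if the harness selects by that suffix the case is silently skipped, and either way the name breaks the convention. The `valid` example `RSA/ECB/OAEPWithMD5AndMGF1Padding` is a poor model to present as the safe form because it pins OAEP to MD5; `Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding")` is the usual recommendation and remains a non-match for this rule.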
@@ -0,0 +1,16 @@ +id: des-is-deprecated-java +severity: warning +language: java +message: >- + DES is considered deprecated. AES is the recommended cipher. Upgrade to + use AES. See https://www.nist.gov/news-events/news/2005/06/nist-withdraws-outdated-data-encryption-standard + for more information. +note: >- + [CWE-326] Inadequate Encryption Strength. + [REFERENCES] + - https://www.nist.gov/news-events/news/2005/06/nist-withdraws-outdated-data-encryption-standard +rule: + pattern: $CIPHER.getInstance($SAS) +constraints: + SAS: + regex: "DES" diff --git a/tests/__snapshots__/des-is-deprecated-java-snapshot.yml b/tests/__snapshots__/des-is-deprecated-java-snapshot.yml new file mode 100644 index 00000000..35070ef2 --- /dev/null +++ b/tests/__snapshots__/des-is-deprecated-java-snapshot.yml @@ -0,0 +1,9 @@ +id: des-is-deprecated-java +snapshots: + ? | + Cipher.getInstance("DES/ECB/PKCS5Padding"); + : labels: + - source: Cipher.getInstance("DES/ECB/PKCS5Padding") + style: primary + start: 0 + end: 42 diff --git a/tests/java/des-is-deprecated-java-test.yml b/tests/java/des-is-deprecated-java-test.yml new file mode 100644 index 00000000..bc26dbd7 --- /dev/null +++ b/tests/java/des-is-deprecated-java-test.yml @@ -0,0 +1,7 @@ +id: des-is-deprecated-java +valid: + - | + Cipher c = Cipher.getInstance("AES/GCM/NoPadding"); +invalid: + - | + Cipher.getInstance("DES/ECB/PKCS5Padding"); From b62d49af046d8d28bbe627630863054c6825eb3d Mon Sep 17 00:00:00 2001 
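Review bot: `regex: "DES"` in the `SAS` constraint is an unanchored substring match on the argument node, so an identifier such as `DESIRED_CIPHER` passed to `getInstance` is reported as DES usage, and `"DESede"` (3DES) is reported under a message that only mentions single DES; the Kotlin copy in des-is-deprecated-kotlin has the same constraint. Anchoring to the literal, `regex: '(?i)^"DES(ede)?(/|")'`, limits the finding to DES/3DES transformation strings, and the message can then state that both DES and DESede are deprecated. A `valid` case with a non-literal argument, e.g. `Cipher.getInstance(DESIRED_CIPHER)`, would pin that behaviour.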
From: ESS-ENN Date: Thu, 12 Sep 2024 17:06:05 +0530 Subject: [PATCH 30/37] des-is-deprecated-kotlin --- .../kotlin/security/des-is-deprecated-kotlin.yml | 16 ++++++++++++++++ .../des-is-deprecated-kotlin-snapshot.yml | 9 +++++++++ tests/kotlin/des-is-deprecated-kotlin-test.yml | 7 +++++++ 3 files changed, 32 insertions(+) create mode 100644 rules/kotlin/security/des-is-deprecated-kotlin.yml create mode 100644 tests/__snapshots__/des-is-deprecated-kotlin-snapshot.yml create mode 100644 tests/kotlin/des-is-deprecated-kotlin-test.yml diff --git a/rules/kotlin/security/des-is-deprecated-kotlin.yml b/rules/kotlin/security/des-is-deprecated-kotlin.yml new file mode 100644 index 00000000..377e3ed5 --- /dev/null +++ b/rules/kotlin/security/des-is-deprecated-kotlin.yml @@ -0,0 +1,16 @@ +id: des-is-deprecated-kotlin +severity: warning +language: kotlin +message: >- + DES is considered deprecated. AES is the recommended cipher. Upgrade to + use AES. See https://www.nist.gov/news-events/news/2005/06/nist-withdraws-outdated-data-encryption-standard + for more information. +note: >- + [CWE-326] Inadequate Encryption Strength. + [REFERENCES] + - https://www.nist.gov/news-events/news/2005/06/nist-withdraws-outdated-data-encryption-standard +rule: + pattern: $CIPHER.getInstance($SAS) +constraints: + SAS: + regex: "DES" diff --git a/tests/__snapshots__/des-is-deprecated-kotlin-snapshot.yml b/tests/__snapshots__/des-is-deprecated-kotlin-snapshot.yml new file mode 100644 index 00000000..ebce9bbf --- /dev/null +++ b/tests/__snapshots__/des-is-deprecated-kotlin-snapshot.yml @@ -0,0 +1,9 @@ +id: des-is-deprecated-kotlin +snapshots: + ? | + Cipher.getInstance("DES/ECB/PKCS5Padding"); + : labels: + - source: Cipher.getInstance("DES/ECB/PKCS5Padding") + style: primary + start: 0 + end: 42 diff --git a/tests/kotlin/des-is-deprecated-kotlin-test.yml b/tests/kotlin/des-is-deprecated-kotlin-test.yml new file mode 100644 index 00000000..60949d48 --- /dev/null 
+++ b/tests/kotlin/des-is-deprecated-kotlin-test.yml @@ -0,0 +1,7 @@ +id: des-is-deprecated-kotlin +valid: + - | + Cipher c = Cipher.getInstance("AES/GCM/NoPadding"); +invalid: + - | + Cipher.getInstance("DES/ECB/PKCS5Padding"); From ae12535b6e15ef2a3601b30225da299b1c7bc5e8 Mon Sep 17 00:00:00 2001 From: ESS-ENN Date: Fri, 13 Sep 2024 12:53:35 +0530 Subject: [PATCH 31/37] Made changes as per suggestions of coderabbit ai bot --- .../xmlinputfactory-dtd-enabled-scala.yml | 30 +++++++++---------- .../cbc-padding-oracle-java-snapshot.yml | 7 +++++ .../no-null-cipher-java-snapshot.yml | 8 +++++ .../rsa-no-padding-java-snapshot.yml | 8 +++++ .../rsa-padding-set-scala-snapshot.yml | 7 +++++ ...nputfactory-dtd-enabled-scala-snapshot.yml | 8 +++++ tests/java/cbc-padding-oracle-java-test.yml | 2 +- tests/java/no-null-cipher-java-test.yml | 2 +- tests/java/rsa-no-padding-java-test.yml | 2 +- tests/scala/rsa-padding-set-scala-test.yml | 2 +- 10 files changed, 57 insertions(+), 19 deletions(-) diff --git a/rules/scala/security/xmlinputfactory-dtd-enabled-scala.yml b/rules/scala/security/xmlinputfactory-dtd-enabled-scala.yml index cb4d4ce4..9ba9cb7f 100644 --- a/rules/scala/security/xmlinputfactory-dtd-enabled-scala.yml +++ b/rules/scala/security/xmlinputfactory-dtd-enabled-scala.yml 
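Review bot: The `valid` sample `Cipher c = Cipher.getInstance("AES/GCM/NoPadding");` is Java, not Kotlin, so under the Kotlin grammar it parses with errors and passes for the wrong reason rather than because the constraint rejects AES. Suggest `val c = Cipher.getInstance("AES/GCM/NoPadding")` for the valid case and a semicolon-free `invalid` case so the rule is exercised on idiomatic Kotlin.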
@@ -2,24 +2,24 @@ id: xmlinputfactory-dtd-enabled-scala language: scala severity: warning message: >- - XMLInputFactory being instantiated without calling the setProperty - functions that are generally used for disabling entity processing. User - controlled data in XML Document builder can result in XML Internal Entity - Processing vulnerabilities like the disclosure of confidential data, - denial of service, Server Side Request Forgery (SSRF), port scanning. Make - sure to disable entity processing functionality. + XMLInputFactory being instantiated without calling the setProperty + functions that are generally used for disabling entity processing. User + controlled data in XML Document builder can result in XML Internal Entity + Processing vulnerabilities like the disclosure of confidential data, + denial of service, Server Side Request Forgery (SSRF), port scanning. Make + sure to disable entity processing functionality. note: >- [CWE-611] Improper Restriction of XML External Entity. [REFERENCES] - https://owasp.org/Top10/A05_2021-Security_Misconfiguration rule: - any: - - pattern: XMLInputFactory.newFactory($$$) - - pattern: XMLInputFactory.newInstance($$$) - - pattern: new XMLInputFactory($$$) -precedes: - not: - pattern: $XMLFACTORY.setProperty($MODE, false) + any: + - pattern: XMLInputFactory.newFactory($$$) + - pattern: XMLInputFactory.newInstance($$$) + - pattern: new XMLInputFactory($$$) +precedes: + not: + pattern: $XMLFACTORY.setProperty($MODE, false) constraints: - MODE: - regex: 'javax.xml.stream.isSupportingExternalEntities' \ No newline at end of file + MODE: + regex: "javax.xml.stream.isSupportingExternalEntities" diff --git a/tests/__snapshots__/cbc-padding-oracle-java-snapshot.yml b/tests/__snapshots__/cbc-padding-oracle-java-snapshot.yml index fec2a659..12d32ee1 100644 --- a/tests/__snapshots__/cbc-padding-oracle-java-snapshot.yml +++ b/tests/__snapshots__/cbc-padding-oracle-java-snapshot.yml 
@@ -6,3 +6,10 @@ snapshots: style: primary start: 0 end: 42 + ? | + Cipher.getInstance("AES/CBC/PKCS5Padding"); + : labels: + - source: Cipher.getInstance("AES/CBC/PKCS5Padding") + style: primary + start: 0 + end: 42 diff --git a/tests/__snapshots__/no-null-cipher-java-snapshot.yml b/tests/__snapshots__/no-null-cipher-java-snapshot.yml index 7c9b2e87..a926152d 100644 --- a/tests/__snapshots__/no-null-cipher-java-snapshot.yml +++ b/tests/__snapshots__/no-null-cipher-java-snapshot.yml @@ -8,3 +8,11 @@ snapshots: style: primary start: 25 end: 41 + ? | + Cipher doNothingCihper = new NullCipher(); + new javax.crypto.NullCipher(); + : labels: + - source: new NullCipher() + style: primary + start: 25 + end: 41 diff --git a/tests/__snapshots__/rsa-no-padding-java-snapshot.yml b/tests/__snapshots__/rsa-no-padding-java-snapshot.yml index ce8cc115..80e65e5d 100644 --- a/tests/__snapshots__/rsa-no-padding-java-snapshot.yml +++ b/tests/__snapshots__/rsa-no-padding-java-snapshot.yml @@ -8,3 +8,11 @@ snapshots: style: primary start: 0 end: 40 + ? | + Cipher.getInstance("RSA/None/NoPadding"); + Cipher.getInstance("RSA/NONE/NoPadding"); + : labels: + - source: Cipher.getInstance("RSA/None/NoPadding") + style: primary + start: 0 + end: 40 diff --git a/tests/__snapshots__/rsa-padding-set-scala-snapshot.yml b/tests/__snapshots__/rsa-padding-set-scala-snapshot.yml index 749644a0..1274abe0 100644 --- a/tests/__snapshots__/rsa-padding-set-scala-snapshot.yml +++ b/tests/__snapshots__/rsa-padding-set-scala-snapshot.yml @@ -6,3 +6,10 @@ snapshots: style: primary start: 0 end: 39 + ? | + Cipher.getInstance("RSA/ECB/NoPadding") + : labels: + - source: Cipher.getInstance("RSA/ECB/NoPadding") + style: primary + start: 0 + end: 39 diff --git a/tests/__snapshots__/xmlinputfactory-dtd-enabled-scala-snapshot.yml b/tests/__snapshots__/xmlinputfactory-dtd-enabled-scala-snapshot.yml index 6a8392b4..ed6503fc 100644 --- a/tests/__snapshots__/xmlinputfactory-dtd-enabled-scala-snapshot.yml 
+++ b/tests/__snapshots__/xmlinputfactory-dtd-enabled-scala-snapshot.yml @@ -1,5 +1,13 @@ id: xmlinputfactory-dtd-enabled-scala snapshots: + ? |- + val factory = XMLInputFactory.newFactory() + val fileReader = new FileReader(file) + : labels: + - source: XMLInputFactory.newFactory() + style: primary + start: 14 + end: 42 ? |- val factory = XMLInputFactory.newFactory() val fileReader = new FileReader(file) diff --git a/tests/java/cbc-padding-oracle-java-test.yml b/tests/java/cbc-padding-oracle-java-test.yml index b54e956d..8a0336cf 100644 --- a/tests/java/cbc-padding-oracle-java-test.yml +++ b/tests/java/cbc-padding-oracle-java-test.yml @@ -4,4 +4,4 @@ valid: Cipher.getInstance("AES/GCM/NoPadding"); invalid: - | - Cipher.getInstance("AES/CBC/PKCS5Padding"); \ No newline at end of file + Cipher.getInstance("AES/CBC/PKCS5Padding"); diff --git a/tests/java/no-null-cipher-java-test.yml b/tests/java/no-null-cipher-java-test.yml index a80b1e81..ef38e9f6 100644 --- a/tests/java/no-null-cipher-java-test.yml +++ b/tests/java/no-null-cipher-java-test.yml @@ -5,4 +5,4 @@ valid: invalid: - | Cipher doNothingCihper = new NullCipher(); - new javax.crypto.NullCipher(); \ No newline at end of file + new javax.crypto.NullCipher(); diff --git a/tests/java/rsa-no-padding-java-test.yml b/tests/java/rsa-no-padding-java-test.yml index ec99d9b2..cb962e9e 100644 --- a/tests/java/rsa-no-padding-java-test.yml +++ b/tests/java/rsa-no-padding-java-test.yml @@ -5,4 +5,4 @@ valid: invalid: - | Cipher.getInstance("RSA/None/NoPadding"); - Cipher.getInstance("RSA/NONE/NoPadding"); \ No newline at end of file + Cipher.getInstance("RSA/NONE/NoPadding"); diff --git a/tests/scala/rsa-padding-set-scala-test.yml b/tests/scala/rsa-padding-set-scala-test.yml index fe203ab8..3196e148 100644 --- a/tests/scala/rsa-padding-set-scala-test.yml +++ b/tests/scala/rsa-padding-set-scala-test.yml 
@@ -6,4 +6,4 @@ valid: Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding"); invalid: - | - Cipher.getInstance("RSA/ECB/NoPadding") \ No newline at end of file + Cipher.getInstance("RSA/ECB/NoPadding") From 1326f4c2a2afccf5bb2096037cb45502610051b2 Mon Sep 17 00:00:00 2001 From: ESS-ENN Date: Fri, 13 Sep 2024 17:33:52 +0530 Subject: [PATCH 32/37] use-of-md5-java --- rules/java/security/use-of-md5-java.yml | 20 +++++++++++++++++++ .../use-of-md5-java-snapshot.yml | 9 +++++++++ tests/java/use-of-md5-java-test.yml | 7 +++++++ 3 files changed, 36 insertions(+) create mode 100644 rules/java/security/use-of-md5-java.yml create mode 100644 tests/__snapshots__/use-of-md5-java-snapshot.yml create mode 100644 tests/java/use-of-md5-java-test.yml diff --git a/rules/java/security/use-of-md5-java.yml b/rules/java/security/use-of-md5-java.yml new file mode 100644 index 00000000..a7835c21 --- /dev/null +++ b/rules/java/security/use-of-md5-java.yml @@ -0,0 +1,20 @@ +id: use-of-md5-java +severity: warning +language: java +message: >- + Detected MD5 hash algorithm which is considered insecure. MD5 is not + collision resistant and is therefore not suitable as a cryptographic + signature. Use HMAC instead. +note: >- + [CWE-328] Use of Weak Hash. + [REFERENCES] + - https://owasp.org/Top10/A02_2021-Cryptographic_Failures +rule: + any: + - pattern: java.security.MessageDigest.getInstance($ALGO) + - pattern: java.security.MessageDigest.getInstance($ALGO, $$$) + - pattern: MessageDigest.getInstance($ALGO) + - pattern: MessageDigest.getInstance($ALGO, $$$) +constraints: + ALGO: + regex: "MD5" diff --git a/tests/__snapshots__/use-of-md5-java-snapshot.yml b/tests/__snapshots__/use-of-md5-java-snapshot.yml new file mode 100644 index 00000000..6f6c27ae --- /dev/null +++ b/tests/__snapshots__/use-of-md5-java-snapshot.yml 
@@ -0,0 +1,9 @@ +id: use-of-md5-java +snapshots: + ? | + MessageDigest md5Digest = MessageDigest.getInstance("MD5"); + : labels: + - source: MessageDigest.getInstance("MD5") + style: primary + start: 26 + end: 58 diff --git a/tests/java/use-of-md5-java-test.yml b/tests/java/use-of-md5-java-test.yml new file mode 100644 index 00000000..23548605 --- /dev/null +++ b/tests/java/use-of-md5-java-test.yml @@ -0,0 +1,7 @@ +id: use-of-md5-java +valid: + - | + byte[] hashValue = DigestUtils.getMd5Digest().digest(password.getBytes()); +invalid: + - | + MessageDigest md5Digest = MessageDigest.getInstance("MD5"); From d26328d1e10315870dff206a9b35fbff8b2de309 Mon Sep 17 00:00:00 2001 From: ESS-ENN Date: Fri, 13 Sep 2024 17:34:43 +0530 Subject: [PATCH 33/37] use-of-sha1-java --- rules/java/security/use-of-sha1-java.yml | 20 +++++++++++++++++++ .../use-of-sha1-java-snapshot.yml | 10 ++++++++++ tests/java/use-of-sha1-java-test.yml | 10 ++++++++++ 3 files changed, 40 insertions(+) create mode 100644 rules/java/security/use-of-sha1-java.yml create mode 100644 tests/__snapshots__/use-of-sha1-java-snapshot.yml create mode 100644 tests/java/use-of-sha1-java-test.yml diff --git a/rules/java/security/use-of-sha1-java.yml b/rules/java/security/use-of-sha1-java.yml new file mode 100644 index 00000000..1c24f3e3 --- /dev/null +++ b/rules/java/security/use-of-sha1-java.yml 
@@ -0,0 +1,20 @@
+id: use-of-sha1-java
+language: java
+severity: warning
+message: >-
+ Detected SHA1 hash algorithm which is considered insecure. SHA1 is not
+ collision resistant and is therefore not suitable as a cryptographic
+ signature. Instead, use PBKDF2 for password hashing or SHA256 or SHA512
+ for other hash function applications.
+note: >-
+ [CWE-328] Use of Weak Hash.
+ [REFERENCES]
+ - https://owasp.org/Top10/A02_2021-Cryptographic_Failures
+rule:
+ any:
+ - pattern: $DU.getSha1Digest().digest($$$)
+ - pattern: MessageDigest.getInstance($ALGO)
+ - pattern: java.security.MessageDigest.getInstance($ALGO,$$$)
+constraints:
+ ALGO:
+ regex: "SHA1|SHA-1"
diff --git a/tests/__snapshots__/use-of-sha1-java-snapshot.yml b/tests/__snapshots__/use-of-sha1-java-snapshot.yml
new file mode 100644
index 00000000..444fe5b3
--- /dev/null
+++ b/tests/__snapshots__/use-of-sha1-java-snapshot.yml
@@ -0,0 +1,10 @@
+id: use-of-sha1-java
+snapshots:
+ ? |
+ java.security.MessageDigest md = java.security.MessageDigest.getInstance("SHA1", "SUN");
+ DigestUtils.getSha1Digest().digest(password.getBytes());
+ : labels:
+ - source: java.security.MessageDigest.getInstance("SHA1", "SUN")
+ style: primary
+ start: 33
+ end: 87
diff --git a/tests/java/use-of-sha1-java-test.yml b/tests/java/use-of-sha1-java-test.yml
new file mode 100644
index 00000000..307dc641
--- /dev/null
+++ b/tests/java/use-of-sha1-java-test.yml
@@ -0,0 +1,10 @@
+id: use-of-sha1-java
+valid:
+ - |
+ java.io.File fileTarget = new java.io.File(
+ new java.io.File(org.owasp.benchmark.helpers.Utils.TESTFILES_DIR),
+ "passwordFile.txt");
+invalid:
+ - |
+ java.security.MessageDigest md = java.security.MessageDigest.getInstance("SHA1", "SUN");
+ DigestUtils.getSha1Digest().digest(password.getBytes());
From 57c1edb0690d46b12b290215e9227fc71b34cd27 Mon Sep 17 00:00:00 2001
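Review bot: The `any:` list is asymmetric — it has `MessageDigest.getInstance($ALGO)` and `java.security.MessageDigest.getInstance($ALGO,$$$)` but neither `MessageDigest.getInstance($ALGO, $$$)` nor `java.security.MessageDigest.getInstance($ALGO)` — so `MessageDigest.getInstance("SHA-1", "SUN")` and the fully-qualified single-argument call are missed; use-of-md5-java in PATCH 32 lists all four forms and this rule should mirror it. `regex: "SHA1|SHA-1"` is unanchored, so `'(?i)^"SHA-?1"$'` would confine it to the literal and avoid matching longer algorithm names that merely contain `SHA-1`. The `valid` fixture is a `java.io.File` construction that no pattern here could ever match; a near miss such as `MessageDigest.getInstance("SHA-256")` would actually test the constraint.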
From: ESS-ENN Date: Fri, 13 Sep 2024 17:36:09 +0530 Subject: [PATCH 34/37] system-setproperty-hardcoded-secret-kotlin --- ...em-setproperty-hardcoded-secret-kotlin.yml | 22 +++++++++++++++++++ ...perty-hardcoded-secret-kotlin-snapshot.yml | 10 +++++++++ ...tproperty-hardcoded-secret-kotlin-test.yml | 9 ++++++++ 3 files changed, 41 insertions(+) create mode 100644 rules/kotlin/security/system-setproperty-hardcoded-secret-kotlin.yml create mode 100644 tests/__snapshots__/system-setproperty-hardcoded-secret-kotlin-snapshot.yml create mode 100644 tests/kotlin/system-setproperty-hardcoded-secret-kotlin-test.yml diff --git a/rules/kotlin/security/system-setproperty-hardcoded-secret-kotlin.yml b/rules/kotlin/security/system-setproperty-hardcoded-secret-kotlin.yml new file mode 100644 index 00000000..06635555 --- /dev/null +++ b/rules/kotlin/security/system-setproperty-hardcoded-secret-kotlin.yml @@ -0,0 +1,22 @@ +id: system-setproperty-hardcoded-secret-kotlin +language: kotlin +severity: warning +message: >- + A secret is hard-coded in the application. Secrets stored in source + code, such as credentials, identifiers, and other types of sensitive data, + can be leaked and used by internal or external malicious actors. Use + environment variables to securely provide credentials and other secrets or + retrieve them from a secure vault or Hardware Security Module (HSM). +note: >- + [CWE-798]: Use of Hard-coded Credentials + [OWASP A07:2021]: Identification and Authentication Failures + [REFERENCES] + - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html +rule: + all: + - any: + - pattern: System.setProperty("javax.net.ssl.keyStorePassword", $PWD); + - pattern: System.setProperty("javax.net.ssl.trustStorePassword", $PWD); +constraints: + PWD: + regex: '^"' 
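Review bot: Both patterns end in `;`, but idiomatic Kotlin omits it and the only `invalid` fixture keeps it, so whether `System.setProperty("javax.net.ssl.keyStorePassword", "password")` without a semicolon is reported is untested; the snapshot's match ends at column 64, before the `;`, which suggests the Kotlin grammar treats it as a separate token, so dropping the `;` from both patterns and adding a semicolon-free `invalid` case would settle it. The `'^"'` constraint also accepts Kotlin string templates, so `System.setProperty("javax.net.ssl.trustStorePassword", "${config.password}")` is likely reported as hard-coded although the value is dynamic; a `valid` case for the template form and a regex that rejects templates, e.g. `'^"[^$]*"$'` (at the cost of literals containing an escaped `\$`), would narrow it.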
diff --git a/tests/__snapshots__/system-setproperty-hardcoded-secret-kotlin-snapshot.yml b/tests/__snapshots__/system-setproperty-hardcoded-secret-kotlin-snapshot.yml new file mode 100644 index 00000000..0d421bce --- /dev/null +++ b/tests/__snapshots__/system-setproperty-hardcoded-secret-kotlin-snapshot.yml @@ -0,0 +1,10 @@ +id: system-setproperty-hardcoded-secret-kotlin +snapshots: + ? | + System.setProperty("javax.net.ssl.keyStorePassword", "password"); + System.setProperty("javax.net.ssl.trustStorePassword", "password"); + : labels: + - source: System.setProperty("javax.net.ssl.keyStorePassword", "password") + style: primary + start: 0 + end: 64 diff --git a/tests/kotlin/system-setproperty-hardcoded-secret-kotlin-test.yml b/tests/kotlin/system-setproperty-hardcoded-secret-kotlin-test.yml new file mode 100644 index 00000000..d66da67a --- /dev/null +++ b/tests/kotlin/system-setproperty-hardcoded-secret-kotlin-test.yml @@ -0,0 +1,9 @@ +id: system-setproperty-hardcoded-secret-kotlin +valid: + - | + System.setProperty("javax.net.ssl.trustStorePassword", config); + System.setProperty("javax.net.ssl.keyStorePassword", config); +invalid: + - | + System.setProperty("javax.net.ssl.keyStorePassword", "password"); + System.setProperty("javax.net.ssl.trustStorePassword", "password"); From b679216a45c97f47586105b83e8531ebb5cb3bd7 Mon Sep 17 00:00:00 2001 From: ESS-ENN Date: Fri, 13 Sep 2024 17:36:59 +0530 Subject: [PATCH 35/37] use-of-aes-ecb-java --- rules/java/security/use-of-aes-ecb-java.yml | 22 +++++++++++++++++++ .../use-of-aes-ecb-java-snapshot.yml | 10 +++++++++ tests/java/use-of-aes-ecb-java-test.yml | 8 +++++++ 3 files changed, 40 insertions(+) create mode 100644 rules/java/security/use-of-aes-ecb-java.yml create mode 100644 tests/__snapshots__/use-of-aes-ecb-java-snapshot.yml create mode 100644 tests/java/use-of-aes-ecb-java-test.yml 
diff --git a/rules/java/security/use-of-aes-ecb-java.yml b/rules/java/security/use-of-aes-ecb-java.yml
new file mode 100644
index 00000000..9e28e0b2
--- /dev/null
+++ b/rules/java/security/use-of-aes-ecb-java.yml
@@ -0,0 +1,22 @@
+id: use-of-aes-ecb-java
+language: java
+severity: warning
+message: >-
+ Use of AES with ECB mode detected. ECB doesn't provide message
+ confidentiality and is not semantically secure so should not be used.
+ Instead, use a strong, secure cipher:
+ Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See
+ https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions
+ for more information.
+note: >-
+ [CWE-327]: Use of a Broken or Risky Cryptographic Algorithm
+ [OWASP A03:2017]: Sensitive Data Exposure
+ [OWASP A02:2021]: Cryptographic Failures
+ [REFERENCES]
+ - https://owasp.org/Top10/A02_2021-Cryptographic_Failures
+ - https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html
+rule:
+ pattern: $CIPHER.getInstance($MATCHES)
+constraints:
+ MATCHES:
+ regex: ".*AES/ECB/.*"
diff --git a/tests/__snapshots__/use-of-aes-ecb-java-snapshot.yml b/tests/__snapshots__/use-of-aes-ecb-java-snapshot.yml
new file mode 100644
index 00000000..6c8a701c
--- /dev/null
+++ b/tests/__snapshots__/use-of-aes-ecb-java-snapshot.yml
@@ -0,0 +1,10 @@
+id: use-of-aes-ecb-java
+snapshots:
+ ? |
+ Cipher.getInstance("AES/ECB/NoPadding")
+ Cipher.getInstance("AES/ECB/PKCS5Padding")
+ : labels:
+ - source: Cipher.getInstance("AES/ECB/NoPadding")
+ style: primary
+ start: 0
+ end: 39
diff --git a/tests/java/use-of-aes-ecb-java-test.yml b/tests/java/use-of-aes-ecb-java-test.yml
new file mode 100644
index 00000000..cd41ad9e
--- /dev/null
+++ b/tests/java/use-of-aes-ecb-java-test.yml
@@ -0,0 +1,8 @@
+id: use-of-aes-ecb-java
+valid:
+ - |
+ Cipher.getInstance("AES/CBC/PKCS7PADDING")
+invalid:
+ - |
+ Cipher.getInstance("AES/ECB/NoPadding")
+ Cipher.getInstance("AES/ECB/PKCS5Padding")
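Review bot: `Cipher.getInstance("AES")` is not caught, and in the default SunJCE provider that bare transformation resolves to `AES/ECB/PKCS5Padding`, so the most common way to end up in ECB mode is exactly the one this rule misses; `regex: '(?i)^"AES(/ECB/|")'` covers the explicit and the implicit form, with a `note` line saying that bare `"AES"` implies ECB so the finding is not mistaken for a false positive. The message writes `\"AES/CBC/PKCS7PADDING\"` inside a `>-` scalar, where a backslash is literal, so the rendered finding shows the backslashes; the other rules in this series use unescaped quotes in folded scalars without trouble, so drop them here. The `REFERENCES` list also carries the RC4 blog post copied from use-of-rc4-java, which says nothing about ECB.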
From 6ff44388f4f0a4030f478b438f5008189cad5c14 Mon Sep 17 00:00:00 2001
From: ESS-ENN
Date: Fri, 13 Sep 2024 17:37:50 +0530
Subject: [PATCH 36/37] use-of-blowfish-java
--- rules/java/security/use-of-blowfish-java.yml | 17 +++++++++++++++ .../use-of-blowfish-java-snapshot.yml | 16 ++++++++++++++++ tests/java/use-of-blowfish-java-test.yml | 9 +++++++++ 3 files changed, 42 insertions(+) create mode 100644 rules/java/security/use-of-blowfish-java.yml create mode 100644 tests/__snapshots__/use-of-blowfish-java-snapshot.yml create mode 100644 tests/java/use-of-blowfish-java-test.yml
diff --git a/rules/java/security/use-of-blowfish-java.yml b/rules/java/security/use-of-blowfish-java.yml
new file mode 100644
index 00000000..512745a2
--- /dev/null
+++ b/rules/java/security/use-of-blowfish-java.yml
@@ -0,0 +1,17 @@
+id: use-of-blowfish-java
+language: java
+severity: info
+message: >-
+ Use of Blowfish was detected. Blowfish uses a 64-bit block size
+ that makes it vulnerable to birthday attacks, and is therefore considered
+ non-compliant. Instead, use a strong, secure cipher:
+ Cipher.getInstance("AES/CBC/PKCS7PADDING"). See
+ https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions
+ for more information.
+note: >-
+ [CWE-327] Use of a Broken or Risky Cryptographic Algorithm
+ [REFERENCES]
+ - https://owasp.org/Top10/A02_2021-Cryptographic_Failures
+ - https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html
+rule:
+ pattern: $CIPHER.getInstance("Blowfish")
diff --git a/tests/__snapshots__/use-of-blowfish-java-snapshot.yml b/tests/__snapshots__/use-of-blowfish-java-snapshot.yml
new file mode 100644
index 00000000..cc54e7fb
--- /dev/null
+++ b/tests/__snapshots__/use-of-blowfish-java-snapshot.yml
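Review bot: `$CIPHER.getInstance("Blowfish")` is an exact literal, so the usual transformation form `"Blowfish/CBC/PKCS5Padding"` and the case variants the JCA lookup accepts are not reported even though the 64-bit block concern applies to all of them; `pattern: $CIPHER.getInstance($ALG)` with `regex: '(?i)^"Blowfish(/|")'` under `constraints` matches the family. The `REFERENCES` entry for the RC4 blog post is copied from use-of-rc4-java and says nothing about Blowfish; the Sweet32 write-up on 64-bit block ciphers is the reference that supports the birthday-attack sentence in the message. Severity is `info` here while use-of-rc4-java and des-is-deprecated-java are `warning`; the message itself calls Blowfish non-compliant, so the level should match its siblings or the text should explain why it is lower.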
@@ -0,0 +1,16 @@ +id: use-of-blowfish-java +snapshots: + ? | + Cipher.getInstance("Blowfish"); + : labels: + - source: Cipher.getInstance("Blowfish") + style: primary + start: 0 + end: 30 + ? | + useCipher(Cipher.getInstance("Blowfish")); + : labels: + - source: Cipher.getInstance("Blowfish") + style: primary + start: 10 + end: 40 diff --git a/tests/java/use-of-blowfish-java-test.yml b/tests/java/use-of-blowfish-java-test.yml new file mode 100644 index 00000000..c4a43b2d --- /dev/null +++ b/tests/java/use-of-blowfish-java-test.yml @@ -0,0 +1,9 @@ +id: use-of-blowfish-java +valid: + - | + Cipher.getInstance("AES/CBC/PKCS7PADDING"); +invalid: + - | + Cipher.getInstance("Blowfish"); + - | + useCipher(Cipher.getInstance("Blowfish")); From 66dff6f5aa8907de3ba45e5c6574c06ffbc29002 Mon Sep 17 00:00:00 2001 From: ESS-ENN Date: Fri, 13 Sep 2024 18:33:16 +0530 Subject: [PATCH 37/37] Update of use-of-md5-java --- tests/java/use-of-md5-java-test.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/java/use-of-md5-java-test.yml b/tests/java/use-of-md5-java-test.yml index 23548605..af34098d 100644 --- a/tests/java/use-of-md5-java-test.yml +++ b/tests/java/use-of-md5-java-test.yml @@ -1,7 +1,7 @@ id: use-of-md5-java valid: - | - byte[] hashValue = DigestUtils.getMd5Digest().digest(password.getBytes()); + MessageDigest md5Digest = MessageDigest.getInstance("SHA-512"); invalid: - | MessageDigest md5Digest = MessageDigest.getInstance("MD5");