
[java] HardcodedCryptoKey false negative with variable assignments #3368

Closed
ghost opened this issue Jun 29, 2021 · 3 comments · Fixed by #3544
Labels: a:false-negative (PMD doesn't flag a problematic piece of code)

Comments


ghost commented Jun 29, 2021

Affects PMD Version: 6.35.0

Rule: HardcodedCryptoKey

Please provide the rule name and a link to the rule documentation:
https://pmd.github.io/pmd-6.35.0/pmd_rules_java_security.html#hardcodedcryptokey

Description:
PMD should have reported a warning to detect the bug at line 9 because when str is assigned a string constant in the true branch, the program will have a security flaw.

Code Sample demonstrating the issue:

```java
// Requires: import javax.crypto.spec.SecretKeySpec; (omitted in the original snippet)
public void testHardCodedCryptoKey(boolean tag) {
    String str;                       // declared without an initializer
    if (tag) {
        str = "Hardcoded Crypto Key1";  // literal key assigned in the true branch
    } else {
        str = "Hardcoded Crypto Key2";  // literal key assigned in the false branch
    }
    SecretKeySpec secretKeySpec = new SecretKeySpec(str.getBytes(), "AES");  // should report a warning here
}
```

Expected outcome:

PMD should report a violation at line 9, but doesn't. This is a false-negative.

Running PMD through: [Maven]

@ghost ghost added the a:false-negative PMD doesn't flag a problematic piece of code label Jun 29, 2021

ghost commented Jul 2, 2021

@oowekyala, hi Clément, could you please help me check issue? Thanks!


adangel commented Jul 2, 2021

I think that's a real false-negative. The rule currently only checks the initializer of the variable. In your code sample, the variable str is not initialized at all, so the rule doesn't see a problem.

We probably would need to enhance the rule to check all assignments to the variable as well...
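The gap described in the comment above (the initializer is inspected, later assignments to the same variable are not), shown as an added toy checker. This is example code written for this page, not PMD's rule implementation and not the change in #3544; it uses line-level regular expressions over two constructed Java samples (one mirroring the issue's reproducer, with the SecretKeySpec on line 9, and one with an initializer) and ignores scoping, so it only handles the shapes in those samples.

```python
import re

# Constructed Java reproducer mirroring the issue's sample; the sink lands on
# line 9, as in the report. Not PMD's test code.
ISSUE_SAMPLE = """\
class Demo {
    public void testHardCodedCryptoKey(boolean tag) {
        String str;
        if (tag) {
            str = "Hardcoded Crypto Key1";
        } else {
            str = "Hardcoded Crypto Key2";
        }
        SecretKeySpec secretKeySpec = new SecretKeySpec(str.getBytes(), "AES");
    }
}
"""

# Constructed sample using an initializer, the case the existing rule handles.
INIT_SAMPLE = """\
class Demo {
    void init() {
        String key = "Hardcoded Crypto Key";
        SecretKeySpec spec = new SecretKeySpec(key.getBytes(), "AES");
    }
}
"""

# Toy line-level patterns (assumption: one statement per line). A real rule
# walks the AST; these only cover the shapes in the samples above.
DECL_RE = re.compile(r'^\s*String\s+(\w+)\s*(?:=\s*"([^"]*)")?\s*;')
ASSIGN_RE = re.compile(r'^\s*(\w+)\s*=\s*"([^"]*)"\s*;')
SINK_RE = re.compile(r'new\s+SecretKeySpec\s*\(\s*(\w+)\s*\.getBytes\s*\(')


def find_hardcoded_keys(java_source, track_assignments):
    """Return (sink_line, variable, [literal_lines]) for every SecretKeySpec
    built from a String variable into which a string literal flows.

    track_assignments=False mimics the initializer-only behaviour described
    in the comment; True also records plain `var = "literal";` statements,
    whichever branch they sit in (a may-analysis over the whole method).
    Scoping is ignored: a name is tracked until it is declared again.
    """
    literal_lines = {}  # variable name -> lines where a literal flows into it
    findings = []
    for lineno, line in enumerate(java_source.splitlines(), 1):
        decl = DECL_RE.match(line)
        if decl:
            name, initializer = decl.group(1), decl.group(2)
            # Only the initializer is seen in both modes.
            literal_lines[name] = [lineno] if initializer is not None else []
            continue
        if track_assignments:
            assign = ASSIGN_RE.match(line)
            if assign and assign.group(1) in literal_lines:
                literal_lines[assign.group(1)].append(lineno)
        for sink in SINK_RE.finditer(line):
            name = sink.group(1)
            if literal_lines.get(name):
                findings.append((lineno, name, list(literal_lines[name])))
    return findings


if __name__ == "__main__":
    for label, src in (("initializer", INIT_SAMPLE), ("issue sample", ISSUE_SAMPLE)):
        for mode in (False, True):
            print(label, "track_assignments=%s:" % mode,
                  find_hardcoded_keys(src, mode))
```

With track_assignments=False the issue sample produces no finding, which is the false negative reported here; with True the checker reports the sink on line 9 together with both literal assignments (lines 5 and 7), while the initializer sample is flagged either way. Whatever the analyser does, the remediation on the application side is the same: key material should come from a keystore or configuration, never from a string literal in source.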

@adangel adangel changed the title [java] Improve HardcodedCryptoKey [java] HardcodedCryptoKey false negative with variable assignments Jul 2, 2021

ghost commented Jul 5, 2021

Hi Andres, thanks for your kind and prompt reply! 👍 Hope you had a nice weekend.

@adangel adangel added this to the 6.40.0 milestone Oct 7, 2021
@adangel adangel self-assigned this Oct 7, 2021
adangel added a commit to adangel/pmd that referenced this issue Oct 29, 2021
[java] HardcodedCryptoKey false negative with variable assignments pmd#3368

* pr-3544:
  Simplify getUsages call
  Fix stack overflow error
  [java] HardcodedCryptoKey false negative with variable assignments
pmd#3368