Description:
PMD should have reported a warning to detect the bug at line 9 because when str is assigned a string constant in the true branch, a security flaw will exist in the program.
Code Sample demonstrating the issue:
import javax.crypto.spec.SecretKeySpec;

public void testHardCodedCryptoKey(boolean tag) {
    String str;
    if (tag) {
        str = "Hardcoded Crypto Key1";
    } else {
        str = "Hardcoded Crypto Key2";
    }
    SecretKeySpec secretKeySpec = new SecretKeySpec(str.getBytes(), "AES"); // should report a warning here
}
Expected outcome:
PMD should report a violation at line 9, but doesn't. This is a false negative.
Running PMD through: [Maven]
I think that's a real false negative. The rule currently only checks the initializer of the variable. In your code sample, the variable str is not initialized at all, so the rule doesn't see a problem.
We probably would need to enhance the rule to check all assignments to the variable as well...
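To make the distinction in the comment above concrete, the following is an added illustration, not PMD's rule (PMD works on its Java AST, not on regular expressions): a small line-based scanner over Java source that contrasts an initializer-only check with one that also follows every later assignment to the key variable. The three Java snippets are constructed for this example (the first is the issue's reproducer), and the regexes, function names and the restriction to `String` locals are simplifications assumed here.

```python
"""Toy contrast of 'initializer only' versus 'all assignments' for a
hardcoded-crypto-key check. Illustration only; not PMD's implementation."""
import re
from typing import Dict, List, Set

# Constructed sample 1: the issue's reproducer. Line numbers below refer to
# this string (line 1 is the method signature, line 8 the SecretKeySpec).
BRANCH_SAMPLE = """\
public void testHardCodedCryptoKey(boolean tag) {
    String str;
    if (tag) {
        str = "Hardcoded Crypto Key1";
    } else {
        str = "Hardcoded Crypto Key2";
    }
    SecretKeySpec secretKeySpec = new SecretKeySpec(str.getBytes(), "AES");
}
"""

# Constructed sample 2: literal in the initializer, the case an
# initializer-only check already catches.
INIT_SAMPLE = """\
public void initialised() {
    String key = "Hardcoded Crypto Key3";
    SecretKeySpec spec = new SecretKeySpec(key.getBytes(), "AES");
}
"""

# Constructed sample 3: key material read at runtime; nothing to flag.
ENV_SAMPLE = """\
public void fromEnvironment() {
    String key;
    key = System.getenv("APP_KEY");
    SecretKeySpec spec = new SecretKeySpec(key.getBytes(), "AES");
}
"""

# Assumed, deliberately narrow patterns: String locals, simple assignments,
# and SecretKeySpec built from var.getBytes().
DECL_RE = re.compile(r'\bString\s+(\w+)\s*(?:=\s*(.+?))?\s*;')
ASSIGN_RE = re.compile(r'^\s*(\w+)\s*=\s*(.+?)\s*;\s*$')
KEYSPEC_RE = re.compile(r'new\s+SecretKeySpec\s*\(\s*(\w+)\s*\.getBytes\(\)')
LITERAL_RE = re.compile(r'^"(?:[^"\\]|\\.)*"$')


def is_string_literal(expr: str) -> bool:
    return bool(LITERAL_RE.match(expr.strip()))


def keyspec_uses(src: str) -> Dict[int, str]:
    """Map line number -> variable passed to new SecretKeySpec(var.getBytes(), ...)."""
    uses: Dict[int, str] = {}
    for lineno, line in enumerate(src.splitlines(), 1):
        m = KEYSPEC_RE.search(line)
        if m:
            uses[lineno] = m.group(1)
    return uses


def initializer_only(src: str) -> List[int]:
    """Current behaviour as described in the thread: only the declaration's
    initializer is inspected, so `String str;` then `str = "..."` is missed.
    Returns the SecretKeySpec lines that would be reported."""
    literal_vars: Set[str] = set()
    for line in src.splitlines():
        m = DECL_RE.search(line)
        if m and m.group(2) is not None and is_string_literal(m.group(2)):
            literal_vars.add(m.group(1))
    return sorted(ln for ln, var in keyspec_uses(src).items() if var in literal_vars)


def all_assignments(src: str) -> Dict[int, List[int]]:
    """Proposed behaviour: every assignment of a string literal to the variable
    counts. Returns {keyspec_line: [lines where a literal was assigned]}."""
    literal_lines: Dict[str, List[int]] = {}
    for lineno, line in enumerate(src.splitlines(), 1):
        m = DECL_RE.search(line)
        if m and m.group(2) is not None and is_string_literal(m.group(2)):
            literal_lines.setdefault(m.group(1), []).append(lineno)
            continue
        m = ASSIGN_RE.match(line)
        if m and is_string_literal(m.group(2)):
            literal_lines.setdefault(m.group(1), []).append(lineno)
    return {ln: literal_lines[var]
            for ln, var in keyspec_uses(src).items() if var in literal_lines}


if __name__ == "__main__":
    for name, src in (("branches", BRANCH_SAMPLE), ("initializer", INIT_SAMPLE),
                      ("environment", ENV_SAMPLE)):
        print(f"{name}: initializer-only -> {initializer_only(src)}, "
              f"all-assignments -> {all_assignments(src)}")
```

On the reproducer the initializer-only pass reports nothing, while the all-assignments pass reports the SecretKeySpec line together with both literal assignments that feed it; the environment sample stays clean under either pass, which is the behaviour one wants from the enhanced rule. A real fix in PMD would resolve the variable through its AST and symbol information rather than matching text.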
adangel changed the title from "[java] Improve HardcodedCryptoKey" to "[java] HardcodedCryptoKey false negative with variable assignments" on Jul 2, 2021
Affects PMD Version: 6.35.0
Rule: HardcodedCryptoKey
Please provide the rule name and a link to the rule documentation:
https://pmd.github.io/pmd-6.35.0/pmd_rules_java_security.html#hardcodedcryptokey