gcm-nonce-reuse-java

Sakshis · Sakshis · commit 023653aa7cb8 · 2024-12-16T10:53:34.000Z
diff --git a/rules/java/security/gcm-nonce-reuse-java.yml b/rules/java/security/gcm-nonce-reuse-java.yml
@@ -0,0 +1,18 @@
+id: gcm-nonce-reuse-java
+language: java
+severity: warning
+message: >-
+  GCM IV/nonce is reused: encryption can be totally useless.
+note: >-
+  [CWE-323] Reusing a Nonce, Key Pair in Encryption.
+  [REFERENCES]
+      - https://owasp.org/Top10/A02_2021-Cryptographic_Failures
+rule:
+  any:
+    - pattern: GCMParameterSpec $$$ = new GCMParameterSpec(GCM_TAG_LENGTH * 8, $A);
+      follows:
+        stopBy: end
+        pattern: byte[] $A = $_;
+    - pattern: new GCMParameterSpec($$$, "$$$".getBytes($$$), $$$)
+
+
diff --git a/tests/__snapshots__/gcm-nonce-reuse-java-snapshot.yml b/tests/__snapshots__/gcm-nonce-reuse-java-snapshot.yml
@@ -0,0 +1,14 @@
+id: gcm-nonce-reuse-java
+snapshots:
+  ? |
+    byte[] theBadIV = BAD_IV.getBytes();
+    GCMParameterSpec gcmParameterSpec = new GCMParameterSpec(GCM_TAG_LENGTH * 8, theBadIV);
+  : labels:
+    - source: GCMParameterSpec gcmParameterSpec = new GCMParameterSpec(GCM_TAG_LENGTH * 8, theBadIV);
+      style: primary
+      start: 37
+      end: 124
+    - source: byte[] theBadIV = BAD_IV.getBytes();
+      style: secondary
+      start: 0
+      end: 36
diff --git a/tests/java/gcm-nonce-reuse-java-test.yml b/tests/java/gcm-nonce-reuse-java-test.yml
@@ -0,0 +1,9 @@
+id: gcm-nonce-reuse-java
+valid:
+  - |
+    byte[] theBadIV = BAD_IV.getBytes();
+    GCMParameterSpec gcmParameter = new GCMParameter(GCM_TAG_LENGTH * 8, theBadIV);
+invalid:
+  - |
+    byte[] theBadIV = BAD_IV.getBytes();
+    GCMParameterSpec gcmParameterSpec = new GCMParameterSpec(GCM_TAG_LENGTH * 8, theBadIV);
