
Commit 36b59a3

ESS-ENNSakshis
and
Sakshis
authored
Add Security Rules for Detecting RC2 and RC4 Cryptographic Algorithms (#127)
* removed missing-secure-java * use-of-rc4-java * use-of-rc2-java --------- Co-authored-by: Sakshis <sakshil@abc.com>
1 parent ab08455 commit 36b59a3


6 files changed

+370
-0
lines changed

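--- /dev/null
+++ b/<path not shown on page: use-of-rc2-java rule>
@@ -0,0 +1,88 @@
+id: use-of-rc2-java
+language: java
+severity: warning
+message: >-
+Use of RC2 was detected. RC2 is vulnerable to related-key attacks, and
+is therefore considered non-compliant. Instead, use a strong, secure.
+note: >-
+[CWE-327] Use of a Broken or Risky Cryptographic Algorithm.
+[REFERENCES]
+- https://owasp.org/Top10/A02_2021-Cryptographic_Failures
+- https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html
+
+utils:
+$CIPHER.getInstance("RC2"):
+kind: method_invocation
+all:
+- has:
+stopBy: neighbor
+kind: identifier
+nthchild: 1
+- has:
+stopBy: neighbor
+kind: identifier
+nthchild: 2
+regex: ^getInstance$
+- has:
+stopBy: neighbor
+kind: argument_list
+all:
+- has:
+stopBy: end
+kind: string_fragment
+regex: ^RC2$
+- not:
+has:
+stopBy: end
+kind: array_access
+
+$CIPHER.getInstance("RC2")_with_instance:
+kind: method_invocation
+all:
+- has:
+stopBy: neighbor
+kind: identifier
+nthchild: 1
+- has:
+stopBy: neighbor
+kind: identifier
+nthchild: 2
+regex: ^getInstance$
+- has:
+stopBy: neighbor
+kind: argument_list
+has:
+stopBy: end
+kind: identifier
+pattern: $RC2
+not:
+inside:
+stopBy: end
+kind: array_access
+- inside:
+stopBy: end
+follows:
+stopBy: end
+kind: local_variable_declaration
+has:
+stopBy: end
+kind: variable_declarator
+all:
+- has:
+stopBy: neighbor
+kind: identifier
+pattern: $RC2
+- has:
+stopBy: neighbor
+kind: string_literal
+has:
+stopBy: neighbor
+kind: string_fragment
+regex: ^RC2$
+
+
+rule:
+kind: method_invocation
+any:
+- matches: $CIPHER.getInstance("RC2")
+- matches: $CIPHER.getInstance("RC2")_with_instance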
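Review bot: The `nthchild` key on lines 20, 24, 45 and 49 of this rule is lowercase, while the RC4 rule in the same commit writes `nthChild`, which is the spelling ast-grep documents; unless ast-grep accepts both forms, this rule will either fail to load or lose its positional check, so these should read `nthChild: 1` and `nthChild: 2`. The message on line 6 is also cut off — `Instead, use a strong, secure.` names no replacement — and could end `Instead, use an authenticated cipher such as AES/GCM/NoPadding.` (the `AES/CBC/PKCS7PADDING` string the RC4 rule recommends is not a standard JCE transformation name; the standard padding name is `PKCS5Padding`, and CBC gives no integrity). The second reference on line 11 is the Project Zero article on RC4, which does not cover RC2; a reference on RC2's related-key weakness, or dropping the link, would match the message. Indentation was stripped in this rendering, so whether `not:` on line 58 sits under `pattern: $RC2` or beside the enclosing `has:` could not be verified and is worth a second look.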
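--- /dev/null
+++ b/<path not shown on page: use-of-rc4-java rule>
@@ -0,0 +1,42 @@
+id: use-of-rc4-java
+language: java
+severity: warning
+message: >-
+'Use of RC4 was detected. RC4 is vulnerable to several attacks,
+including stream cipher attacks and bit flipping attacks. Instead, use a
+strong, secure cipher: Cipher.getInstance("AES/CBC/PKCS7PADDING"). See
+https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions
+for more information.'
+note: >-
+[CWE-327] Use of a Broken or Risky Cryptographic Algorithm
+[REFERENCES]
+- https://owasp.org/Top10/A02_2021-Cryptographic_Failures
+- https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html
+
+rule:
+pattern: $CIPHER.getInstance($ARGUMENT)
+
+constraints:
+ARGUMENT:
+any:
+- has:
+stopBy: end
+kind: string_literal
+has:
+kind: string_fragment
+regex: ^RC4$
+- kind: string_literal
+has:
+kind: string_fragment
+regex: ^RC4$
+
+all:
+- not:
+has:
+nthChild: 2
+- not:
+has:
+stopBy: end
+any:
+- kind: array_access
+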
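Review bot: The constraint only recognises the literal `"RC4"` (`regex: ^RC4$` on lines 27 and 31), so `Cipher.getInstance("ARCFOUR")` — the JCE standard name for this cipher, of which `RC4` is the SunJCE alias — is not flagged; `regex: ^(RC4|ARCFOUR)$` closes that gap. Unlike the RC2 rule in this commit, there is also no handling of the indirect form `String alg = "RC4"; Cipher.getInstance(alg);`, so the two rules cover different shapes of the same call; either port the `_with_instance` util or say in the rule that only literal arguments are detected. The replacement suggested on line 7, `Cipher.getInstance("AES/CBC/PKCS7PADDING")`, is not a standard JCE transformation (the standard padding name is `PKCS5Padding`) and CBC provides no integrity, so `AES/GCM/NoPadding` is the safer recommendation — `tests/java/use-of-rc4-java-test.yml` uses the same string as its valid case. The single quotes around the folded scalar on lines 5–9 are inside a `>-` block and will appear literally in the emitted message.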
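--- /dev/null
+++ b/<path not shown on page: use-of-rc2-java snapshot>
@@ -0,0 +1,168 @@
+id: use-of-rc2-java
+snapshots:
+? |
+public void testRC2InMap() {
+Map<String, Cipher> cipherMap = new HashMap<>();
+cipherMap.put("RC2", Cipher.getInstance("RC2"));
+}
+: labels:
+- source: Cipher.getInstance("RC2")
+style: primary
+start: 99
+end: 124
+- source: Cipher
+style: secondary
+start: 99
+end: 105
+- source: getInstance
+style: secondary
+start: 106
+end: 117
+- source: RC2
+style: secondary
+start: 119
+end: 122
+- source: ("RC2")
+style: secondary
+start: 117
+end: 124
+? |-
+public void testRC2InSwitch() {
+String algorithm = "RC2";
+switch (algorithm) {
+case "RC2":
+try {
+Cipher.getInstance(algorithm);
+} catch (Exception e) {
+e.printStackTrace();
+}
+break;
+}
+}
+: labels:
+- source: Cipher.getInstance(algorithm)
+style: primary
+start: 109
+end: 138
+- source: Cipher
+style: secondary
+start: 109
+end: 115
+- source: getInstance
+style: secondary
+start: 116
+end: 127
+- source: algorithm
+style: secondary
+start: 128
+end: 137
+- source: (algorithm)
+style: secondary
+start: 127
+end: 138
+- source: algorithm
+style: secondary
+start: 39
+end: 48
+- source: RC2
+style: secondary
+start: 52
+end: 55
+- source: '"RC2"'
+style: secondary
+start: 51
+end: 56
+- source: algorithm = "RC2"
+style: secondary
+start: 39
+end: 56
+- source: String algorithm = "RC2";
+style: secondary
+start: 32
+end: 57
+- source: String algorithm = "RC2";
+style: secondary
+start: 32
+end: 57
+? |
+public void testRC2InSwitch() {
+String algorithm = "RC2";
+switch (algorithm) {
+case "RC2":
+try {
+Cipher.getInstance(algorithm);
+} catch (Exception e) {
+e.printStackTrace();
+}
+break;
+}
+}
+: labels:
+- source: Cipher.getInstance(algorithm)
+style: primary
+start: 109
+end: 138
+- source: Cipher
+style: secondary
+start: 109
+end: 115
+- source: getInstance
+style: secondary
+start: 116
+end: 127
+- source: algorithm
+style: secondary
+start: 128
+end: 137
+- source: (algorithm)
+style: secondary
+start: 127
+end: 138
+- source: algorithm
+style: secondary
+start: 39
+end: 48
+- source: RC2
+style: secondary
+start: 52
+end: 55
+- source: '"RC2"'
+style: secondary
+start: 51
+end: 56
+- source: algorithm = "RC2"
+style: secondary
+start: 39
+end: 56
+- source: String algorithm = "RC2";
+style: secondary
+start: 32
+end: 57
+- source: String algorithm = "RC2";
+style: secondary
+start: 32
+end: 57
+? |
+useCipher(Cipher.getInstance("RC2"));
+Cipher.getInstance("RC2");
+: labels:
+- source: Cipher.getInstance("RC2")
+style: primary
+start: 10
+end: 35
+- source: Cipher
+style: secondary
+start: 10
+end: 16
+- source: getInstance
+style: secondary
+start: 17
+end: 28
+- source: RC2
+style: secondary
+start: 30
+end: 33
+- source: ("RC2")
+style: secondary
+start: 28
+end: 35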
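--- /dev/null
+++ b/<path not shown on page: use-of-rc4-java snapshot>
@@ -0,0 +1,24 @@
+id: use-of-rc4-java
+snapshots:
+? |
+Cipher.getInstance("RC4");
+: labels:
+- source: Cipher.getInstance("RC4")
+style: primary
+start: 0
+end: 25
+- source: RC4
+style: secondary
+start: 20
+end: 23
+? |
+useCipher(Cipher.getInstance("RC4"));
+: labels:
+- source: Cipher.getInstance("RC4")
+style: primary
+start: 10
+end: 35
+- source: RC4
+style: secondary
+start: 30
+end: 33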

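--- /dev/null
+++ b/tests/java/use-of-rc2-java-test.yml
@@ -0,0 +1,39 @@
+id: use-of-rc2-java
+valid:
+- |
+Cipher.getInstance("AES/CBC/PKCS7PADDING");
+invalid:
+- |
+useCipher(Cipher.getInstance("RC2"));
+Cipher.getInstance("RC2");
+- |
+public void testRC2InSwitch() {
+String algorithm = "RC2";
+switch (algorithm) {
+case "RC2":
+try {
+Cipher.getInstance(algorithm);
+} catch (Exception e) {
+e.printStackTrace();
+}
+break;
+}
+}
+- |
+public void testRC2InMap() {
+Map<String, Cipher> cipherMap = new HashMap<>();
+cipherMap.put("RC2", Cipher.getInstance("RC2"));
+}
+- |
+public void testRC2InSwitch() {
+String algorithm = "RC2";
+switch (algorithm) {
+case "RC2":
+try {
+Cipher.getInstance(algorithm);
+} catch (Exception e) {
+e.printStackTrace();
+}
+break;
+}
+}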
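Review bot: The `testRC2InSwitch` case appears twice under `invalid:` (lines 9–21 and 27–39) with identical content, which only duplicates the snapshot entry without adding coverage; dropping the second copy keeps the snapshot file in step. The `valid:` set has a single literal-argument case, so the rule's negative constraints — the `array_access` exclusions and the `_with_instance` util's requirement that the variable be declared with the string `"RC2"` — are never exercised; a valid case such as `String algorithm = "AES/GCM/NoPadding"; Cipher.getInstance(algorithm);`, plus one whose argument is an array element (what the `array_access` exclusion appears intended for), would confirm the rule stays quiet where it should. The `AES/CBC/PKCS7PADDING` string on line 4 is not a standard JCE transformation name; it still works as a non-RC2 negative case, but `AES/GCM/NoPadding` would double as a correct example.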

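--- /dev/null
+++ b/tests/java/use-of-rc4-java-test.yml
@@ -0,0 +1,9 @@
+id: use-of-rc4-java
+valid:
+- |
+Cipher.getInstance("AES/CBC/PKCS7PADDING");
+invalid:
+- |
+Cipher.getInstance("RC4");
+- |
+useCipher(Cipher.getInstance("RC4"));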
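Review bot: Both `invalid:` cases and the single `valid:` case pass a string literal directly, so nothing in this file exercises the rule's `nthChild: 2` and `array_access` exclusions or the behaviour on a variable argument; a valid case such as `String alg = "AES/GCM/NoPadding"; Cipher.getInstance(alg);` would pin that the rule stays silent on non-literal, non-RC4 arguments. If the rule is widened to the `ARCFOUR` standard name, an invalid case `Cipher.getInstance("ARCFOUR");` belongs here as well. The valid example on line 4 uses `AES/CBC/PKCS7PADDING`, which is not a standard JCE padding name; `AES/GCM/NoPadding` would serve as a negative case that also compiles against the default provider.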
