desede-is-deprecated-java

Sakshis · Sakshis · commit 4993fa844257 · 2024-12-16T11:49:58.000Z
diff --git a/rules/java/security/desede-is-deprecated-java.yml b/rules/java/security/desede-is-deprecated-java.yml
@@ -0,0 +1,50 @@
+id: desede-is-deprecated-java
+language: java
+severity: warning
+message: >-
+    Triple DES (3DES or DESede) is considered deprecated. AES is the recommended cipher. Upgrade to use AES.
+note: >-
+  [CWE-326]: Inadequate Encryption Strength
+  [OWASP A03:2017]: Sensitive Data Exposure
+  [OWASP A02:2021]: Cryptographic Failures
+  [REFERENCES]
+      - https://find-sec-bugs.github.io/bugs.htm#TDES_USAGE
+      - https://csrc.nist.gov/News/2017/Update-to-Current-Use-and-Deprecation-of-TDEA
+utils:
+      match_method_invocation:
+            kind: method_invocation
+            all:
+                  - has:
+                        stopBy: end
+                        kind: identifier
+                  - has:
+                        stopBy: end
+                        kind: identifier
+                        regex: '^getInstance$'
+            has:
+                  stopBy: end
+                  kind: argument_list
+                  has:
+                        stopBy: end
+                        kind: string_literal
+                        regex: 'DESede'
+      match_key_generator:
+            kind: method_invocation
+            nthChild: 1
+            all:
+            - has:
+                  stopBy: end
+                  kind: field_access
+                  field: object
+            - has:
+                  stopBy: end
+                  kind: identifier
+                  regex: '^KeyGenerator$'
+rule:
+      any:
+            - matches: match_method_invocation
+            - matches: match_key_generator
+
+                     
+            
+
diff --git a/tests/__snapshots__/desede-is-deprecated-java-snapshot.yml b/tests/__snapshots__/desede-is-deprecated-java-snapshot.yml
@@ -0,0 +1,40 @@
+id: desede-is-deprecated-java
+snapshots:
+  ? |
+    Cipher c = Cipher.getInstance("kDESede/ECB/PKCS5Padding");
+    c.init(Cipher.ENCRYPT_MODE, k, iv);
+  : labels:
+    - source: Cipher.getInstance("kDESede/ECB/PKCS5Padding")
+      style: primary
+      start: 11
+      end: 57
+    - source: Cipher
+      style: secondary
+      start: 11
+      end: 17
+    - source: getInstance
+      style: secondary
+      start: 18
+      end: 29
+    - source: '"kDESede/ECB/PKCS5Padding"'
+      style: secondary
+      start: 30
+      end: 56
+    - source: ("kDESede/ECB/PKCS5Padding")
+      style: secondary
+      start: 29
+      end: 57
+  ? "javax.crypto.SecretKey key = javax.crypto.KeyGenerator.getInstance(\"DES\").generateKey();   \n"
+  : labels:
+    - source: javax.crypto.KeyGenerator.getInstance("DES")
+      style: primary
+      start: 29
+      end: 73
+    - source: javax.crypto.KeyGenerator
+      style: secondary
+      start: 29
+      end: 54
+    - source: KeyGenerator
+      style: secondary
+      start: 42
+      end: 54
diff --git a/tests/java/desede-is-deprecated-java-test.yml b/tests/java/desede-is-deprecated-java-test.yml
@@ -0,0 +1,10 @@
+id: desede-is-deprecated-java
+valid:
+  - |
+    Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
+invalid:
+  - |
+     Cipher c = Cipher.getInstance("kDESede/ECB/PKCS5Padding");
+     c.init(Cipher.ENCRYPT_MODE, k, iv);
+  - |
+    javax.crypto.SecretKey key = javax.crypto.KeyGenerator.getInstance("DES").generateKey();   
