
Commit 65ef683

ESS-ENNSakshis
and
Sakshis
authored
Add security rules for SHA-1, AES-ECB, and Blowfish in Java (#173)
* use-of-sha1-java * use-of-default-aes * use-of-blowfish --------- Co-authored-by: Sakshis <sakshil@abc.com>
1 parent ad565d0 commit 65ef683

9 files changed

+804
-0
lines changed
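--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE/use-of-blowfish-java
@@ -0,0 +1,50 @@
+id: use-of-blowfish-java
+severity: warning
+language: java
+message: >-
+'Use of Blowfish was detected. Blowfish uses a 64-bit block size
+that makes it vulnerable to birthday attacks, and is therefore considered
+non-compliant. Instead, use a strong, secure cipher:
+Cipher.getInstance("AES/CBC/PKCS7PADDING"). See
+https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions
+for more information.'
+note: >-
+[CWE-327] Use of a Broken or Risky Cryptographic Algorithm.
+[REFERENCES]
+- https://owasp.org/Top10/A02_2021-Cryptographic_Failures
+- https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html
+
+ast-grep-essentials: true
+rule:
+kind: method_invocation
+all:
+- has:
+kind: identifier
+field: name
+regex: ^getInstance$
+nthChild:
+position: 2
+reverse: true
+- has:
+kind: argument_list
+field: arguments
+nthChild:
+position: 1
+reverse: true
+has:
+nthChild:
+position: 1
+ofRule:
+not:
+kind: line_comment
+kind: string_literal
+has:
+kind: string_fragment
+regex: ^Blowfish$
+not:
+has:
+nthChild:
+position: 2
+ofRule:
+not:
+kind: line_comment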
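Review bot: The replacement recommended in `message` on line 8, `Cipher.getInstance("AES/CBC/PKCS7PADDING")`, is not a padding name the JDK's built-in SunJCE provider registers (it spells it `PKCS5Padding`; `PKCS7Padding` is a third-party provider name) and CBC is unauthenticated, so a developer following the advice gets either a NoSuchAlgorithmException or a malleable ciphertext; `Cipher.getInstance("AES/GCM/NoPadding")` is the safer text, and the same string appears in the use-of-default-aes-java file of this commit and should be changed there too. The match on line 43, `regex: ^Blowfish$`, only catches the bare algorithm name, while JCA algorithm names are case-insensitive and a transformation such as `"Blowfish/CBC/PKCS5Padding"` uses the same 64-bit block; `regex: (?i)^blowfish(/.*)?$` would cover both, since the Rust regex engine ast-grep uses accepts the inline flag. Because the rendered page has lost the YAML indentation, I cannot tell whether the trailing `not: has: nthChild: position: 2` (lines 44-50) hangs off the argument list or the invocation; if it is the former, the two-argument form `getInstance("Blowfish", provider)` is presumably skipped on purpose, which deserves a comment. The `[REFERENCES]` entry on line 15 is an RC4 write-up that says nothing about Blowfish; a reference on 64-bit block ciphers (e.g. the Sweet32 paper) would fit the message better.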
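--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE/use-of-default-aes-java
@@ -0,0 +1,320 @@
+id: use-of-default-aes-java
+severity: warning
+language: java
+message: >-
+"Use of AES with no settings detected. By default, java.crypto.Cipher
+uses ECB mode. ECB doesn't provide message confidentiality and is not
+semantically secure so should not be used. Instead, use a strong, secure
+cipher: java.crypto.Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See
+https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions
+for more information."
+note: >-
+[CWE-327] Use of a Broken or Risky Cryptographic Algorithm.
+[REFERENCES]
+- https://owasp.org/Top10/A02_2021-Cryptographic_Failures
+- https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html
+
+ast-grep-essentials: true
+rule:
+any:
+- kind: method_invocation
+all:
+- has:
+kind: field_access
+nthChild: 1
+regex: ^javax.crypto.Cipher$
+- has:
+kind: identifier
+nthChild: 2
+regex: ^getInstance$
+- has:
+kind: argument_list
+nthChild: 3
+has:
+pattern: $AES
+nthChild:
+position: 1
+ofRule:
+not:
+kind: line_comment
+not:
+has:
+nthChild:
+position: 2
+ofRule:
+not:
+kind: line_comment
+inside:
+stopBy: end
+follows:
+stopBy: end
+kind: import_declaration
+any:
+- pattern: import javax.*;
+- pattern: import javax;
+- kind: import_declaration
+has:
+stopBy: neighbor
+kind: scoped_identifier
+has:
+stopBy: end
+kind: identifier
+nthChild: 1
+regex: ^javax$
+- kind: method_invocation
+all:
+- has:
+kind: field_access
+nthChild: 1
+regex: ^crypto.Cipher$
+- has:
+kind: identifier
+nthChild: 2
+regex: ^getInstance$
+- has:
+kind: argument_list
+has:
+pattern: $AES
+nthChild:
+position: 1
+ofRule:
+not:
+kind: line_comment
+not:
+has:
+nthChild:
+position: 2
+ofRule:
+not:
+kind: line_comment
+inside:
+stopBy: end
+follows:
+stopBy: end
+kind: import_declaration
+any:
+- kind: import_declaration
+has:
+stopBy: neighbor
+kind: scoped_identifier
+has:
+stopBy: end
+kind: identifier
+nthChild: 1
+regex: ^javax$
+- pattern: import javax.crypto;
+- pattern: import javax.*;
+- kind: import_declaration
+has:
+stopBy: neighbor
+kind: scoped_identifier
+has:
+stopBy: end
+kind: identifier
+nthChild: 1
+regex: ^javax$
+- kind: method_invocation
+all:
+- has:
+kind: identifier
+nthChild: 1
+regex: ^Cipher$
+- has:
+kind: identifier
+nthChild: 2
+regex: ^getInstance$
+- has:
+kind: argument_list
+has:
+pattern: $AES
+nthChild:
+position: 1
+ofRule:
+not:
+kind: line_comment
+not:
+has:
+nthChild:
+position: 2
+ofRule:
+not:
+kind: line_comment
+- inside:
+stopBy: end
+follows:
+stopBy: end
+kind: import_declaration
+any:
+- pattern: import javax.crypto.*;
+- pattern: import javax.crypto.Cipher;
+- kind: import_declaration
+has:
+stopBy: neighbor
+kind: scoped_identifier
+has:
+stopBy: end
+kind: identifier
+nthChild: 1
+regex: ^javax.crypto.*$
+- kind: method_invocation
+all:
+- has:
+kind: identifier
+nthChild: 1
+pattern: $INST
+- has:
+kind: identifier
+nthChild: 2
+regex: ^getInstance$
+- has:
+kind: argument_list
+has:
+pattern: $AES
+nthChild:
+position: 1
+ofRule:
+not:
+kind: line_comment
+not:
+has:
+nthChild:
+position: 2
+ofRule:
+not:
+kind: line_comment
+- inside:
+stopBy: end
+follows:
+stopBy: end
+any:
+- kind: field_declaration
+- kind: local_variable_declaration
+all:
+- has:
+kind: scoped_type_identifier
+regex: ^javax.crypto.Cipher$
+- has:
+kind: variable_declarator
+has:
+kind: identifier
+pattern: $INST
+- inside:
+stopBy: end
+follows:
+stopBy: end
+kind: import_declaration
+any:
+- pattern: import javax.crypto.Cipher;
+- pattern: import javax;
+- kind: method_invocation
+all:
+- has:
+kind: identifier
+nthChild: 1
+pattern: $INST
+- has:
+kind: identifier
+nthChild: 2
+regex: ^getInstance$
+- has:
+kind: argument_list
+has:
+pattern: $AES
+nthChild:
+position: 1
+ofRule:
+not:
+kind: line_comment
+not:
+has:
+nthChild:
+position: 2
+ofRule:
+not:
+kind: line_comment
+- inside:
+stopBy: end
+follows:
+stopBy: end
+any:
+- kind: field_declaration
+- kind: local_variable_declaration
+all:
+- has:
+kind: scoped_type_identifier
+regex: ^crypto.Cipher$
+- has:
+kind: variable_declarator
+has:
+kind: identifier
+pattern: $INST
+- inside:
+stopBy: end
+follows:
+stopBy: end
+kind: import_declaration
+any:
+- pattern: import javax.*;
+- pattern: import javax.crypto;
+- pattern: import javax.crypto.Cipher;
+- kind: method_invocation
+all:
+- has:
+kind: identifier
+nthChild: 1
+pattern: $INST
+- has:
+kind: identifier
+nthChild: 2
+regex: ^getInstance$
+- has:
+kind: argument_list
+has:
+pattern: $AES
+nthChild:
+position: 1
+ofRule:
+not:
+kind: line_comment
+not:
+has:
+nthChild:
+position: 2
+ofRule:
+not:
+kind: line_comment
+- inside:
+stopBy: end
+follows:
+stopBy: end
+any:
+- kind: field_declaration
+- kind: local_variable_declaration
+all:
+- has:
+kind: type_identifier
+regex: ^Cipher$
+- has:
+kind: variable_declarator
+has:
+kind: identifier
+pattern: $INST
+- inside:
+stopBy: end
+follows:
+stopBy: end
+kind: import_declaration
+any:
+- pattern: import javax.crypto.Cipher;
+- pattern: import javax.crypto.*;
+not:
+has:
+stopBy: end
+kind: ERROR
+constraints:
+AES:
+kind: string_literal
+all:
+- has:
+kind: string_fragment
+regex: ^\s*(AES)\s*$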
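Review bot: The `message` block names the class `java.crypto.Cipher` on lines 5 and 8, while the rule itself matches `javax.crypto.Cipher` (lines 25 and 195); the package is `javax.crypto`, so the text should read `By default, javax.crypto.Cipher` and `javax.crypto.Cipher.getInstance(...)`, and the recommended transformation has the same `PKCS7PADDING`/unauthenticated-CBC problem raised on the Blowfish file. Line 6 also overstates the case: ECB does encrypt, but equal plaintext blocks yield equal ciphertext blocks, so `ECB leaks plaintext structure and is not semantically secure` describes the risk more accurately. The `import javax;` patterns on lines 54 and 208 look like they can never match, because Java has no package-only import form; if they are meant as a guard they appear dead and could be dropped. The constraint on line 320, `^\s*(AES)\s*$`, flags only the bare `"AES"` string, so an explicit `"AES/ECB/PKCS5Padding"` is not reported by this rule — presumably intentional, but worth stating in the file, e.g. `# explicit ECB transformations are out of scope for this rule`.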
