use-of-blowfish-java

ESS-ENN · ESS-ENN · commit 6ff44388f4f0 · 2024-09-13T17:37:50.000+05:30
diff --git a/rules/java/security/use-of-blowfish-java.yml b/rules/java/security/use-of-blowfish-java.yml
@@ -0,0 +1,17 @@
+id: use-of-blowfish-java
+language: java
+severity: info
+message: >-
+  Use of Blowfish was detected. Blowfish uses a 64-bit block size
+      that  makes it vulnerable to birthday attacks, and is therefore considered
+      non-compliant.  Instead, use a strong, secure cipher:
+      Cipher.getInstance("AES/CBC/PKCS7PADDING"). See
+      https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions
+      for more information.
+note: >-
+  [CWE-327] Use of a Broken or Risky Cryptographic Algorithm
+  [REFERENCES]
+      - https://owasp.org/Top10/A02_2021-Cryptographic_Failures
+      - https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html
+rule:
+  pattern: $CIPHER.getInstance("Blowfish")
diff --git a/tests/__snapshots__/use-of-blowfish-java-snapshot.yml b/tests/__snapshots__/use-of-blowfish-java-snapshot.yml
@@ -0,0 +1,16 @@
+id: use-of-blowfish-java
+snapshots:
+  ? |
+    Cipher.getInstance("Blowfish");
+  : labels:
+    - source: Cipher.getInstance("Blowfish")
+      style: primary
+      start: 0
+      end: 30
+  ? |
+    useCipher(Cipher.getInstance("Blowfish"));
+  : labels:
+    - source: Cipher.getInstance("Blowfish")
+      style: primary
+      start: 10
+      end: 40
diff --git a/tests/java/use-of-blowfish-java-test.yml b/tests/java/use-of-blowfish-java-test.yml
@@ -0,0 +1,9 @@
+id: use-of-blowfish-java
+valid:
+  - |
+    Cipher.getInstance("AES/CBC/PKCS7PADDING");
+invalid:
+  - |
+    Cipher.getInstance("Blowfish");
+  - |
+    useCipher(Cipher.getInstance("Blowfish"));
