Add security rules for weak encryption practices in Java and Kotlin (#82)

ESS-ENN · Sakshis · web-flow · commit a248264920ce · 2024-12-26T12:29:08.000+05:30
* des-is-deprecated-kotlin

* rsa-no-padding-java

* modification in des-is-deprecated-java

---------

Co-authored-by: Sakshis &lt;sakshil@abc.com&gt;
diff --git a/rules/java/security/des-is-deprecated-java.yml b/rules/java/security/des-is-deprecated-java.yml
@@ -11,6 +11,6 @@ note: >-
       - https://www.nist.gov/news-events/news/2005/06/nist-withdraws-outdated-data-encryption-standard
 rule:
   pattern: $CIPHER.getInstance($SAS)
-constraints:
+constraints: 
   SAS:
-    regex: "DES"
+    regex: ^".*/DES/.*"|"DES"|"DES/.*"$
diff --git a/rules/java/security/rsa-no-padding-java.yml b/rules/java/security/rsa-no-padding-java.yml
@@ -0,0 +1,14 @@
+id: rsa-no-padding-java
+severity: warning
+language: java
+message: >-
+  Using RSA without OAEP mode weakens the encryption.
+note: >-
+  [CWE-326] Inadequate Encryption Strength
+  [REFERENCES]
+      - https://rdist.root.org/2009/10/06/why-rsa-encryption-padding-is-critical/
+rule:
+  pattern: $YST.getInstance($MODE)
+constraints:
+  MODE:
+    regex: 'RSA/[Nn][Oo][Nn][Ee]/NoPadding'
diff --git a/rules/kotlin/security/des-is-deprecated-kotlin.yml b/rules/kotlin/security/des-is-deprecated-kotlin.yml
@@ -0,0 +1,16 @@
+id: des-is-deprecated-kotlin
+severity: warning
+language: kotlin
+message: >-
+      DES is considered deprecated. AES is the recommended cipher. Upgrade to
+      use AES. See https://www.nist.gov/news-events/news/2005/06/nist-withdraws-outdated-data-encryption-standard
+      for more information.
+note: >-
+  [CWE-326] Inadequate Encryption Strength.
+  [REFERENCES]
+      - https://www.nist.gov/news-events/news/2005/06/nist-withdraws-outdated-data-encryption-standard
+rule:
+  pattern: $CIPHER.getInstance($SAS)
+constraints: 
+  SAS:
+    regex: ^"DES/.*"|"DES"$
diff --git a/tests/__snapshots__/des-is-deprecated-kotlin-snapshot.yml b/tests/__snapshots__/des-is-deprecated-kotlin-snapshot.yml
@@ -0,0 +1,9 @@
+id: des-is-deprecated-kotlin
+snapshots:
+  ? |
+    Cipher.getInstance("DES/ECB/PKCS5Padding");
+  : labels:
+    - source: Cipher.getInstance("DES/ECB/PKCS5Padding")
+      style: primary
+      start: 0
+      end: 42
diff --git a/tests/__snapshots__/rsa-no-padding-java-snapshot.yml b/tests/__snapshots__/rsa-no-padding-java-snapshot.yml
@@ -0,0 +1,16 @@
+id: rsa-no-padding-java
+snapshots:
+  ? |
+    Cipher.getInstance("RSA/NONE/NoPadding");
+  : labels:
+    - source: Cipher.getInstance("RSA/NONE/NoPadding")
+      style: primary
+      start: 0
+      end: 40
+  ? |
+    Cipher.getInstance("RSA/None/NoPadding");
+  : labels:
+    - source: Cipher.getInstance("RSA/None/NoPadding")
+      style: primary
+      start: 0
+      end: 40
diff --git a/tests/java/rsa-no-padding-java-test.yml b/tests/java/rsa-no-padding-java-test.yml
@@ -0,0 +1,9 @@
+id: rsa-no-padding-java
+valid:
+  - |
+    Cipher.getInstance("RSA/ECB/OAEPWithMD5AndMGF1Padding");
+invalid:
+  - |
+    Cipher.getInstance("RSA/None/NoPadding");
+  - |
+    Cipher.getInstance("RSA/NONE/NoPadding");
diff --git a/tests/kotlin/des-is-deprecated-kotlin-test.yml b/tests/kotlin/des-is-deprecated-kotlin-test.yml
@@ -0,0 +1,7 @@
+id: des-is-deprecated-kotlin
+valid:
+  - |
+    Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
+invalid:
+  - |
+    Cipher.getInstance("DES/ECB/PKCS5Padding");
