
Commit bc2b9aa

committed
weak-ssl-context-java
1 parent d89449e commit bc2b9aa


3 files changed

+255
-0
lines changed

Lines changed: 79 additions & 0 deletions
@@ -0,0 +1,79 @@
1+
id: weak-ssl-context-java
2+
language: java
3+
severity: warning
4+
message: >-
5+
'An insecure SSL context was detected. TLS versions 1.0, 1.1, and all
6+
SSL versions are considered weak encryption and are deprecated. Use
7+
SSLContext.getInstance("TLSv1.2") for the best security.'
8+
note: >-
9+
[CWE-326] Inadequate Encryption Strength
10+
[REFERENCES]
11+
- https://tools.ietf.org/html/rfc7568
12+
- https://tools.ietf.org/id/draft-ietf-tls-oldversions-deprecate-02.html
13+
14+
ast-grep-essentials: true
15+
16+
# rule:
17+
# all:
18+
# - pattern: SSLContext.getInstance($CONTEXT)
19+
20+
# constraints:
21+
# CONTEXT:
22+
# any:
23+
# - kind: string_literal
24+
# has:
25+
# kind: string_fragment
26+
# all:
27+
# - not:
28+
# regex: ^TLSv1.2$
29+
# - not:
30+
# regex: ^TLSv1.3$
31+
# - kind: string_literal
32+
# not:
33+
# has:
34+
# kind: string_fragment
35+
36+
rule:
37+
kind: method_invocation
38+
not:
39+
has:
40+
stopBy: end
41+
kind: method_invocation
42+
all:
43+
- has:
44+
kind: identifier
45+
field: object
46+
nthChild: 1
47+
regex: ^SSLContext$
48+
- has:
49+
kind: identifier
50+
field: name
51+
nthChild: 2
52+
regex: ^getInstance$
53+
- has:
54+
kind: argument_list
55+
field: arguments
56+
nthChild: 3
57+
has:
58+
nthChild:
59+
position: 1
60+
ofRule:
61+
kind: string_literal
62+
any:
63+
- not:
64+
has:
65+
kind: string_fragment
66+
- has:
67+
kind: string_fragment
68+
all:
69+
- not:
70+
regex: ^TLSv1.2$
71+
- not:
72+
regex: ^TLSv1.3$
73+
not:
74+
has:
75+
nthChild:
76+
position: 2
77+
ofRule:
78+
not:
79+
kind: line_comment
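Review bot: The rule does not cover the provider overloads of `getInstance`: the closing `not: has: nthChild: position: 2 ofRule: not: kind: line_comment` clause (lines 73-79) rejects any call that has a second non-comment argument, so `SSLContext.getInstance("SSLv3", "SunJSSE")` or `getInstance("SSL", provider)` is never reported although the protocol string is just as weak (the exact nesting is hard to confirm here because the rendered view drops indentation). Unless excluding those calls is deliberate, drop that clause or replace it with a constraint on the first argument only, so the protocol literal is checked regardless of what follows it. The allow-list regexes `^TLSv1.2$` and `^TLSv1.3$` also leave the dot unescaped, so an odd literal such as `"TLSv1x2"` would be treated as safe; write `^TLSv1\.2$` and `^TLSv1\.3$`. Finally, the message recommends `SSLContext.getInstance("TLSv1.2")` "for the best security" while the rule already accepts `TLSv1.3`; prefer `Use SSLContext.getInstance("TLSv1.3"), or "TLSv1.2" where 1.3 is unavailable`, and consider adding to the note that the protocol string only selects the context's default and that the versions actually negotiated also depend on `jdk.tls.disabledAlgorithms` and `setEnabledProtocols`, so a `"TLS"` hit is an audit signal rather than a confirmed downgrade.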
Lines changed: 157 additions & 0 deletions
@@ -0,0 +1,157 @@
1+
id: weak-ssl-context-java
2+
snapshots:
3+
? |
4+
SSLContext ctx = SSLContext.getInstance("SSL");
5+
: labels:
6+
- source: SSLContext.getInstance("SSL")
7+
style: primary
8+
start: 17
9+
end: 46
10+
- source: SSLContext
11+
style: secondary
12+
start: 17
13+
end: 27
14+
- source: getInstance
15+
style: secondary
16+
start: 28
17+
end: 39
18+
- source: SSL
19+
style: secondary
20+
start: 41
21+
end: 44
22+
- source: SSL
23+
style: secondary
24+
start: 41
25+
end: 44
26+
- source: '"SSL"'
27+
style: secondary
28+
start: 40
29+
end: 45
30+
- source: ("SSL")
31+
style: secondary
32+
start: 39
33+
end: 46
34+
? |
35+
SSLContext ctx = SSLContext.getInstance("SSLv3");
36+
: labels:
37+
- source: SSLContext.getInstance("SSLv3")
38+
style: primary
39+
start: 17
40+
end: 48
41+
- source: SSLContext
42+
style: secondary
43+
start: 17
44+
end: 27
45+
- source: getInstance
46+
style: secondary
47+
start: 28
48+
end: 39
49+
- source: SSLv3
50+
style: secondary
51+
start: 41
52+
end: 46
53+
- source: SSLv3
54+
style: secondary
55+
start: 41
56+
end: 46
57+
- source: '"SSLv3"'
58+
style: secondary
59+
start: 40
60+
end: 47
61+
- source: ("SSLv3")
62+
style: secondary
63+
start: 39
64+
end: 48
65+
? |
66+
SSLContext ctx = SSLContext.getInstance("TLS");
67+
: labels:
68+
- source: SSLContext.getInstance("TLS")
69+
style: primary
70+
start: 17
71+
end: 46
72+
- source: SSLContext
73+
style: secondary
74+
start: 17
75+
end: 27
76+
- source: getInstance
77+
style: secondary
78+
start: 28
79+
end: 39
80+
- source: TLS
81+
style: secondary
82+
start: 41
83+
end: 44
84+
- source: TLS
85+
style: secondary
86+
start: 41
87+
end: 44
88+
- source: '"TLS"'
89+
style: secondary
90+
start: 40
91+
end: 45
92+
- source: ("TLS")
93+
style: secondary
94+
start: 39
95+
end: 46
96+
? |
97+
SSLContext ctx = SSLContext.getInstance("TLSv1");
98+
: labels:
99+
- source: SSLContext.getInstance("TLSv1")
100+
style: primary
101+
start: 17
102+
end: 48
103+
- source: SSLContext
104+
style: secondary
105+
start: 17
106+
end: 27
107+
- source: getInstance
108+
style: secondary
109+
start: 28
110+
end: 39
111+
- source: TLSv1
112+
style: secondary
113+
start: 41
114+
end: 46
115+
- source: TLSv1
116+
style: secondary
117+
start: 41
118+
end: 46
119+
- source: '"TLSv1"'
120+
style: secondary
121+
start: 40
122+
end: 47
123+
- source: ("TLSv1")
124+
style: secondary
125+
start: 39
126+
end: 48
127+
? |
128+
SSLContext ctx = SSLContext.getInstance("TLSv1.1");
129+
: labels:
130+
- source: SSLContext.getInstance("TLSv1.1")
131+
style: primary
132+
start: 17
133+
end: 50
134+
- source: SSLContext
135+
style: secondary
136+
start: 17
137+
end: 27
138+
- source: getInstance
139+
style: secondary
140+
start: 28
141+
end: 39
142+
- source: TLSv1.1
143+
style: secondary
144+
start: 41
145+
end: 48
146+
- source: TLSv1.1
147+
style: secondary
148+
start: 41
149+
end: 48
150+
- source: '"TLSv1.1"'
151+
style: secondary
152+
start: 40
153+
end: 49
154+
- source: ("TLSv1.1")
155+
style: secondary
156+
start: 39
157+
end: 50
Lines changed: 19 additions & 0 deletions
@@ -0,0 +1,19 @@
1+
id: weak-ssl-context-java
2+
valid:
3+
- |
4+
SSLContext ctx = SSLContext.getInstance("TLSv1.2");
5+
- |
6+
SSLContext ctx = SSLContext.getInstance("TLSv1.3");
7+
- |
8+
SSLContext ctx = SSLContext.getInstance(getSslContext());
9+
invalid:
10+
- |
11+
SSLContext ctx = SSLContext.getInstance("SSL");
12+
- |
13+
SSLContext ctx = SSLContext.getInstance("TLS");
14+
- |
15+
SSLContext ctx = SSLContext.getInstance("TLSv1");
16+
- |
17+
SSLContext ctx = SSLContext.getInstance("SSLv3");
18+
- |
19+
SSLContext ctx = SSLContext.getInstance("TLSv1.1");
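Review bot: The `valid`/`invalid` lists only exercise the single-argument overload, yet `SSLContext.getInstance` also accepts a provider (`getInstance(String, String)` and `getInstance(String, Provider)`), and under the rule's position-2 exclusion those calls appear to go unreported. Adding `SSLContext ctx = SSLContext.getInstance("SSLv3", "SunJSSE");` under `invalid` and `SSLContext ctx = SSLContext.getInstance("TLSv1.3", "SunJSSE");` under `valid` would pin the intended behaviour either way. A `valid` entry with a constant such as `SSLContext ctx = SSLContext.getInstance(PROTOCOL);` would likewise document that non-literal protocol names are intentionally left uninspected, as the existing `getSslContext()` case suggests.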
