Skip to content

Add Security Rules for Weak Cryptographic Practices in Java and Go #116

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
wants to merge 4 commits into from
Closed

Add Security Rules for Weak Cryptographic Practices in Java and Go #116

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
0e97f58
use-of-rc2-java
Dec 16, 2024
9d4c5fa
use-of-rc4-java
Dec 16, 2024
b6820c3
use-of-weak-rsa-key-go
Dec 16, 2024
9faf1ba
use-of-weak-rsa-key-java
Dec 16, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
34 changes: 34 additions & 0 deletions rules/java/security/use-of-rc2-java.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,34 @@
id: use-of-rc2-java
language: java
severity: warning
message: >-
Use of RC2 was detected. RC2 is vulnerable to related-key attacks, and
is therefore considered non-compliant. Instead, use a strong, secure.
note: >-
[CWE-327] Use of a Broken or Risky Cryptographic Algorithm.
[REFERENCES]
- https://owasp.org/Top10/A02_2021-Cryptographic_Failures
- https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html
Comment on lines +10 to +11
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue

Update reference link

The reference to RC4 blog post is not relevant for an RC2-specific rule. Consider replacing with RC2-specific references such as:

rule:
any:
- pattern: $CIPHER.getInstance("RC2")
- pattern: $CIPHER.getInstance($R)
inside:
stopBy: end
kind: program
has:
stopBy: end
kind: local_variable_declaration
has:
stopBy: end
kind: variable_declarator
all:
- has:
stopBy: neighbor
kind: identifier
pattern: $R
- has:
stopBy: neighbor
kind: string_literal
regex: ^"RC2"$

16 changes: 16 additions & 0 deletions rules/java/security/use-of-rc4-java.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,16 @@
id: use-of-rc4-java
language: java
severity: warning
message: >-
'Use of RC4 was detected. RC4 is vulnerable to several attacks,
including stream cipher attacks and bit flipping attacks. Instead, use a
strong, secure cipher: Cipher.getInstance("AES/CBC/PKCS7PADDING"). See
https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions
for more information.'
note: >-
[CWE-327] Use of a Broken or Risky Cryptographic Algorithm
[REFERENCES]
- https://owasp.org/Top10/A02_2021-Cryptographic_Failures
- https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html
rule:
pattern: $CIPHER.getInstance("RC4")
46 changes: 46 additions & 0 deletions rules/java/security/use-of-weak-rsa-key-java.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,46 @@
id: use-of-weak-rsa-key-java
language: java
severity: warning
message: >-
RSA keys should be at least 2048 bits based on NIST recommendation.
note: >-
[CWE-326] Inadequate Encryption Strength.
[REFERENCES]
- https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#algorithms
utils:
WeakRSA:
kind: expression_statement
all:
- has:
stopBy: neighbor
kind: method_invocation
all:
- has:
stopBy: neighbor
kind: identifier
- has:
stopBy: neighbor
kind: identifier
regex: '^initialize$'
- has:
stopBy: neighbor
kind: argument_list
has:
stopBy: neighbor
any:
- kind: decimal_integer_literal
pattern: $AST
- kind: decimal_floating_point_literal
pattern: $AST
- kind: unary_expression
pattern: $AST
- follows:
stopBy: neighbor
pattern: KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA")

rule:
kind: expression_statement
matches: WeakRSA
constraints:
AST:
regex: '^(-?(0|[1-9][0-9]?|[1-9][0-9]{2}|1[0-9]{3}|20[0-3][0-9]|204[0-7])(\.[0-9]+)?|0|-[1-9][0-9]*|-[1-9][0-9]{2,}|-1[0-9]{3}|-20[0-3][0-9]|-204[0-7])$'
Comment on lines +41 to +46
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codebase verification

The regex pattern for RSA key size validation is incorrect and potentially dangerous

The test results reveal critical issues with the regex pattern:

  • It incorrectly accepts weak key sizes (512, 1024) that should be rejected
  • It incorrectly rejects secure key sizes (2048, 4096) that should be accepted
  • It dangerously accepts invalid values like negative numbers (-512), decimals (51.2), and zero (0)

For RSA keys, the pattern should:

  • Reject sizes below 2048 bits (current security standard)
  • Accept sizes 2048 bits and above
  • Only allow positive integers
🔗 Analysis chain

Verify the regex pattern coverage.

The regex pattern for key size validation is complex. Let's verify its coverage:

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Test regex pattern against various key sizes
echo "Testing key sizes against the regex pattern..."

test_sizes=(
  "2048"  # Valid
  "512"   # Invalid - too small
  "-512"  # Invalid - negative
  "51.2"  # Invalid - decimal
  "0"     # Invalid - zero
  "4096"  # Valid
  "1024"  # Invalid - too small
)

for size in "${test_sizes[@]}"; do
  if echo "$size" | grep -P '^(-?(0|[1-9][0-9]?|[1-9][0-9]{2}|1[0-9]{3}|20[0-3][0-9]|204[0-7])(\.[0-9]+)?|0|-[1-9][0-9]*|-[1-9][0-9]{2,}|-1[0-9]{3}|-20[0-3][0-9]|-204[0-7])$' > /dev/null; then
    echo "$size matches the pattern"
  else
    echo "$size does not match the pattern"
  fi
done

Length of output: 2033

🧰 Tools
🪛 yamllint (1.35.1)

[error] 44-44: trailing spaces

(trailing-spaces)

[warning] 45-45: wrong indentation: expected 2 but found 6

(indentation)

70 changes: 70 additions & 0 deletions tests/__snapshots__/use-of-rc2-java-snapshot.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,70 @@
id: use-of-rc2-java
snapshots:
? |
public void testRC2InMap() {
Map<String, Cipher> cipherMap = new HashMap<>();
cipherMap.put("RC2", Cipher.getInstance("RC2"));
}
: labels:
- source: Cipher.getInstance("RC2")
style: primary
start: 99
end: 124
? |
public void testRC2InSwitch() {
String algorithm = "RC2";
switch (algorithm) {
case "RC2":
try {
Cipher.getInstance(algorithm);
} catch (Exception e) {
e.printStackTrace();
}
break;
}
}
: labels:
- source: Cipher.getInstance(algorithm)
style: primary
start: 109
end: 138
- source: algorithm
style: secondary
start: 39
end: 48
- source: '"RC2"'
style: secondary
start: 51
end: 56
- source: algorithm = "RC2"
style: secondary
start: 39
end: 56
- source: String algorithm = "RC2";
style: secondary
start: 32
end: 57
- source: |
public void testRC2InSwitch() {
String algorithm = "RC2";
switch (algorithm) {
case "RC2":
try {
Cipher.getInstance(algorithm);
} catch (Exception e) {
e.printStackTrace();
}
break;
}
}
style: secondary
start: 0
end: 216
? |
useCipher(Cipher.getInstance("RC2"));
Cipher.getInstance("RC2");
: labels:
- source: Cipher.getInstance("RC2")
style: primary
start: 10
end: 35
16 changes: 16 additions & 0 deletions tests/__snapshots__/use-of-rc4-java-snapshot.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,16 @@
id: use-of-rc4-java
snapshots:
? |
Cipher.getInstance("RC4");
: labels:
- source: Cipher.getInstance("RC4")
style: primary
start: 0
end: 25
? |
useCipher(Cipher.getInstance("RC4"));
: labels:
- source: Cipher.getInstance("RC4")
style: primary
start: 10
end: 35
98 changes: 98 additions & 0 deletions tests/__snapshots__/use-of-weak-rsa-key-java-snapshot.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,98 @@
id: use-of-weak-rsa-key-java
snapshots:
? |
KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA");
keyGen.initialize(-512);
: labels:
- source: keyGen.initialize(-512);
style: primary
start: 63
end: 87
- source: keyGen
style: secondary
start: 63
end: 69
- source: initialize
style: secondary
start: 70
end: 80
- source: '-512'
style: secondary
start: 81
end: 85
- source: (-512)
style: secondary
start: 80
end: 86
- source: keyGen.initialize(-512)
style: secondary
start: 63
end: 86
- source: KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA");
style: secondary
start: 0
end: 62
? |
KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA");
keyGen.initialize(51.2);
: labels:
- source: keyGen.initialize(51.2);
style: primary
start: 63
end: 87
- source: keyGen
style: secondary
start: 63
end: 69
- source: initialize
style: secondary
start: 70
end: 80
- source: '51.2'
style: secondary
start: 81
end: 85
- source: (51.2)
style: secondary
start: 80
end: 86
- source: keyGen.initialize(51.2)
style: secondary
start: 63
end: 86
- source: KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA");
style: secondary
start: 0
end: 62
? |
KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA");
keyGen.initialize(512);
: labels:
- source: keyGen.initialize(512);
style: primary
start: 63
end: 86
- source: keyGen
style: secondary
start: 63
end: 69
- source: initialize
style: secondary
start: 70
end: 80
- source: '512'
style: secondary
start: 81
end: 84
- source: (512)
style: secondary
start: 80
end: 85
- source: keyGen.initialize(512)
style: secondary
start: 63
end: 85
- source: KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA");
style: secondary
start: 0
end: 62
39 changes: 39 additions & 0 deletions tests/java/use-of-rc2-java-test.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,39 @@
id: use-of-rc2-java
valid:
- |
Cipher.getInstance("AES/CBC/PKCS7PADDING");
invalid:
- |
useCipher(Cipher.getInstance("RC2"));
Cipher.getInstance("RC2");
- |
public void testRC2InSwitch() {
String algorithm = "RC2";
switch (algorithm) {
case "RC2":
try {
Cipher.getInstance(algorithm);
} catch (Exception e) {
e.printStackTrace();
}
break;
}
}
- |
public void testRC2InMap() {
Map<String, Cipher> cipherMap = new HashMap<>();
cipherMap.put("RC2", Cipher.getInstance("RC2"));
}
- |
public void testRC2InSwitch() {
String algorithm = "RC2";
switch (algorithm) {
case "RC2":
try {
Cipher.getInstance(algorithm);
} catch (Exception e) {
e.printStackTrace();
}
break;
}
}
9 changes: 9 additions & 0 deletions tests/java/use-of-rc4-java-test.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,9 @@
id: use-of-rc4-java
valid:
- |
Cipher.getInstance("AES/CBC/PKCS7PADDING");
invalid:
- |
Cipher.getInstance("RC4");
- |
useCipher(Cipher.getInstance("RC4"));
15 changes: 15 additions & 0 deletions tests/java/use-of-weak-rsa-key-java-test.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,15 @@
id: use-of-weak-rsa-key-java
valid:
- |
KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA");
keyGen.initialize(2048);
invalid:
- |
KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA");
keyGen.initialize(512);
- |
KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA");
keyGen.initialize(-512);
- |
KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA");
keyGen.initialize(51.2);