From 0e97f58624596fb9ce354daf2429f4fa53547c95 Mon Sep 17 00:00:00 2001
From: Sakshis
Date: Mon, 16 Dec 2024 07:22:42 +0000
Subject: [PATCH 1/4] use-of-rc2-java
---
 rules/java/security/use-of-rc2-java.yml | 34 +++++++++
 .../use-of-rc2-java-snapshot.yml | 70 +++++++++++++++++++
 tests/java/use-of-rc2-java-test.yml | 39 +++++++++++
 3 files changed, 143 insertions(+)
 create mode 100644 rules/java/security/use-of-rc2-java.yml
 create mode 100644 tests/__snapshots__/use-of-rc2-java-snapshot.yml
 create mode 100644 tests/java/use-of-rc2-java-test.yml
diff --git a/rules/java/security/use-of-rc2-java.yml b/rules/java/security/use-of-rc2-java.yml
new file mode 100644
index 00000000..fe526344
--- /dev/null
+++ b/rules/java/security/use-of-rc2-java.yml
@@ -0,0 +1,34 @@
+id: use-of-rc2-java
+language: java
+severity: warning
+message: >-
+ Use of RC2 was detected. RC2 is vulnerable to related-key attacks, and
+ is therefore considered non-compliant. Instead, use a strong, secure.
+note: >-
+ [CWE-327] Use of a Broken or Risky Cryptographic Algorithm.
+ [REFERENCES]
+ - https://owasp.org/Top10/A02_2021-Cryptographic_Failures
+ - https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html
+rule:
+ any:
+ - pattern: $CIPHER.getInstance("RC2")
+ - pattern: $CIPHER.getInstance($R)
+ inside:
+ stopBy: end
+ kind: program
+ has:
+ stopBy: end
+ kind: local_variable_declaration
+ has:
+ stopBy: end
+ kind: variable_declarator
+ all:
+ - has:
+ stopBy: neighbor
+ kind: identifier
+ pattern: $R
+ - has:
+ stopBy: neighbor
+ kind: string_literal
+ regex: ^"RC2"$
+
diff --git a/tests/__snapshots__/use-of-rc2-java-snapshot.yml b/tests/__snapshots__/use-of-rc2-java-snapshot.yml
new file mode 100644
index 00000000..19baa02a
--- /dev/null
+++ b/tests/__snapshots__/use-of-rc2-java-snapshot.yml
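Review bot: Both branches recognise only the bare literal `"RC2"`, so the usual JCE transformation form `Cipher.getInstance("RC2/CBC/PKCS5Padding")` is not flagged; the string_literal branch has the same gap in `regex: ^"RC2"$`. Replacing the first pattern with `- pattern: $CIPHER.getInstance($ALG)` under a `constraints: ALG: regex: '^"RC2(/[^"]*)?"$'` block, and widening the string_literal regex to `^"RC2(/[^"]*)?"$`, covers the mode/padding variants (ast-grep appears to apply a constraint only when the metavariable is captured, so the `$R` branch would be unaffected — worth confirming). The message ends mid-sentence at `Instead, use a strong, secure.`; the RC4 rule in this series names a replacement transformation and this one should too. The second reference is an RC4 write-up attached to an RC2 rule and should be swapped for an RC2-specific source or dropped. Note also that the `$R` branch walks up to `program` and accepts a matching `local_variable_declaration` from any method, so a same-named variable set to "RC2" elsewhere in the file produces a finding.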
@@ -0,0 +1,70 @@ +id: use-of-rc2-java +snapshots: + ? | + public void testRC2InMap() { + Map cipherMap = new HashMap<>(); + cipherMap.put("RC2", Cipher.getInstance("RC2")); + } + : labels: + - source: Cipher.getInstance("RC2") + style: primary + start: 99 + end: 124 + ? | + public void testRC2InSwitch() { + String algorithm = "RC2"; + switch (algorithm) { + case "RC2": + try { + Cipher.getInstance(algorithm); + } catch (Exception e) { + e.printStackTrace(); + } + break; + } + } + : labels: + - source: Cipher.getInstance(algorithm) + style: primary + start: 109 + end: 138 + - source: algorithm + style: secondary + start: 39 + end: 48 + - source: '"RC2"' + style: secondary + start: 51 + end: 56 + - source: algorithm = "RC2" + style: secondary + start: 39 + end: 56 + - source: String algorithm = "RC2"; + style: secondary + start: 32 + end: 57 + - source: | + public void testRC2InSwitch() { + String algorithm = "RC2"; + switch (algorithm) { + case "RC2": + try { + Cipher.getInstance(algorithm); + } catch (Exception e) { + e.printStackTrace(); + } + break; + } + } + style: secondary + start: 0 + end: 216 + ? | + useCipher(Cipher.getInstance("RC2")); + Cipher.getInstance("RC2"); + : labels: + - source: Cipher.getInstance("RC2") + style: primary + start: 10 + end: 35 diff --git a/tests/java/use-of-rc2-java-test.yml b/tests/java/use-of-rc2-java-test.yml new file mode 100644 index 00000000..5dd8f067 --- /dev/null +++ b/tests/java/use-of-rc2-java-test.yml 
@@ -0,0 +1,39 @@
+id: use-of-rc2-java
+valid:
+ - |
+ Cipher.getInstance("AES/CBC/PKCS7PADDING");
+invalid:
+ - |
+ useCipher(Cipher.getInstance("RC2"));
+ Cipher.getInstance("RC2");
+ - |
+ public void testRC2InSwitch() {
+ String algorithm = "RC2";
+ switch (algorithm) {
+ case "RC2":
+ try {
+ Cipher.getInstance(algorithm);
+ } catch (Exception e) {
+ e.printStackTrace();
+ }
+ break;
+ }
+ }
+ - |
+ public void testRC2InMap() {
+ Map cipherMap = new HashMap<>();
+ cipherMap.put("RC2", Cipher.getInstance("RC2"));
+ }
+ - |
+ public void testRC2InSwitch() {
+ String algorithm = "RC2";
+ switch (algorithm) {
+ case "RC2":
+ try {
+ Cipher.getInstance(algorithm);
+ } catch (Exception e) {
+ e.printStackTrace();
+ }
+ break;
+ }
+ }
From 9d4c5fa72509e5f7ce1b166ce77cc394795692bc Mon Sep 17 00:00:00 2001
From: Sakshis
Date: Mon, 16 Dec 2024 07:24:37 +0000
Subject: [PATCH 2/4] use-of-rc4-java
---
 rules/java/security/use-of-rc4-java.yml | 16 ++++++++++++++++
 tests/__snapshots__/use-of-rc4-java-snapshot.yml | 16 ++++++++++++++++
 tests/java/use-of-rc4-java-test.yml | 9 +++++++++
 3 files changed, 41 insertions(+)
 create mode 100644 rules/java/security/use-of-rc4-java.yml
 create mode 100644 tests/__snapshots__/use-of-rc4-java-snapshot.yml
 create mode 100644 tests/java/use-of-rc4-java-test.yml
diff --git a/rules/java/security/use-of-rc4-java.yml b/rules/java/security/use-of-rc4-java.yml
new file mode 100644
index 00000000..2356d208
--- /dev/null
+++ b/rules/java/security/use-of-rc4-java.yml
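Review bot: The `testRC2InSwitch` snippet appears twice under `invalid` (third and fifth entries); the duplicate adds no coverage and should be dropped. `valid` has no negative case for the variable-tracking branch of the rule — e.g. `String algorithm = "AES"; Cipher.getInstance(algorithm);` — so a regression that made every `getInstance($R)` match would go unnoticed. An `invalid` entry with a mode string such as `Cipher.getInstance("RC2/CBC/PKCS5Padding");` would also be worth adding; it fails against the current pattern, which is exactly the gap it exposes.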
@@ -0,0 +1,16 @@
+id: use-of-rc4-java
+language: java
+severity: warning
+message: >-
+ 'Use of RC4 was detected. RC4 is vulnerable to several attacks,
+ including stream cipher attacks and bit flipping attacks. Instead, use a
+ strong, secure cipher: Cipher.getInstance("AES/CBC/PKCS7PADDING"). See
+ https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions
+ for more information.'
+note: >-
+ [CWE-327] Use of a Broken or Risky Cryptographic Algorithm
+ [REFERENCES]
+ - https://owasp.org/Top10/A02_2021-Cryptographic_Failures
+ - https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html
+rule:
+ pattern: $CIPHER.getInstance("RC4")
diff --git a/tests/__snapshots__/use-of-rc4-java-snapshot.yml b/tests/__snapshots__/use-of-rc4-java-snapshot.yml
new file mode 100644
index 00000000..cbf4423c
--- /dev/null
+++ b/tests/__snapshots__/use-of-rc4-java-snapshot.yml
@@ -0,0 +1,16 @@
+id: use-of-rc4-java
+snapshots:
+ ? |
+ Cipher.getInstance("RC4");
+ : labels:
+ - source: Cipher.getInstance("RC4")
+ style: primary
+ start: 0
+ end: 25
+ ? |
+ useCipher(Cipher.getInstance("RC4"));
+ : labels:
+ - source: Cipher.getInstance("RC4")
+ style: primary
+ start: 10
+ end: 35
diff --git a/tests/java/use-of-rc4-java-test.yml b/tests/java/use-of-rc4-java-test.yml
new file mode 100644
index 00000000..a82db3b3
--- /dev/null
+++ b/tests/java/use-of-rc4-java-test.yml
@@ -0,0 +1,9 @@
+id: use-of-rc4-java
+valid:
+ - |
+ Cipher.getInstance("AES/CBC/PKCS7PADDING");
+invalid:
+ - |
+ Cipher.getInstance("RC4");
+ - |
+ useCipher(Cipher.getInstance("RC4"));
From b6820c396d33d2d014bd1ed1a46089c776a1ad0f Mon Sep 17 00:00:00 2001
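Review bot: The rule matches only the exact literal `"RC4"`, but the JCE standard algorithm name for this cipher is `"ARCFOUR"` (`"RC4"` is a provider alias), and transformation strings such as `"RC4/ECB/NoPadding"` also escape; a metavariable with a constraint covers all of them: `pattern: $CIPHER.getInstance($ALG)` plus `constraints: ALG: regex: '^"(RC4|ARCFOUR)(/[^"]*)?"$'`. Unlike the RC2 rule in this series there is no branch for an algorithm name held in a local variable, so `String alg = "RC4"; Cipher.getInstance(alg);` is not reported — the two rules should be consistent one way or the other. Under the `>-` folded scalar the surrounding single quotes are literal text, so the rendered message starts with `'Use` and ends with `information.'`; drop the quotes.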
From: Sakshis
Date: Mon, 16 Dec 2024 07:26:51 +0000
Subject: [PATCH 3/4] use-of-weak-rsa-key-go
---
 .../java/security/use-of-weak-rsa-key-go.yml | 37 +++++++++
 .../use-of-weak-rsa-key-go-snapshot.yml | 78 +++++++++++++++++++
 tests/java/use-of-weak-rsa-key-go-test.yml | 13 ++++
 3 files changed, 128 insertions(+)
 create mode 100644 rules/java/security/use-of-weak-rsa-key-go.yml
 create mode 100644 tests/__snapshots__/use-of-weak-rsa-key-go-snapshot.yml
 create mode 100644 tests/java/use-of-weak-rsa-key-go-test.yml
diff --git a/rules/java/security/use-of-weak-rsa-key-go.yml b/rules/java/security/use-of-weak-rsa-key-go.yml
new file mode 100644
index 00000000..bdb746ff
--- /dev/null
+++ b/rules/java/security/use-of-weak-rsa-key-go.yml
@@ -0,0 +1,37 @@
+id: use-of-weak-rsa-key-go
+language: go
+severity: warning
+message: >-
+ RSA keys should be at least 2048 bits.
+note: >-
+ [CWE-326] Inadequate Encryption Strength.
+ [REFERENCES]
+ - https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#algorithms
+utils:
+ statement_match_pattern_one:
+ kind: expression_list
+ all:
+ - has:
+ stopBy: end
+ kind: selector_expression
+ pattern: $JWT
+ - has:
+ stopBy: end
+ kind: argument_list
+ - has:
+ stopBy: end
+ any:
+ - kind: float_literal
+ pattern: $BITS
+ - kind: int_literal
+ pattern: $BITS
+rule:
+ kind: expression_list
+ any:
+ - matches: statement_match_pattern_one
+constraints:
+ JWT:
+ regex: (rsa.GenerateMultiPrimeKey|rsa.GenerateKey)
+
+ BITS:
+ regex: ^(-?(0|[1-9][0-9]{0,2}|1[0-9]{3}|20[0-3][0-9]|204[0-7])(\.[0-9]+)?|0|-[1-9][0-9]*|-[1-9][0-9]{2,}|-1[0-9]{3}|-20[0-3][0-9]|-204[0-7])$
diff --git a/tests/__snapshots__/use-of-weak-rsa-key-go-snapshot.yml b/tests/__snapshots__/use-of-weak-rsa-key-go-snapshot.yml
new file mode 100644
index 00000000..51db96d9
--- /dev/null
+++ b/tests/__snapshots__/use-of-weak-rsa-key-go-snapshot.yml
@@ -0,0 +1,78 @@ +id: use-of-weak-rsa-key-go +snapshots: + ? | + pvk, err := rsa.GenerateKey(rand.Reader, -1929) + : labels: + - source: rsa.GenerateKey(rand.Reader, -1929) + style: primary + start: 12 + end: 47 + - source: rsa.GenerateKey + style: secondary + start: 12 + end: 27 + - source: (rand.Reader, -1929) + style: secondary + start: 27 + end: 47 + - source: '1929' + style: secondary + start: 42 + end: 46 + ? | + pvk, err := rsa.GenerateKey(rand.Reader, 102.5) + : labels: + - source: rsa.GenerateKey(rand.Reader, 102.5) + style: primary + start: 12 + end: 47 + - source: rsa.GenerateKey + style: secondary + start: 12 + end: 27 + - source: (rand.Reader, 102.5) + style: secondary + start: 27 + end: 47 + - source: '102.5' + style: secondary + start: 41 + end: 46 + ? | + pvk, err := rsa.GenerateKey(rand.Reader, 1025) + : labels: + - source: rsa.GenerateKey(rand.Reader, 1025) + style: primary + start: 12 + end: 46 + - source: rsa.GenerateKey + style: secondary + start: 12 + end: 27 + - source: (rand.Reader, 1025) + style: secondary + start: 27 + end: 46 + - source: '1025' + style: secondary + start: 41 + end: 45 + ? | + pvk, err := rsa.GenerateKey(rand.Reader, 192) + : labels: + - source: rsa.GenerateKey(rand.Reader, 192) + style: primary + start: 12 + end: 45 + - source: rsa.GenerateKey + style: secondary + start: 12 + end: 27 + - source: (rand.Reader, 192) + style: secondary + start: 27 + end: 45 + - source: '192' + style: secondary + start: 41 + end: 44 diff --git a/tests/java/use-of-weak-rsa-key-go-test.yml b/tests/java/use-of-weak-rsa-key-go-test.yml new file mode 100644 index 00000000..fa33ea3d --- /dev/null +++ b/tests/java/use-of-weak-rsa-key-go-test.yml 
@@ -0,0 +1,13 @@
+id: use-of-weak-rsa-key-go
+valid:
+ - |
+ rsa.GenerateKey(rand.Reader, 2048)
+invalid:
+ - |
+ pvk, err := rsa.GenerateKey(rand.Reader, 1025)
+ - |
+ pvk, err := rsa.GenerateKey(rand.Reader, -1929)
+ - |
+ pvk, err := rsa.GenerateKey(rand.Reader, 102.5)
+ - |
+ pvk, err := rsa.GenerateKey(rand.Reader, 192)
From 9faf1bae0e7db608099d8eee39bb3135eeb9531d Mon Sep 17 00:00:00 2001
From: Sakshis
Date: Mon, 16 Dec 2024 08:51:56 +0000
Subject: [PATCH 4/4] use-of-weak-rsa-key-java
---
 .../java/security/use-of-weak-rsa-key-go.yml | 37 -------
 .../security/use-of-weak-rsa-key-java.yml | 46 +++++++++
 .../use-of-weak-rsa-key-go-snapshot.yml | 78 ---------------
 .../use-of-weak-rsa-key-java-snapshot.yml | 98 +++++++++++++++++++
 tests/java/use-of-weak-rsa-key-go-test.yml | 13 ---
 tests/java/use-of-weak-rsa-key-java-test.yml | 15 +++
 6 files changed, 159 insertions(+), 128 deletions(-)
 delete mode 100644 rules/java/security/use-of-weak-rsa-key-go.yml
 create mode 100644 rules/java/security/use-of-weak-rsa-key-java.yml
 delete mode 100644 tests/__snapshots__/use-of-weak-rsa-key-go-snapshot.yml
 create mode 100644 tests/__snapshots__/use-of-weak-rsa-key-java-snapshot.yml
 delete mode 100644 tests/java/use-of-weak-rsa-key-go-test.yml
 create mode 100644 tests/java/use-of-weak-rsa-key-java-test.yml
diff --git a/rules/java/security/use-of-weak-rsa-key-go.yml b/rules/java/security/use-of-weak-rsa-key-go.yml
deleted file mode 100644
index bdb746ff..00000000
--- a/rules/java/security/use-of-weak-rsa-key-go.yml
+++ /dev/null
@@ -1,37 +0,0 @@ -id: use-of-weak-rsa-key-go -language: go -severity: warning -message: >- - RSA keys should be at least 2048 bits. -note: >- - [CWE-326] Inadequate Encryption Strength. - [REFERENCES] - - https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#algorithms -utils: - statement_match_pattern_one: - kind: expression_list - all: - - has: - stopBy: end - kind: selector_expression - pattern: $JWT - - has: - stopBy: end - kind: argument_list - - has: - stopBy: end - any: - - kind: float_literal - pattern: $BITS - - kind: int_literal - pattern: $BITS -rule: - kind: expression_list - any: - - matches: statement_match_pattern_one -constraints: - JWT: - regex: (rsa.GenerateMultiPrimeKey|rsa.GenerateKey) - - BITS: - regex: ^(-?(0|[1-9][0-9]{0,2}|1[0-9]{3}|20[0-3][0-9]|204[0-7])(\.[0-9]+)?|0|-[1-9][0-9]*|-[1-9][0-9]{2,}|-1[0-9]{3}|-20[0-3][0-9]|-204[0-7])$ diff --git a/rules/java/security/use-of-weak-rsa-key-java.yml b/rules/java/security/use-of-weak-rsa-key-java.yml new file mode 100644 index 00000000..283489a9 --- /dev/null +++ b/rules/java/security/use-of-weak-rsa-key-java.yml 
@@ -0,0 +1,46 @@
+id: use-of-weak-rsa-key-java
+language: java
+severity: warning
+message: >-
+ RSA keys should be at least 2048 bits based on NIST recommendation.
+note: >-
+ [CWE-326] Inadequate Encryption Strength.
+ [REFERENCES]
+ - https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#algorithms
+utils:
+ WeakRSA:
+ kind: expression_statement
+ all:
+ - has:
+ stopBy: neighbor
+ kind: method_invocation
+ all:
+ - has:
+ stopBy: neighbor
+ kind: identifier
+ - has:
+ stopBy: neighbor
+ kind: identifier
+ regex: '^initialize$'
+ - has:
+ stopBy: neighbor
+ kind: argument_list
+ has:
+ stopBy: neighbor
+ any:
+ - kind: decimal_integer_literal
+ pattern: $AST
+ - kind: decimal_floating_point_literal
+ pattern: $AST
+ - kind: unary_expression
+ pattern: $AST
+ - follows:
+ stopBy: neighbor
+ pattern: KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA")
+
+rule:
+ kind: expression_statement
+ matches: WeakRSA
+constraints:
+ AST:
+ regex: '^(-?(0|[1-9][0-9]?|[1-9][0-9]{2}|1[0-9]{3}|20[0-3][0-9]|204[0-7])(\.[0-9]+)?|0|-[1-9][0-9]*|-[1-9][0-9]{2,}|-1[0-9]{3}|-20[0-3][0-9]|-204[0-7])$'
diff --git a/tests/__snapshots__/use-of-weak-rsa-key-go-snapshot.yml b/tests/__snapshots__/use-of-weak-rsa-key-go-snapshot.yml
deleted file mode 100644
index 51db96d9..00000000
--- a/tests/__snapshots__/use-of-weak-rsa-key-go-snapshot.yml
+++ /dev/null
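Review bot: The `follows` sub-rule hard-codes the variable name `keyGen` and, with `stopBy: neighbor`, requires the declaration to be the immediately preceding statement, so `KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA"); kpg.initialize(1024);` or any intervening statement (a `SecureRandom` setup, say) silences the rule, and the `initialize` receiver is never tied to that declaration at all. Binding both sides through one metavariable closes this: `pattern: $GEN.initialize($$$ARGS)` on the method_invocation in place of the two bare `identifier` checks, `stopBy: end` on `follows`, and `pattern: KeyPairGenerator $GEN = KeyPairGenerator.getInstance("RSA")` — assuming metavariables unify across the `all` sub-rules, which is worth confirming against the snapshot. `getInstance("RSA", $PROVIDER)`, a key size held in a named constant, and `RSAKeyGenParameterSpec` remain uncovered and deserve a short comment in the rule so the limitation is visible to the next editor. The `decimal_floating_point_literal` branch cannot fire on compilable code, since `KeyPairGenerator.initialize` accepts only an `int` or an `AlgorithmParameterSpec`.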
@@ -1,78 +0,0 @@ -id: use-of-weak-rsa-key-go -snapshots: - ? | - pvk, err := rsa.GenerateKey(rand.Reader, -1929) - : labels: - - source: rsa.GenerateKey(rand.Reader, -1929) - style: primary - start: 12 - end: 47 - - source: rsa.GenerateKey - style: secondary - start: 12 - end: 27 - - source: (rand.Reader, -1929) - style: secondary - start: 27 - end: 47 - - source: '1929' - style: secondary - start: 42 - end: 46 - ? | - pvk, err := rsa.GenerateKey(rand.Reader, 102.5) - : labels: - - source: rsa.GenerateKey(rand.Reader, 102.5) - style: primary - start: 12 - end: 47 - - source: rsa.GenerateKey - style: secondary - start: 12 - end: 27 - - source: (rand.Reader, 102.5) - style: secondary - start: 27 - end: 47 - - source: '102.5' - style: secondary - start: 41 - end: 46 - ? | - pvk, err := rsa.GenerateKey(rand.Reader, 1025) - : labels: - - source: rsa.GenerateKey(rand.Reader, 1025) - style: primary - start: 12 - end: 46 - - source: rsa.GenerateKey - style: secondary - start: 12 - end: 27 - - source: (rand.Reader, 1025) - style: secondary - start: 27 - end: 46 - - source: '1025' - style: secondary - start: 41 - end: 45 - ? | - pvk, err := rsa.GenerateKey(rand.Reader, 192) - : labels: - - source: rsa.GenerateKey(rand.Reader, 192) - style: primary - start: 12 - end: 45 - - source: rsa.GenerateKey - style: secondary - start: 12 - end: 27 - - source: (rand.Reader, 192) - style: secondary - start: 27 - end: 45 - - source: '192' - style: secondary - start: 41 - end: 44 diff --git a/tests/__snapshots__/use-of-weak-rsa-key-java-snapshot.yml b/tests/__snapshots__/use-of-weak-rsa-key-java-snapshot.yml new file mode 100644 index 00000000..3030dfb4 --- /dev/null +++ b/tests/__snapshots__/use-of-weak-rsa-key-java-snapshot.yml 
@@ -0,0 +1,98 @@ +id: use-of-weak-rsa-key-java +snapshots: + ? | + KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA"); + keyGen.initialize(-512); + : labels: + - source: keyGen.initialize(-512); + style: primary + start: 63 + end: 87 + - source: keyGen + style: secondary + start: 63 + end: 69 + - source: initialize + style: secondary + start: 70 + end: 80 + - source: '-512' + style: secondary + start: 81 + end: 85 + - source: (-512) + style: secondary + start: 80 + end: 86 + - source: keyGen.initialize(-512) + style: secondary + start: 63 + end: 86 + - source: KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA"); + style: secondary + start: 0 + end: 62 + ? | + KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA"); + keyGen.initialize(51.2); + : labels: + - source: keyGen.initialize(51.2); + style: primary + start: 63 + end: 87 + - source: keyGen + style: secondary + start: 63 + end: 69 + - source: initialize + style: secondary + start: 70 + end: 80 + - source: '51.2' + style: secondary + start: 81 + end: 85 + - source: (51.2) + style: secondary + start: 80 + end: 86 + - source: keyGen.initialize(51.2) + style: secondary + start: 63 + end: 86 + - source: KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA"); + style: secondary + start: 0 + end: 62 + ? | + KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA"); + keyGen.initialize(512); + : labels: + - source: keyGen.initialize(512); + style: primary + start: 63 + end: 86 + - source: keyGen + style: secondary + start: 63 + end: 69 + - source: initialize + style: secondary + start: 70 + end: 80 + - source: '512' + style: secondary + start: 81 + end: 84 + - source: (512) + style: secondary + start: 80 + end: 85 + - source: keyGen.initialize(512) + style: secondary + start: 63 + end: 85 + - source: KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA"); + style: secondary + start: 0 + end: 62 
diff --git a/tests/java/use-of-weak-rsa-key-go-test.yml b/tests/java/use-of-weak-rsa-key-go-test.yml
deleted file mode 100644
index fa33ea3d..00000000
--- a/tests/java/use-of-weak-rsa-key-go-test.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-id: use-of-weak-rsa-key-go
-valid:
- - |
- rsa.GenerateKey(rand.Reader, 2048)
-invalid:
- - |
- pvk, err := rsa.GenerateKey(rand.Reader, 1025)
- - |
- pvk, err := rsa.GenerateKey(rand.Reader, -1929)
- - |
- pvk, err := rsa.GenerateKey(rand.Reader, 102.5)
- - |
- pvk, err := rsa.GenerateKey(rand.Reader, 192)
diff --git a/tests/java/use-of-weak-rsa-key-java-test.yml b/tests/java/use-of-weak-rsa-key-java-test.yml
new file mode 100644
index 00000000..9c40f11f
--- /dev/null
+++ b/tests/java/use-of-weak-rsa-key-java-test.yml
@@ -0,0 +1,15 @@
+id: use-of-weak-rsa-key-java
+valid:
+ - |
+ KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA");
+ keyGen.initialize(2048);
+invalid:
+ - |
+ KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA");
+ keyGen.initialize(512);
+ - |
+ KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA");
+ keyGen.initialize(-512);
+ - |
+ KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA");
+ keyGen.initialize(51.2);
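Review bot: The last `invalid` case, `keyGen.initialize(51.2);`, is not compilable Java — `KeyPairGenerator.initialize` takes an `int` or an `AlgorithmParameterSpec`, never a `double` — so it pins a match that no real code can produce; replace it with a compiling weak size such as `keyGen.initialize(1024);`. `valid` has a single entry; adding `keyGen.initialize(4096);` would broaden the positive side, and an entry with a different variable name, e.g. `KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA"); kpg.initialize(2048);`, would make the rule's current dependence on the literal name `keyGen` visible in the suite. Note that with the rule as written a weak key under any name other than `keyGen` would also land silently in `valid`, which is the limitation such a case documents.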