diff --git a/rules/java/security/use-of-rc2-java.yml b/rules/java/security/use-of-rc2-java.yml
new file mode 100644
index 00000000..57c344c6
--- /dev/null
+++ b/rules/java/security/use-of-rc2-java.yml
@@ -0,0 +1,88 @@
+id: use-of-rc2-java
+language: java
+severity: warning
+message: >-
+ Use of RC2 was detected. RC2 is vulnerable to related-key attacks, and
+ is therefore considered non-compliant. Instead, use a strong, secure.
+note: >-
+ [CWE-327] Use of a Broken or Risky Cryptographic Algorithm.
+ [REFERENCES]
+ - https://owasp.org/Top10/A02_2021-Cryptographic_Failures
+ - https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html
+
+utils:
+ $CIPHER.getInstance("RC2"):
+ kind: method_invocation
+ all:
+ - has:
+ stopBy: neighbor
+ kind: identifier
+ nthchild: 1
+ - has:
+ stopBy: neighbor
+ kind: identifier
+ nthchild: 2
+ regex: ^getInstance$
+ - has:
+ stopBy: neighbor
+ kind: argument_list
+ all:
+ - has:
+ stopBy: end
+ kind: string_fragment
+ regex: ^RC2$
+ - not:
+ has:
+ stopBy: end
+ kind: array_access
+
+ $CIPHER.getInstance("RC2")_with_instance:
+ kind: method_invocation
+ all:
+ - has:
+ stopBy: neighbor
+ kind: identifier
+ nthchild: 1
+ - has:
+ stopBy: neighbor
+ kind: identifier
+ nthchild: 2
+ regex: ^getInstance$
+ - has:
+ stopBy: neighbor
+ kind: argument_list
+ has:
+ stopBy: end
+ kind: identifier
+ pattern: $RC2
+ not:
+ inside:
+ stopBy: end
+ kind: array_access
+ - inside:
+ stopBy: end
+ follows:
+ stopBy: end
+ kind: local_variable_declaration
+ has:
+ stopBy: end
+ kind: variable_declarator
+ all:
+ - has:
+ stopBy: neighbor
+ kind: identifier
+ pattern: $RC2
+ - has:
+ stopBy: neighbor
+ kind: string_literal
+ has:
+ stopBy: neighbor
+ kind: string_fragment
+ regex: ^RC2$
+
+
+rule:
+ kind: method_invocation
+ any:
+ - matches: $CIPHER.getInstance("RC2")
+ - matches: $CIPHER.getInstance("RC2")_with_instance
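Review bot: The `regex: ^RC2$` used in both utils only fires when the transformation string is exactly `RC2`, so the usual JCE spelling `Cipher.getInstance("RC2/CBC/PKCS5Padding")` (and the same string assigned to a variable in the `_with_instance` branch) is not reported; an anchored prefix such as `regex: ^RC2(/|$)` keeps the exact-name behaviour while covering mode/padding suffixes. The `message` is also truncated — it stops at "Instead, use a strong, secure." without naming a replacement — and the only cipher-specific reference is the Project Zero post on RC4, which does not cover RC2; finish the sentence with the recommended transformation (preferably an authenticated mode such as `AES/GCM/NoPadding`) and drop or replace that link. The variable-tracking util only follows a `local_variable_declaration` whose initialiser is a `string_literal`, so a field constant or a later `algorithm = "RC2";` assignment is missed; a comment on that util stating the limitation would save the next reader from assuming full data-flow tracking. YAML indentation under `utils` is collapsed in this view, so the nesting of the `not:`/`inside:` clauses could not be verified here.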
diff --git a/rules/java/security/use-of-rc4-java.yml b/rules/java/security/use-of-rc4-java.yml
new file mode 100644
index 00000000..c2a33fbd
--- /dev/null
+++ b/rules/java/security/use-of-rc4-java.yml
@@ -0,0 +1,42 @@
+id: use-of-rc4-java
+language: java
+severity: warning
+message: >-
+ 'Use of RC4 was detected. RC4 is vulnerable to several attacks,
+ including stream cipher attacks and bit flipping attacks. Instead, use a
+ strong, secure cipher: Cipher.getInstance("AES/CBC/PKCS7PADDING"). See
+ https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions
+ for more information.'
+note: >-
+ [CWE-327] Use of a Broken or Risky Cryptographic Algorithm
+ [REFERENCES]
+ - https://owasp.org/Top10/A02_2021-Cryptographic_Failures
+ - https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html
+
+rule:
+ pattern: $CIPHER.getInstance($ARGUMENT)
+
+constraints:
+ ARGUMENT:
+ any:
+ - has:
+ stopBy: end
+ kind: string_literal
+ has:
+ kind: string_fragment
+ regex: ^RC4$
+ - kind: string_literal
+ has:
+ kind: string_fragment
+ regex: ^RC4$
+
+ all:
+ - not:
+ has:
+ nthChild: 2
+ - not:
+ has:
+ stopBy: end
+ any:
+ - kind: array_access
+
diff --git a/tests/__snapshots__/use-of-rc2-java-snapshot.yml b/tests/__snapshots__/use-of-rc2-java-snapshot.yml
new file mode 100644
index 00000000..c8361e71
--- /dev/null
+++ b/tests/__snapshots__/use-of-rc2-java-snapshot.yml
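Review bot: The `regex: ^RC4$` constraint misses the JDK's own name for this cipher — the SunJCE provider registers it as `ARCFOUR` with `RC4` as an alias — so `Cipher.getInstance("ARCFOUR")` goes unreported; `regex: ^(RC4|ARCFOUR)$` closes that gap (JCE algorithm names are matched case-insensitively, so consider an `(?i)` prefix too). Unlike the sibling `use-of-rc2-java` rule added in the same commit, this rule has no variable-tracking branch, so `String alg = "RC4"; Cipher.getInstance(alg);` is not detected; either add the equivalent `_with_instance` util or state the limitation in a comment above `rule:`. The `message` recommends `AES/CBC/PKCS7PADDING`, which is unauthenticated CBC — exposed to the bit-flipping and padding-oracle attacks the message itself cites against RC4 — and, as far as I know, the stock JDK provider spells the padding `PKCS5Padding`, so that exact string may only resolve with a third-party provider; `AES/GCM/NoPadding` is the safer suggestion and matches the linked OWASP page. In this collapsed view the `all:` block appears at the same depth as `any:` under `ARGUMENT`, so whether both constraints actually apply to the argument could not be verified.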
@@ -0,0 +1,168 @@
+id: use-of-rc2-java
+snapshots:
+ ? |
+ public void testRC2InMap() {
+ Map cipherMap = new HashMap<>();
+ cipherMap.put("RC2", Cipher.getInstance("RC2"));
+ }
+ : labels:
+ - source: Cipher.getInstance("RC2")
+ style: primary
+ start: 99
+ end: 124
+ - source: Cipher
+ style: secondary
+ start: 99
+ end: 105
+ - source: getInstance
+ style: secondary
+ start: 106
+ end: 117
+ - source: RC2
+ style: secondary
+ start: 119
+ end: 122
+ - source: ("RC2")
+ style: secondary
+ start: 117
+ end: 124
+ ? |-
+ public void testRC2InSwitch() {
+ String algorithm = "RC2";
+ switch (algorithm) {
+ case "RC2":
+ try {
+ Cipher.getInstance(algorithm);
+ } catch (Exception e) {
+ e.printStackTrace();
+ }
+ break;
+ }
+ }
+ : labels:
+ - source: Cipher.getInstance(algorithm)
+ style: primary
+ start: 109
+ end: 138
+ - source: Cipher
+ style: secondary
+ start: 109
+ end: 115
+ - source: getInstance
+ style: secondary
+ start: 116
+ end: 127
+ - source: algorithm
+ style: secondary
+ start: 128
+ end: 137
+ - source: (algorithm)
+ style: secondary
+ start: 127
+ end: 138
+ - source: algorithm
+ style: secondary
+ start: 39
+ end: 48
+ - source: RC2
+ style: secondary
+ start: 52
+ end: 55
+ - source: '"RC2"'
+ style: secondary
+ start: 51
+ end: 56
+ - source: algorithm = "RC2"
+ style: secondary
+ start: 39
+ end: 56
+ - source: String algorithm = "RC2";
+ style: secondary
+ start: 32
+ end: 57
+ - source: String algorithm = "RC2";
+ style: secondary
+ start: 32
+ end: 57
+ ? |
+ public void testRC2InSwitch() {
+ String algorithm = "RC2";
+ switch (algorithm) {
+ case "RC2":
+ try {
+ Cipher.getInstance(algorithm);
+ } catch (Exception e) {
+ e.printStackTrace();
+ }
+ break;
+ }
+ }
+ : labels:
+ - source: Cipher.getInstance(algorithm)
+ style: primary
+ start: 109
+ end: 138
+ - source: Cipher
+ style: secondary
+ start: 109
+ end: 115
+ - source: getInstance
+ style: secondary
+ start: 116
+ end: 127
+ - source: algorithm
+ style: secondary
+ start: 128
+ end: 137
+ - source: (algorithm)
+ style: secondary
+ start: 127
+ end: 138
+ - source: algorithm
+ style: secondary
+ start: 39
+ end: 48
+ - source: RC2
+ style: secondary
+ start: 52
+ end: 55
+ - source: '"RC2"'
+ style: secondary
+ start: 51
+ end: 56
+ - source: algorithm = "RC2"
+ style: secondary
+ start: 39
+ end: 56
+ - source: String algorithm = "RC2";
+ style: secondary
+ start: 32
+ end: 57
+ - source: String algorithm = "RC2";
+ style: secondary
+ start: 32
+ end: 57
+ ? |
+ useCipher(Cipher.getInstance("RC2"));
+ Cipher.getInstance("RC2");
+ : labels:
+ - source: Cipher.getInstance("RC2")
+ style: primary
+ start: 10
+ end: 35
+ - source: Cipher
+ style: secondary
+ start: 10
+ end: 16
+ - source: getInstance
+ style: secondary
+ start: 17
+ end: 28
+ - source: RC2
+ style: secondary
+ start: 30
+ end: 33
+ - source: ("RC2")
+ style: secondary
+ start: 28
+ end: 35
diff --git a/tests/__snapshots__/use-of-rc4-java-snapshot.yml b/tests/__snapshots__/use-of-rc4-java-snapshot.yml
new file mode 100644
index 00000000..7aa25950
--- /dev/null
+++ b/tests/__snapshots__/use-of-rc4-java-snapshot.yml
@@ -0,0 +1,24 @@
+id: use-of-rc4-java
+snapshots:
+ ? |
+ Cipher.getInstance("RC4");
+ : labels:
+ - source: Cipher.getInstance("RC4")
+ style: primary
+ start: 0
+ end: 25
+ - source: RC4
+ style: secondary
+ start: 20
+ end: 23
+ ? |
+ useCipher(Cipher.getInstance("RC4"));
+ : labels:
+ - source: Cipher.getInstance("RC4")
+ style: primary
+ start: 10
+ end: 35
+ - source: RC4
+ style: secondary
+ start: 30
+ end: 33
diff --git a/tests/java/use-of-rc2-java-test.yml b/tests/java/use-of-rc2-java-test.yml
new file mode 100644
index 00000000..7b084ff7
--- /dev/null
+++ b/tests/java/use-of-rc2-java-test.yml
@@ -0,0 +1,39 @@
+id: use-of-rc2-java
+valid:
+ - |
+ Cipher.getInstance("AES/CBC/PKCS7PADDING");
+invalid:
+ - |
+ useCipher(Cipher.getInstance("RC2"));
+ Cipher.getInstance("RC2");
+ - |
+ public void testRC2InSwitch() {
+ String algorithm = "RC2";
+ switch (algorithm) {
+ case "RC2":
+ try {
+ Cipher.getInstance(algorithm);
+ } catch (Exception e) {
+ e.printStackTrace();
+ }
+ break;
+ }
+ }
+ - |
+ public void testRC2InMap() {
+ Map cipherMap = new HashMap<>();
+ cipherMap.put("RC2", Cipher.getInstance("RC2"));
+ }
+ - |
+ public void testRC2InSwitch() {
+ String algorithm = "RC2";
+ switch (algorithm) {
+ case "RC2":
+ try {
+ Cipher.getInstance(algorithm);
+ } catch (Exception e) {
+ e.printStackTrace();
+ }
+ break;
+ }
+ }
\ No newline at end of file
diff --git a/tests/java/use-of-rc4-java-test.yml b/tests/java/use-of-rc4-java-test.yml
new file mode 100644
index 00000000..a82db3b3
--- /dev/null
+++ b/tests/java/use-of-rc4-java-test.yml
@@ -0,0 +1,9 @@
+id: use-of-rc4-java
+valid:
+ - |
+ Cipher.getInstance("AES/CBC/PKCS7PADDING");
+invalid:
+ - |
+ Cipher.getInstance("RC4");
+ - |
+ useCipher(Cipher.getInstance("RC4"));
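Review bot: The `invalid` list in `use-of-rc2-java-test.yml` repeats the `testRC2InSwitch` case verbatim (third and fifth entries), so the duplicate adds no coverage and should be replaced by a case the rule is expected to catch, such as `Cipher.getInstance("RC2/CBC/PKCS5Padding");` — which the current `^RC2$` regex does not match and would therefore surface that gap. The `valid` list holds a single AES call and nothing that exercises the rule's negative clauses: add `String algorithm = "AES"; Cipher.getInstance(algorithm);` for the variable-tracking branch and a string containing `RC2` that is not a cipher name (e.g. a map key with no `getInstance` argument), so that a loosened regex or a broken `not:` clause would show up as a false positive. The file is also missing its trailing newline (`\ No newline at end of file`), which the sibling `use-of-rc4-java-test.yml` does not suffer from.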