diff --git a/rules/java/security/use-of-rc2-java.yml b/rules/java/security/use-of-rc2-java.yml
new file mode 100644
index 00000000..fe526344
--- /dev/null
+++ b/rules/java/security/use-of-rc2-java.yml
@@ -0,0 +1,34 @@
+id: use-of-rc2-java
+language: java
+severity: warning
+message: >-
+ Use of RC2 was detected. RC2 is vulnerable to related-key attacks, and
+ is therefore considered non-compliant. Instead, use a strong, secure.
+note: >-
+ [CWE-327] Use of a Broken or Risky Cryptographic Algorithm.
+ [REFERENCES]
+ - https://owasp.org/Top10/A02_2021-Cryptographic_Failures
+ - https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html
+rule:
+ any:
+ - pattern: $CIPHER.getInstance("RC2")
+ - pattern: $CIPHER.getInstance($R)
+ inside:
+ stopBy: end
+ kind: program
+ has:
+ stopBy: end
+ kind: local_variable_declaration
+ has:
+ stopBy: end
+ kind: variable_declarator
+ all:
+ - has:
+ stopBy: neighbor
+ kind: identifier
+ pattern: $R
+ - has:
+ stopBy: neighbor
+ kind: string_literal
+ regex: ^"RC2"$
+
diff --git a/rules/java/security/use-of-rc4-java.yml b/rules/java/security/use-of-rc4-java.yml
new file mode 100644
index 00000000..2356d208
--- /dev/null
+++ b/rules/java/security/use-of-rc4-java.yml
@@ -0,0 +1,16 @@
+id: use-of-rc4-java
+language: java
+severity: warning
+message: >-
+ 'Use of RC4 was detected. RC4 is vulnerable to several attacks,
+ including stream cipher attacks and bit flipping attacks. Instead, use a
+ strong, secure cipher: Cipher.getInstance("AES/CBC/PKCS7PADDING"). See
+ https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions
+ for more information.'
+note: >-
+ [CWE-327] Use of a Broken or Risky Cryptographic Algorithm
+ [REFERENCES]
+ - https://owasp.org/Top10/A02_2021-Cryptographic_Failures
+ - https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html
+rule:
+ pattern: $CIPHER.getInstance("RC4")
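Review bot: The `message` of use-of-rc2-java stops mid-sentence (`Instead, use a strong, secure.`) and its second reference is the RC4 Project Zero post, so the finding names no replacement; finish it as the RC4 rule does, e.g. `Instead, use a strong, secure cipher such as Cipher.getInstance("AES/GCM/NoPadding").`. JCA algorithm names are matched case-insensitively and RC2 is normally requested as a full transformation (`RC2/CBC/PKCS5Padding`), so both the literal pattern `$CIPHER.getInstance("RC2")` and `regex: ^"RC2"$` miss those spellings; matching the argument as a `string_literal` with a regex such as `^"(?i)RC2(/.*)?"$` would cover them, and the same applies to the RC4 rule in the next hunk, where the JDK provider's own name `ARCFOUR` is also not reported. The indirection branch only inspects a `local_variable_declaration`, so a field constant or a later reassignment (`algorithm = "RC2";`) is not caught; a short comment in the rule stating that limit would keep the snapshot's `testRC2InSwitch` case from being read as general data-flow coverage.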
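Review bot: The replacement that use-of-rc4-java's `message` recommends, `Cipher.getInstance("AES/CBC/PKCS7PADDING")`, is not provided by the JDK's built-in providers (SunJCE offers PKCS5Padding; PKCS7Padding needs a third-party provider), so a reader following the advice on a stock JDK gets NoSuchAlgorithmException, and CBC gives no integrity protection. Suggest `strong, secure cipher: Cipher.getInstance("AES/GCM/NoPadding").` and the same string in the `valid` fixtures of the rc2 and rc4 test files, which currently echo it. Unlike the RC2 rule, this one has no branch for `Cipher.getInstance($R)` with `$R` declared as `"RC4"`; either add the same `inside`/`has` structure or note in the rule why the two differ.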
diff --git a/rules/java/security/use-of-weak-rsa-key-java.yml b/rules/java/security/use-of-weak-rsa-key-java.yml
new file mode 100644
index 00000000..283489a9
--- /dev/null
+++ b/rules/java/security/use-of-weak-rsa-key-java.yml
@@ -0,0 +1,46 @@
+id: use-of-weak-rsa-key-java
+language: java
+severity: warning
+message: >-
+ RSA keys should be at least 2048 bits based on NIST recommendation.
+note: >-
+ [CWE-326] Inadequate Encryption Strength.
+ [REFERENCES]
+ - https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#algorithms
+utils:
+ WeakRSA:
+ kind: expression_statement
+ all:
+ - has:
+ stopBy: neighbor
+ kind: method_invocation
+ all:
+ - has:
+ stopBy: neighbor
+ kind: identifier
+ - has:
+ stopBy: neighbor
+ kind: identifier
+ regex: '^initialize$'
+ - has:
+ stopBy: neighbor
+ kind: argument_list
+ has:
+ stopBy: neighbor
+ any:
+ - kind: decimal_integer_literal
+ pattern: $AST
+ - kind: decimal_floating_point_literal
+ pattern: $AST
+ - kind: unary_expression
+ pattern: $AST
+ - follows:
+ stopBy: neighbor
+ pattern: KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA")
+
+rule:
+ kind: expression_statement
+ matches: WeakRSA
+constraints:
+ AST:
+ regex: '^(-?(0|[1-9][0-9]?|[1-9][0-9]{2}|1[0-9]{3}|20[0-3][0-9]|204[0-7])(\.[0-9]+)?|0|-[1-9][0-9]*|-[1-9][0-9]{2,}|-1[0-9]{3}|-20[0-3][0-9]|-204[0-7])$'
diff --git a/tests/__snapshots__/use-of-rc2-java-snapshot.yml b/tests/__snapshots__/use-of-rc2-java-snapshot.yml
new file mode 100644
index 00000000..19baa02a
--- /dev/null
+++ b/tests/__snapshots__/use-of-rc2-java-snapshot.yml
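Review bot: The `follows` clause hard-codes the variable name, `pattern: KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA")`, so `KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA"); kpg.initialize(1024);` is never reported, and `stopBy: neighbor` additionally requires the declaration to be the statement immediately before the `initialize` call. Bind the name instead: give the receiver's `kind: identifier` entry a `pattern: $KEYGEN`, change the follows pattern to `pattern: KeyPairGenerator $KEYGEN = KeyPairGenerator.getInstance("RSA")`, and use `stopBy: end` on `follows` so intervening statements do not hide the match. The argument is only matched when it is a decimal literal or a negated literal, so a size taken from a constant, a hexadecimal literal or an `RSAKeyGenParameterSpec` passes silently; stating that in `note` tells users what a clean scan does and does not prove. The `getInstance("RSA", provider)` overload and a lowercase `"rsa"` are likewise outside the pattern as written.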
@@ -0,0 +1,70 @@
+id: use-of-rc2-java
+snapshots:
+ ? |
+ public void testRC2InMap() {
+ Map cipherMap = new HashMap<>();
+ cipherMap.put("RC2", Cipher.getInstance("RC2"));
+ }
+ : labels:
+ - source: Cipher.getInstance("RC2")
+ style: primary
+ start: 99
+ end: 124
+ ? |
+ public void testRC2InSwitch() {
+ String algorithm = "RC2";
+ switch (algorithm) {
+ case "RC2":
+ try {
+ Cipher.getInstance(algorithm);
+ } catch (Exception e) {
+ e.printStackTrace();
+ }
+ break;
+ }
+ }
+ : labels:
+ - source: Cipher.getInstance(algorithm)
+ style: primary
+ start: 109
+ end: 138
+ - source: algorithm
+ style: secondary
+ start: 39
+ end: 48
+ - source: '"RC2"'
+ style: secondary
+ start: 51
+ end: 56
+ - source: algorithm = "RC2"
+ style: secondary
+ start: 39
+ end: 56
+ - source: String algorithm = "RC2";
+ style: secondary
+ start: 32
+ end: 57
+ - source: |
+ public void testRC2InSwitch() {
+ String algorithm = "RC2";
+ switch (algorithm) {
+ case "RC2":
+ try {
+ Cipher.getInstance(algorithm);
+ } catch (Exception e) {
+ e.printStackTrace();
+ }
+ break;
+ }
+ }
+ style: secondary
+ start: 0
+ end: 216
+ ? |
+ useCipher(Cipher.getInstance("RC2"));
+ Cipher.getInstance("RC2");
+ : labels:
+ - source: Cipher.getInstance("RC2")
+ style: primary
+ start: 10
+ end: 35
diff --git a/tests/__snapshots__/use-of-rc4-java-snapshot.yml b/tests/__snapshots__/use-of-rc4-java-snapshot.yml
new file mode 100644
index 00000000..cbf4423c
--- /dev/null
+++ b/tests/__snapshots__/use-of-rc4-java-snapshot.yml
@@ -0,0 +1,16 @@
+id: use-of-rc4-java
+snapshots:
+ ? |
+ Cipher.getInstance("RC4");
+ : labels:
+ - source: Cipher.getInstance("RC4")
+ style: primary
+ start: 0
+ end: 25
+ ? |
+ useCipher(Cipher.getInstance("RC4"));
+ : labels:
+ - source: Cipher.getInstance("RC4")
+ style: primary
+ start: 10
+ end: 35
diff --git a/tests/__snapshots__/use-of-weak-rsa-key-java-snapshot.yml b/tests/__snapshots__/use-of-weak-rsa-key-java-snapshot.yml
new file mode 100644
index 00000000..3030dfb4
--- /dev/null
+++ b/tests/__snapshots__/use-of-weak-rsa-key-java-snapshot.yml
@@ -0,0 +1,98 @@
+id: use-of-weak-rsa-key-java
+snapshots:
+ ? |
+ KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA");
+ keyGen.initialize(-512);
+ : labels:
+ - source: keyGen.initialize(-512);
+ style: primary
+ start: 63
+ end: 87
+ - source: keyGen
+ style: secondary
+ start: 63
+ end: 69
+ - source: initialize
+ style: secondary
+ start: 70
+ end: 80
+ - source: '-512'
+ style: secondary
+ start: 81
+ end: 85
+ - source: (-512)
+ style: secondary
+ start: 80
+ end: 86
+ - source: keyGen.initialize(-512)
+ style: secondary
+ start: 63
+ end: 86
+ - source: KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA");
+ style: secondary
+ start: 0
+ end: 62
+ ? |
+ KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA");
+ keyGen.initialize(51.2);
+ : labels:
+ - source: keyGen.initialize(51.2);
+ style: primary
+ start: 63
+ end: 87
+ - source: keyGen
+ style: secondary
+ start: 63
+ end: 69
+ - source: initialize
+ style: secondary
+ start: 70
+ end: 80
+ - source: '51.2'
+ style: secondary
+ start: 81
+ end: 85
+ - source: (51.2)
+ style: secondary
+ start: 80
+ end: 86
+ - source: keyGen.initialize(51.2)
+ style: secondary
+ start: 63
+ end: 86
+ - source: KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA");
+ style: secondary
+ start: 0
+ end: 62
+ ? |
+ KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA");
+ keyGen.initialize(512);
+ : labels:
+ - source: keyGen.initialize(512);
+ style: primary
+ start: 63
+ end: 86
+ - source: keyGen
+ style: secondary
+ start: 63
+ end: 69
+ - source: initialize
+ style: secondary
+ start: 70
+ end: 80
+ - source: '512'
+ style: secondary
+ start: 81
+ end: 84
+ - source: (512)
+ style: secondary
+ start: 80
+ end: 85
+ - source: keyGen.initialize(512)
+ style: secondary
+ start: 63
+ end: 85
+ - source: KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA");
+ style: secondary
+ start: 0
+ end: 62
diff --git a/tests/java/use-of-rc2-java-test.yml b/tests/java/use-of-rc2-java-test.yml
new file mode 100644
index 00000000..5dd8f067
--- /dev/null
+++ b/tests/java/use-of-rc2-java-test.yml
@@ -0,0 +1,39 @@
+id: use-of-rc2-java
+valid:
+ - |
+ Cipher.getInstance("AES/CBC/PKCS7PADDING");
+invalid:
+ - |
+ useCipher(Cipher.getInstance("RC2"));
+ Cipher.getInstance("RC2");
+ - |
+ public void testRC2InSwitch() {
+ String algorithm = "RC2";
+ switch (algorithm) {
+ case "RC2":
+ try {
+ Cipher.getInstance(algorithm);
+ } catch (Exception e) {
+ e.printStackTrace();
+ }
+ break;
+ }
+ }
+ - |
+ public void testRC2InMap() {
+ Map cipherMap = new HashMap<>();
+ cipherMap.put("RC2", Cipher.getInstance("RC2"));
+ }
+ - |
+ public void testRC2InSwitch() {
+ String algorithm = "RC2";
+ switch (algorithm) {
+ case "RC2":
+ try {
+ Cipher.getInstance(algorithm);
+ } catch (Exception e) {
+ e.printStackTrace();
+ }
+ break;
+ }
+ }
diff --git a/tests/java/use-of-rc4-java-test.yml b/tests/java/use-of-rc4-java-test.yml
new file mode 100644
index 00000000..a82db3b3
--- /dev/null
+++ b/tests/java/use-of-rc4-java-test.yml
@@ -0,0 +1,9 @@
+id: use-of-rc4-java
+valid:
+ - |
+ Cipher.getInstance("AES/CBC/PKCS7PADDING");
+invalid:
+ - |
+ Cipher.getInstance("RC4");
+ - |
+ useCipher(Cipher.getInstance("RC4"));
diff --git a/tests/java/use-of-weak-rsa-key-java-test.yml b/tests/java/use-of-weak-rsa-key-java-test.yml
new file mode 100644
index 00000000..9c40f11f
--- /dev/null
+++ b/tests/java/use-of-weak-rsa-key-java-test.yml
@@ -0,0 +1,15 @@
+id: use-of-weak-rsa-key-java
+valid:
+ - |
+ KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA");
+ keyGen.initialize(2048);
+invalid:
+ - |
+ KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA");
+ keyGen.initialize(512);
+ - |
+ KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA");
+ keyGen.initialize(-512);
+ - |
+ KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA");
+ keyGen.initialize(51.2);
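Review bot: The `invalid` list of use-of-rc2-java-test.yml contains the `testRC2InSwitch` fixture twice, verbatim, while the snapshot file records it once; drop the second copy so the snapshot and test stay one-to-one. The `valid` list has only a direct `AES/CBC/PKCS7PADDING` call, so nothing exercises the negative side of the `$R` branch; a fixture such as `String algorithm = "AES"; Cipher.getInstance(algorithm);` under `valid` would catch a regression in the declaration constraint that the current cases cannot. The `valid` fixture here and in the rc4 test uses a transformation the JDK's built-in providers do not offer; `AES/GCM/NoPadding` is both available on a stock JDK and the replacement worth recommending.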
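Review bot: In use-of-weak-rsa-key-java-test.yml the fixture `keyGen.initialize(51.2);` is not valid Java (`KeyPairGenerator.initialize` takes an `int`), so it and its snapshot pin the rule against a program that cannot be compiled; replace it with an integer boundary case, `keyGen.initialize(2047);`, which also exercises the upper edge of the `AST` constraint regex. An `invalid` fixture whose generator variable is not named `keyGen`, e.g. `KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA"); kpg.initialize(1024);`, would currently fail and so document the rule's reliance on that literal name until the `follows` pattern is generalised.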