rspec/rules/S5547/java/rule.adoc

include::../description.adoc[]

== Noncompliant Code Example

----
import javax.crypto.Cipher;
import java.security.NoSuchAlgorithmException;
import javax.crypto.NoSuchPaddingException;

public class test {

    public static void main(String[] args) {
      try
      {
        Cipher c1 = Cipher.getInstance("DES"); // Noncompliant: DES works with 56-bit keys allow attacks via exhaustive search
        Cipher c7 = Cipher.getInstance("DESede"); // Noncompliant: Triple DES is vulnerable to meet-in-the-middle attack
        Cipher c13 = Cipher.getInstance("RC2"); // Noncompliant: RC2 is vulnerable to a related-key attack 
        Cipher c19 = Cipher.getInstance("RC4"); // Noncompliant: vulnerable to several attacks (see https://en.wikipedia.org/wiki/RC4#Security)
        Cipher c25 = Cipher.getInstance("Blowfish"); // Noncompliant: Blowfish use a 64-bit block size makes it vulnerable to birthday attacks

        NullCipher nc = new NullCipher(); // Noncompliant: the NullCipher class provides an "identity cipher" one that does not transform or encrypt the plaintext in any way.
      }
      catch(NoSuchAlgorithmException|NoSuchPaddingException e)
      {
      }
    }
} 
----

== Compliant Solution

----
import javax.crypto.Cipher;
import java.security.NoSuchAlgorithmException;
import javax.crypto.NoSuchPaddingException;

public class test {

    public static void main(String[] args) {
      try
      {
        Cipher c31 = Cipher.getInstance("AES/GCM/NoPadding"); // Compliant
      }
      catch(NoSuchAlgorithmException|NoSuchPaddingException e)
      {
      }
    }
} 
----

== See

* https://www.owasp.org/index.php/Top_10-2017_A3-Sensitive_Data_Exposure[OWASP Top 10 2017 Category A3] - Sensitive Data Exposure
* https://mobile-security.gitbook.io/masvs/security-requirements/0x08-v3-cryptography_verification_requirements[Mobile AppSec Verification Standard] - Cryptography Requirements
* https://owasp.org/www-project-mobile-top-10/2016-risks/m5-insufficient-cryptography[OWASP Mobile Top 10 2016 Category M5] - Insufficient Cryptography
* https://cwe.mitre.org/data/definitions/327.html[MITRE, CWE-327] - Use of a Broken or Risky Cryptographic Algorithm
* https://wiki.sei.cmu.edu/confluence/x/hDdGBQ[CERT, MSC61-J.] - Do not use insecure or weak cryptographic algorithms
* https://www.sans.org/top25-software-errors/#cat3[SANS Top 25] - Porous Defenses

ifdef::env-github,rspecator-view[]
'''
== Comments And Links
(visible only on this page)

include::../comments-and-links.adoc[]
endif::env-github,rspecator-view[]
Add missing rules because of approximative section names 2020-06-30 14:41:58 +02:00			`include::../description.adoc[]`

			`== Noncompliant Code Example`

			`----`
			`import javax.crypto.Cipher;`
			`import java.security.NoSuchAlgorithmException;`
			`import javax.crypto.NoSuchPaddingException;`

			`public class test {`

			`public static void main(String[] args) {`
			`try`
			`{`
			`Cipher c1 = Cipher.getInstance("DES"); // Noncompliant: DES works with 56-bit keys allow attacks via exhaustive search`
			`Cipher c7 = Cipher.getInstance("DESede"); // Noncompliant: Triple DES is vulnerable to meet-in-the-middle attack`
			`Cipher c13 = Cipher.getInstance("RC2"); // Noncompliant: RC2 is vulnerable to a related-key attack`
			`Cipher c19 = Cipher.getInstance("RC4"); // Noncompliant: vulnerable to several attacks (see https://en.wikipedia.org/wiki/RC4#Security)`
			`Cipher c25 = Cipher.getInstance("Blowfish"); // Noncompliant: Blowfish use a 64-bit block size makes it vulnerable to birthday attacks`

			`NullCipher nc = new NullCipher(); // Noncompliant: the NullCipher class provides an "identity cipher" one that does not transform or encrypt the plaintext in any way.`
			`}`
			`catch(NoSuchAlgorithmException\|NoSuchPaddingException e)`
			`{`
			`}`
			`}`
			`}`
			`----`

			`== Compliant Solution`

			`----`
			`import javax.crypto.Cipher;`
			`import java.security.NoSuchAlgorithmException;`
			`import javax.crypto.NoSuchPaddingException;`

			`public class test {`

			`public static void main(String[] args) {`
			`try`
			`{`
			`Cipher c31 = Cipher.getInstance("AES/GCM/NoPadding"); // Compliant`
			`}`
			`catch(NoSuchAlgorithmException\|NoSuchPaddingException e)`
			`{`
			`}`
			`}`
			`}`
			`----`

Update rules after the fix in the export module 2021-04-26 17:29:13 +02:00			`== See`

			`* https://www.owasp.org/index.php/Top_10-2017_A3-Sensitive_Data_Exposure[OWASP Top 10 2017 Category A3] - Sensitive Data Exposure`
add mobile security standards, links and tags to mobile rules and add new CWEv4.4 entries (#112) 2021-06-10 10:04:10 +02:00			`* https://mobile-security.gitbook.io/masvs/security-requirements/0x08-v3-cryptography_verification_requirements[Mobile AppSec Verification Standard] - Cryptography Requirements`
			`* https://owasp.org/www-project-mobile-top-10/2016-risks/m5-insufficient-cryptography[OWASP Mobile Top 10 2016 Category M5] - Insufficient Cryptography`
Update rules after the fix in the export module 2021-04-26 17:29:13 +02:00			`* https://cwe.mitre.org/data/definitions/327.html[MITRE, CWE-327] - Use of a Broken or Risky Cryptographic Algorithm`
			`* https://wiki.sei.cmu.edu/confluence/x/hDdGBQ[CERT, MSC61-J.] - Do not use insecure or weak cryptographic algorithms`
			`* https://www.sans.org/top25-software-errors/#cat3[SANS Top 25] - Porous Defenses`
Export comments and rspec-to-rspec links from jira 2021-06-02 20:44:38 +02:00
Fix the comment display: rule-id, timestamp, GH visibility, link direction 2021-06-03 09:05:38 +02:00			`ifdef::env-github,rspecator-view[]`
RULEAPI-576: add a horizontal rule between rule description and comments 2021-06-08 15:52:13 +02:00			`'''`
Export comments and rspec-to-rspec links from jira 2021-06-02 20:44:38 +02:00			`== Comments And Links`
			`(visible only on this page)`

			`include::../comments-and-links.adoc[]`
Fix the comment display: rule-id, timestamp, GH visibility, link direction 2021-06-03 09:05:38 +02:00			`endif::env-github,rspecator-view[]`