rspec/rules/S2073/rule.adoc

== Why is this an issue?

Optimal Asymmetric Encryption Padding adds an element of randomness to RSA encryption, and helps prevent partial decryption. Using RSA encryption with some other padding, or without padding yields an encrypted value that is easier for an attacker to decode.


=== Noncompliant code example

[source,text]
----
Cipher cipher = Cipher.getInstance("RSA/None/NOPADDING");  // Noncompliant
----


=== Compliant solution

[source,text]
----
Cipher cipher = Cipher.getInstance("RSA/ECB/OAEPWITHSHA-256ANDMGF1PADDING");
----


== Resources

* OWASP - https://owasp.org/Top10/A02_2021-Cryptographic_Failures/[Top 10 2021 Category A2 - Cryptographic Failures]
* CWE - https://cwe.mitre.org/data/definitions/780[CWE-780 - Use of RSA Algorithm without OAEP]
* OWASP - https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[Top 10 2017 Category A7 - Security Misconfiguration]
migrate rule descriptions to new education format 2023-05-03 11:06:20 +02:00			`== Why is this an issue?`

RULEAPI-617: Add Jira closed RSPECs in Github repository 2021-06-08 14:23:48 +02:00			`Optimal Asymmetric Encryption Padding adds an element of randomness to RSA encryption, and helps prevent partial decryption. Using RSA encryption with some other padding, or without padding yields an encrypted value that is easier for an attacker to decode.`


migrate rule descriptions to new education format 2023-05-03 11:06:20 +02:00			`=== Noncompliant code example`
RULEAPI-617: Add Jira closed RSPECs in Github repository 2021-06-08 14:23:48 +02:00
RULEAPI-661: Add syntax coloring 2022-02-04 17:28:24 +01:00			`[source,text]`
RULEAPI-617: Add Jira closed RSPECs in Github repository 2021-06-08 14:23:48 +02:00			`----`
			`Cipher cipher = Cipher.getInstance("RSA/None/NOPADDING"); // Noncompliant`
			`----`


migrate rule descriptions to new education format 2023-05-03 11:06:20 +02:00			`=== Compliant solution`
RULEAPI-617: Add Jira closed RSPECs in Github repository 2021-06-08 14:23:48 +02:00
RULEAPI-661: Add syntax coloring 2022-02-04 17:28:24 +01:00			`[source,text]`
RULEAPI-617: Add Jira closed RSPECs in Github repository 2021-06-08 14:23:48 +02:00			`----`
			`Cipher cipher = Cipher.getInstance("RSA/ECB/OAEPWITHSHA-256ANDMGF1PADDING");`
			`----`


migrate rule descriptions to new education format 2023-05-03 11:06:20 +02:00			`== Resources`
RULEAPI-617: Add Jira closed RSPECs in Github repository 2021-06-08 14:23:48 +02:00
Modify CWE and OWASP Top 10 links to follow standard link format (APPSEC-1134) (#3529) * Fix all CWE references * Fix all OWASP references * Fix missing CWE prefixes 2024-01-15 17:15:56 +01:00			`* OWASP - https://owasp.org/Top10/A02_2021-Cryptographic_Failures/[Top 10 2021 Category A2 - Cryptographic Failures]`
			`* CWE - https://cwe.mitre.org/data/definitions/780[CWE-780 - Use of RSA Algorithm without OAEP]`
Avoid OWASP Top 10 security-standard mismatch between metadata and description links (RULEAPI-798) (#3537) * Add check for security standard mismatch * Fix security standard mismatches * Fix Resources/Standards links for secrets rules * Fix check * Fix links and update security standard mapping * Fix maintanability issue * Apply review suggestions * Apply suggestions from code review Co-authored-by: Egon Okerman <egon.okerman@sonarsource.com> * Fix typo Co-authored-by: Egon Okerman <egon.okerman@sonarsource.com> --------- Co-authored-by: Egon Okerman <egon.okerman@sonarsource.com> 2024-01-17 17:20:28 +01:00			`* OWASP - https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[Top 10 2017 Category A7 - Security Misconfiguration]`
RULEAPI-617: Add Jira closed RSPECs in Github repository 2021-06-08 14:23:48 +02:00