rspec/rules/S3329/apex/rule.adoc

== Why is this an issue?

include::../description.adoc[]

=== Noncompliant code example

[source,apex]
----
Blob cryptoKey = Crypto.generateAesKey(256);
Blob hardcoded_iv = Blob.valueOf('hardcoded IV');
Blob data = Blob.valueOf('some secret data');
Blob encryptedData = Crypto.encrypt('AES256', hardcoded_iv, key, data);  // Noncompliant, the IV is hardcoded
----

=== Compliant solution

[source,apex]
----
Blob cryptoKey = Crypto.generateAesKey(256);
Blob data = Blob.valueOf('some secret data');
Blob encryptedData = Crypto.encryptWithManagedIV('AES256', key, data);
----

== Resources

* https://owasp.org/Top10/A02_2021-Cryptographic_Failures/[OWASP Top 10 2021 Category A2] - Cryptographic Failures
* https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[OWASP Top 10 2017 Category A6] - Security Misconfiguration
* https://cwe.mitre.org/data/definitions/329[MITRE, CWE-329] - CWE-329: Not Using an Unpredictable IV with CBC Mode
* https://cwe.mitre.org/data/definitions/330[MITRE, CWE-330] - Use of Insufficiently Random Values
* https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38a.pdf[NIST, SP-800-38A] - Recommendation for Block  Cipher Modes of Operation 
* https://developer.salesforce.com/page/Apex_Crypto_Class[Using the Apex Crypto Class]

ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

=== Message

Use "encryptWithManagedIV" instead of providing a hardcoded IV


=== Highlighting

the initialization vector parameter


'''
== Comments And Links
(visible only on this page)

include::../comments-and-links.adoc[]
endif::env-github,rspecator-view[]
migrate rule descriptions to new education format 2023-05-03 11:06:20 +02:00			`== Why is this an issue?`

Add rules 3000-3999 2020-06-30 12:48:39 +02:00			`include::../description.adoc[]`

migrate rule descriptions to new education format 2023-05-03 11:06:20 +02:00			`=== Noncompliant code example`
Add rules 3000-3999 2020-06-30 12:48:39 +02:00
RULEAPI-661: Add syntax coloring 2022-02-04 17:28:24 +01:00			`[source,apex]`
Add rules 3000-3999 2020-06-30 12:48:39 +02:00			`----`
			`Blob cryptoKey = Crypto.generateAesKey(256);`
			`Blob hardcoded_iv = Blob.valueOf('hardcoded IV');`
			`Blob data = Blob.valueOf('some secret data');`
			`Blob encryptedData = Crypto.encrypt('AES256', hardcoded_iv, key, data); // Noncompliant, the IV is hardcoded`
			`----`

migrate rule descriptions to new education format 2023-05-03 11:06:20 +02:00			`=== Compliant solution`
Add rules 3000-3999 2020-06-30 12:48:39 +02:00
RULEAPI-661: Add syntax coloring 2022-02-04 17:28:24 +01:00			`[source,apex]`
Add rules 3000-3999 2020-06-30 12:48:39 +02:00			`----`
			`Blob cryptoKey = Crypto.generateAesKey(256);`
			`Blob data = Blob.valueOf('some secret data');`
			`Blob encryptedData = Crypto.encryptWithManagedIV('AES256', key, data);`
			`----`

migrate rule descriptions to new education format 2023-05-03 11:06:20 +02:00			`== Resources`
Add rules 3000-3999 2020-06-30 12:48:39 +02:00
RULEAPI-709: Security rules are mapped to the OWASP Top 10 2021 security-standard (#545) 2021-11-01 15:00:32 +01:00			`* https://owasp.org/Top10/A02_2021-Cryptographic_Failures/[OWASP Top 10 2021 Category A2] - Cryptographic Failures`
Modify: Fix old/broken embedded links (#1100) 2022-07-08 13:58:56 +02:00			`* https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[OWASP Top 10 2017 Category A6] - Security Misconfiguration`
RULEAPI-755 Update CWE URLs by removing .html suffix and update with https protocol (#926) * Change affects only see.adoc and rule.adoc files, not comments-and-links.adoc files 2022-04-07 08:53:59 -05:00			`* https://cwe.mitre.org/data/definitions/329[MITRE, CWE-329] - CWE-329: Not Using an Unpredictable IV with CBC Mode`
			`* https://cwe.mitre.org/data/definitions/330[MITRE, CWE-330] - Use of Insufficiently Random Values`
Update rules after the fix in the export module 2021-04-26 17:29:13 +02:00			`* https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38a.pdf[NIST, SP-800-38A] - Recommendation for Block Cipher Modes of Operation`
Add rules 3000-3999 2020-06-30 12:48:39 +02:00			`* https://developer.salesforce.com/page/Apex_Crypto_Class[Using the Apex Crypto Class]`
Export comments and rspec-to-rspec links from jira 2021-06-02 20:44:38 +02:00
Fix the comment display: rule-id, timestamp, GH visibility, link direction 2021-06-03 09:05:38 +02:00			`ifdef::env-github,rspecator-view[]`
RULEAPI-666: Migrate the "List of parameters", "Highlighting" and "Message" fields from jira RSPEC (#346) 2021-09-20 15:38:42 +02:00
			`'''`
			`== Implementation Specification`
			`(visible only on this page)`

Inline adoc when include has no additional value (#1940) Inline adoc files when they are included exactly once. Also fix language tags because this inlining gives us better information on what language the code is written in. 2023-05-25 14:18:12 +02:00			`=== Message`

			`Use "encryptWithManagedIV" instead of providing a hardcoded IV`


			`=== Highlighting`

			`the initialization vector parameter`
RULEAPI-666: Migrate the "List of parameters", "Highlighting" and "Message" fields from jira RSPEC (#346) 2021-09-20 15:38:42 +02:00

RULEAPI-576: add a horizontal rule between rule description and comments 2021-06-08 15:52:13 +02:00			`'''`
Export comments and rspec-to-rspec links from jira 2021-06-02 20:44:38 +02:00			`== Comments And Links`
			`(visible only on this page)`

			`include::../comments-and-links.adoc[]`
Fix the comment display: rule-id, timestamp, GH visibility, link direction 2021-06-03 09:05:38 +02:00			`endif::env-github,rspecator-view[]`