rspec/rules/S3329/apex/rule.adoc
Fred Tingaud 16f6c0aecf
Inline adoc when include has no additional value (#1940)
Inline adoc files when they are included exactly once.

Also fix language tags because this inlining gives us better information
on what language the code is written in.
2023-05-25 14:18:12 +02:00

== Why is this an issue?
include::../description.adoc[]
=== Noncompliant code example
[source,apex]
----
Blob cryptoKey = Crypto.generateAesKey(256);
Blob hardcoded_iv = Blob.valueOf('hardcoded IV 123'); // 16 bytes, and the same for every message
Blob data = Blob.valueOf('some secret data');
Blob encryptedData = Crypto.encrypt('AES256', cryptoKey, hardcoded_iv, data); // Noncompliant, the IV is hardcoded
----
=== Compliant solution
[source,apex]
----
Blob cryptoKey = Crypto.generateAesKey(256);
Blob data = Blob.valueOf('some secret data');
Blob encryptedData = Crypto.encryptWithManagedIV('AES256', cryptoKey, data); // a fresh random IV is generated per call
----
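The following is an added example, not part of the rule or its test cases, that contrasts the two calls above: with a fixed IV, equal plaintexts produce equal ciphertexts, while `encryptWithManagedIV` draws a fresh IV per call and prepends it to the output, which is why `decryptWithManagedIV` (or a manual split of the first 16 bytes) recovers the data. It uses only the standard Apex `Crypto` and `EncodingUtil` classes; the fixed IV and plaintext values are constructed here.

```apex
// Added example: shows the information leak of a fixed IV and the layout
// of encryptWithManagedIV output. Uses only standard Apex Crypto/EncodingUtil.
public class ManagedIvDemo {
    public static void run() {
        Blob cryptoKey = Crypto.generateAesKey(256);
        Blob data = Blob.valueOf('some secret data'); // 16 bytes, one AES block

        // Fixed IV (constructed, 16 bytes): the same plaintext encrypts to the
        // same ciphertext every time, so an observer learns that two messages match.
        Blob fixedIv = Blob.valueOf('0123456789abcdef');
        Blob c1 = Crypto.encrypt('AES256', cryptoKey, fixedIv, data);
        Blob c2 = Crypto.encrypt('AES256', cryptoKey, fixedIv, data);
        System.assertEquals(EncodingUtil.convertToHex(c1), EncodingUtil.convertToHex(c2));

        // Managed IV: a random IV is generated per call and prepended to the
        // ciphertext, so two encryptions of the same data differ.
        Blob m1 = Crypto.encryptWithManagedIV('AES256', cryptoKey, data);
        Blob m2 = Crypto.encryptWithManagedIV('AES256', cryptoKey, data);
        System.assertNotEquals(EncodingUtil.convertToHex(m1), EncodingUtil.convertToHex(m2));
        // 16-byte IV followed by 32 bytes of PKCS#5-padded CBC ciphertext.
        System.assertEquals(48, m1.size());

        // The first 16 bytes are the IV; the remainder decrypts with the
        // explicit-IV API, which is what decryptWithManagedIV does internally.
        String hex = EncodingUtil.convertToHex(m1);
        Blob iv = EncodingUtil.convertFromHex(hex.substring(0, 32));
        Blob body = EncodingUtil.convertFromHex(hex.substring(32));
        Blob plain = Crypto.decrypt('AES256', cryptoKey, iv, body);
        System.assertEquals('some secret data', plain.toString());

        // The matching helper performs the same split for you.
        Blob plain2 = Crypto.decryptWithManagedIV('AES256', cryptoKey, m1);
        System.assertEquals('some secret data', plain2.toString());
    }
}
```

Run `ManagedIvDemo.run();` from Execute Anonymous; all assertions pass, and only the fixed-IV pair yields identical ciphertexts.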
== Resources
* https://owasp.org/Top10/A02_2021-Cryptographic_Failures/[OWASP Top 10 2021 Category A2] - Cryptographic Failures
* https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[OWASP Top 10 2017 Category A6] - Security Misconfiguration
* https://cwe.mitre.org/data/definitions/329[MITRE, CWE-329] - CWE-329: Not Using an Unpredictable IV with CBC Mode
* https://cwe.mitre.org/data/definitions/330[MITRE, CWE-330] - Use of Insufficiently Random Values
* https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38a.pdf[NIST, SP-800-38A] - Recommendation for Block Cipher Modes of Operation
* https://developer.salesforce.com/page/Apex_Crypto_Class[Using the Apex Crypto Class]
ifdef::env-github,rspecator-view[]
'''
== Implementation Specification
(visible only on this page)
=== Message
Use "encryptWithManagedIV" instead of providing a hardcoded IV
=== Highlighting
the initialization vector parameter
'''
== Comments And Links
(visible only on this page)
include::../comments-and-links.adoc[]
endif::env-github,rspecator-view[]