Add Security Rules for Detecting RC2 and RC4 Cryptographic Algorithms (#127)

* removed missing-secure-java

* use-of-rc4-java

* use-of-rc2-java

---------

Co-authored-by: Sakshis <[email protected]>
ESS-ENN and Sakshis authored Jan 9, 2025
1 parent ab08455 commit 36b59a3
Showing 6 changed files with 370 additions and 0 deletions.
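--- a/rules/java/security/use-of-rc2-java.yml
+++ b/rules/java/security/use-of-rc2-java.yml
@@ -0,0 +1,88 @@
+id: use-of-rc2-java
+language: java
+severity: warning
+message: >-
+Use of RC2 was detected. RC2 is vulnerable to related-key attacks, and
+is therefore considered non-compliant. Instead, use a strong, secure.
+note: >-
+[CWE-327] Use of a Broken or Risky Cryptographic Algorithm.
+[REFERENCES]
+- https://owasp.org/Top10/A02_2021-Cryptographic_Failures
+- https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html
+utils:
+$CIPHER.getInstance("RC2"):
+kind: method_invocation
+all:
+- has:
+stopBy: neighbor
+kind: identifier
+nthchild: 1
+- has:
+stopBy: neighbor
+kind: identifier
+nthchild: 2
+regex: ^getInstance$
+- has:
+stopBy: neighbor
+kind: argument_list
+all:
+- has:
+stopBy: end
+kind: string_fragment
+regex: ^RC2$
+- not:
+has:
+stopBy: end
+kind: array_access
+
+$CIPHER.getInstance("RC2")_with_instance:
+kind: method_invocation
+all:
+- has:
+stopBy: neighbor
+kind: identifier
+nthchild: 1
+- has:
+stopBy: neighbor
+kind: identifier
+nthchild: 2
+regex: ^getInstance$
+- has:
+stopBy: neighbor
+kind: argument_list
+has:
+stopBy: end
+kind: identifier
+pattern: $RC2
+not:
+inside:
+stopBy: end
+kind: array_access
+- inside:
+stopBy: end
+follows:
+stopBy: end
+kind: local_variable_declaration
+has:
+stopBy: end
+kind: variable_declarator
+all:
+- has:
+stopBy: neighbor
+kind: identifier
+pattern: $RC2
+- has:
+stopBy: neighbor
+kind: string_literal
+has:
+stopBy: neighbor
+kind: string_fragment
+regex: ^RC2$
+
+
+rule:
+kind: method_invocation
+any:
+- matches: $CIPHER.getInstance("RC2")
+- matches: $CIPHER.getInstance("RC2")_with_instance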
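Review bot: The `regex: ^RC2$` on the string_fragment, used in both utils, only matches the bare algorithm name, so `Cipher.getInstance("RC2/CBC/PKCS5Padding")` and lower-case spellings (JCA algorithm names are case-insensitive) are not reported; `regex: (?i)^RC2(/|$)` covers those without matching unrelated strings. The `message:` also ends mid-sentence (`Instead, use a strong, secure.`), so the finding carries no remediation; something like `Instead, use an authenticated cipher such as Cipher.getInstance("AES/GCM/NoPadding").` would put it on par with the RC4 rule. The only external link under `[REFERENCES]` is a Project Zero post about RC4, which does not support the related-key claim made here for RC2; cite an RC2-specific source or soften the claim to "RC2 is a legacy 64-bit block cipher with known cryptanalytic weaknesses".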
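--- a/rules/java/security/use-of-rc4-java.yml
+++ b/rules/java/security/use-of-rc4-java.yml
@@ -0,0 +1,42 @@
+id: use-of-rc4-java
+language: java
+severity: warning
+message: >-
+'Use of RC4 was detected. RC4 is vulnerable to several attacks,
+including stream cipher attacks and bit flipping attacks. Instead, use a
+strong, secure cipher: Cipher.getInstance("AES/CBC/PKCS7PADDING"). See
+https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions
+for more information.'
+note: >-
+[CWE-327] Use of a Broken or Risky Cryptographic Algorithm
+[REFERENCES]
+- https://owasp.org/Top10/A02_2021-Cryptographic_Failures
+- https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html
+rule:
+pattern: $CIPHER.getInstance($ARGUMENT)
+
+constraints:
+ARGUMENT:
+any:
+- has:
+stopBy: end
+kind: string_literal
+has:
+kind: string_fragment
+regex: ^RC4$
+- kind: string_literal
+has:
+kind: string_fragment
+regex: ^RC4$
+
+all:
+- not:
+has:
+nthChild: 2
+- not:
+has:
+stopBy: end
+any:
+- kind: array_access
+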
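Review bot: The constraint `regex: ^RC4$` misses the JCA standard name for this cipher — `Cipher.getInstance("ARCFOUR")`, of which "RC4" is only an alias — and, since JCA names are case-insensitive, `"rc4"` as well; `regex: (?i)^(RC4|ARCFOUR)$` in both branches closes those gaps. The remediation in `message:` recommends `AES/CBC/PKCS7PADDING`, but unauthenticated CBC is itself malleable under the bit-flipping attack the message cites against RC4, and `PKCS7Padding` is not a JCA standard padding name (the default provider exposes that scheme as `PKCS5Padding`), so the suggested transformation will presumably fail at runtime on a stock JDK; `Cipher.getInstance("AES/GCM/NoPadding")` would be both runnable and sound. Unlike use-of-rc2-java, this rule has no util for the `String alg = "RC4"; Cipher.getInstance(alg)` indirection, so that pattern is detected only for RC2; reusing the same two-util structure would keep the two rules consistent.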
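--- a/tests/__snapshots__/use-of-rc2-java-snapshot.yml
+++ b/tests/__snapshots__/use-of-rc2-java-snapshot.yml
@@ -0,0 +1,168 @@
+id: use-of-rc2-java
+snapshots:
+? |
+public void testRC2InMap() {
+Map<String, Cipher> cipherMap = new HashMap<>();
+cipherMap.put("RC2", Cipher.getInstance("RC2"));
+}
+: labels:
+- source: Cipher.getInstance("RC2")
+style: primary
+start: 99
+end: 124
+- source: Cipher
+style: secondary
+start: 99
+end: 105
+- source: getInstance
+style: secondary
+start: 106
+end: 117
+- source: RC2
+style: secondary
+start: 119
+end: 122
+- source: ("RC2")
+style: secondary
+start: 117
+end: 124
+? |-
+public void testRC2InSwitch() {
+String algorithm = "RC2";
+switch (algorithm) {
+case "RC2":
+try {
+Cipher.getInstance(algorithm);
+} catch (Exception e) {
+e.printStackTrace();
+}
+break;
+}
+}
+: labels:
+- source: Cipher.getInstance(algorithm)
+style: primary
+start: 109
+end: 138
+- source: Cipher
+style: secondary
+start: 109
+end: 115
+- source: getInstance
+style: secondary
+start: 116
+end: 127
+- source: algorithm
+style: secondary
+start: 128
+end: 137
+- source: (algorithm)
+style: secondary
+start: 127
+end: 138
+- source: algorithm
+style: secondary
+start: 39
+end: 48
+- source: RC2
+style: secondary
+start: 52
+end: 55
+- source: '"RC2"'
+style: secondary
+start: 51
+end: 56
+- source: algorithm = "RC2"
+style: secondary
+start: 39
+end: 56
+- source: String algorithm = "RC2";
+style: secondary
+start: 32
+end: 57
+- source: String algorithm = "RC2";
+style: secondary
+start: 32
+end: 57
+? |
+public void testRC2InSwitch() {
+String algorithm = "RC2";
+switch (algorithm) {
+case "RC2":
+try {
+Cipher.getInstance(algorithm);
+} catch (Exception e) {
+e.printStackTrace();
+}
+break;
+}
+}
+: labels:
+- source: Cipher.getInstance(algorithm)
+style: primary
+start: 109
+end: 138
+- source: Cipher
+style: secondary
+start: 109
+end: 115
+- source: getInstance
+style: secondary
+start: 116
+end: 127
+- source: algorithm
+style: secondary
+start: 128
+end: 137
+- source: (algorithm)
+style: secondary
+start: 127
+end: 138
+- source: algorithm
+style: secondary
+start: 39
+end: 48
+- source: RC2
+style: secondary
+start: 52
+end: 55
+- source: '"RC2"'
+style: secondary
+start: 51
+end: 56
+- source: algorithm = "RC2"
+style: secondary
+start: 39
+end: 56
+- source: String algorithm = "RC2";
+style: secondary
+start: 32
+end: 57
+- source: String algorithm = "RC2";
+style: secondary
+start: 32
+end: 57
+? |
+useCipher(Cipher.getInstance("RC2"));
+Cipher.getInstance("RC2");
+: labels:
+- source: Cipher.getInstance("RC2")
+style: primary
+start: 10
+end: 35
+- source: Cipher
+style: secondary
+start: 10
+end: 16
+- source: getInstance
+style: secondary
+start: 17
+end: 28
+- source: RC2
+style: secondary
+start: 30
+end: 33
+- source: ("RC2")
+style: secondary
+start: 28
+end: 35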
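--- a/tests/__snapshots__/use-of-rc4-java-snapshot.yml
+++ b/tests/__snapshots__/use-of-rc4-java-snapshot.yml
@@ -0,0 +1,24 @@
+id: use-of-rc4-java
+snapshots:
+? |
+Cipher.getInstance("RC4");
+: labels:
+- source: Cipher.getInstance("RC4")
+style: primary
+start: 0
+end: 25
+- source: RC4
+style: secondary
+start: 20
+end: 23
+? |
+useCipher(Cipher.getInstance("RC4"));
+: labels:
+- source: Cipher.getInstance("RC4")
+style: primary
+start: 10
+end: 35
+- source: RC4
+style: secondary
+start: 30
+end: 33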
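--- a/tests/java/use-of-rc2-java-test.yml
+++ b/tests/java/use-of-rc2-java-test.yml
@@ -0,0 +1,39 @@
+id: use-of-rc2-java
+valid:
+- |
+Cipher.getInstance("AES/CBC/PKCS7PADDING");
+invalid:
+- |
+useCipher(Cipher.getInstance("RC2"));
+Cipher.getInstance("RC2");
+- |
+public void testRC2InSwitch() {
+String algorithm = "RC2";
+switch (algorithm) {
+case "RC2":
+try {
+Cipher.getInstance(algorithm);
+} catch (Exception e) {
+e.printStackTrace();
+}
+break;
+}
+}
+- |
+public void testRC2InMap() {
+Map<String, Cipher> cipherMap = new HashMap<>();
+cipherMap.put("RC2", Cipher.getInstance("RC2"));
+}
+- |
+public void testRC2InSwitch() {
+String algorithm = "RC2";
+switch (algorithm) {
+case "RC2":
+try {
+Cipher.getInstance(algorithm);
+} catch (Exception e) {
+e.printStackTrace();
+}
+break;
+}
+}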
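Review bot: The last `invalid:` case is an exact repeat of the second `testRC2InSwitch` case, which is why the snapshot file carries that entry twice (once as `|-`, once as `|`); drop the duplicate. The `valid:` list holds a single AES transformation, so the `not: … array_access` exclusions in the rule are exercised nowhere; a `valid:` case such as `String[] algs = {"RC2"}; Cipher.getInstance(algs[0]);` would pin down whether suppressing array-indexed lookups is intended rather than accidental. A `valid:` case binding a variable to a non-RC2 literal, `String a = "AES"; Cipher.getInstance(a);`, would likewise confirm the `_with_instance` util does not over-match on any preceding declaration.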
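--- a/tests/java/use-of-rc4-java-test.yml
+++ b/tests/java/use-of-rc4-java-test.yml
@@ -0,0 +1,9 @@
+id: use-of-rc4-java
+valid:
+- |
+Cipher.getInstance("AES/CBC/PKCS7PADDING");
+invalid:
+- |
+Cipher.getInstance("RC4");
+- |
+useCipher(Cipher.getInstance("RC4"));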
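Review bot: Neither `invalid:` case covers the variable-indirection form the RC2 tests exercise (`String algorithm = "RC4"; Cipher.getInstance(algorithm);`), and since this rule constrains `$ARGUMENT` to a string literal that form would presumably go unreported; adding the case here makes the gap visible rather than silent. The only `valid:` case, `AES/CBC/PKCS7PADDING`, is a transformation a stock JDK is unlikely to accept (`PKCS7Padding` is not a JCA standard padding name), so it is a poor model of what the rule should steer people towards; `Cipher.getInstance("AES/GCM/NoPadding");` would be a better negative example.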
