
S3329 should consider the call to SecureRandom.generateSeed(...) as safe

    Details

    • Type: False-Positive
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 5.14
    • Fix Version/s: 6.1
    • Component/s: Rules
    • Labels: None

      Description

      Today, S3329 raises an issue on code like the following, which generates FPs on the OWASP Benchmark.

              // Reduced reproducer: the IV comes from SecureRandom.generateSeed, not a constant
              public class Reproducer_FP_S3329 {
                  public static void run() {
                      java.security.SecureRandom random = new java.security.SecureRandom();
                      byte[] iv = random.generateSeed(16); // "iv" is random thanks to SecureRandom

                      try {
                          javax.crypto.Cipher c = javax.crypto.Cipher.getInstance("AES/CBC/PKCS5PADDING",
                                  java.security.Security.getProvider("SunJCE"));

                          javax.crypto.SecretKey key = javax.crypto.KeyGenerator.getInstance("AES").generateKey();
                          java.security.spec.AlgorithmParameterSpec paramSpec = new javax.crypto.spec.IvParameterSpec(iv); // Compliant but an issue is raised
                      } catch (Exception e) {
                          // empty on purpose
                      }
                  }
              }


      S3329 should not raise an issue if the "iv" is generated by a call to SecureRandom.generateSeed(..).
      Today the rule only considers SecureRandom.nextBytes: https://github.com/SonarSource/sonar-java/blob/4cb1065f405edccbb7d229633945b3c56aeab04c/java-checks/src/main/java/org/sonar/java/checks/security/CipherBlockChainingCheck.java#L70

      Reproducer: https://github.com/agigleux/analyzers-playground/blob/master/src/main/java/S3329/Reproducer_FP_S3329.java
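      The following is an added example, not the reporter's reproducer and not code from sonar-java. It puts the three IV sources the rule has to distinguish side by side: a constant IV (what S3329 exists to catch), an IV filled with SecureRandom.nextBytes (the pattern the rule already accepts) and an IV returned by SecureRandom.generateSeed (the pattern this issue asks the rule to accept), and runs each through an AES/CBC round-trip so the practical difference is visible: with a fixed IV, encrypting the same message twice under the same key yields identical ciphertext, while either SecureRandom-derived IV yields different ciphertexts that still decrypt. The class and method names are assumptions. One caveat worth knowing when choosing between the two compliant forms: generateSeed is specified as returning seed material, and with some providers it reads from a blocking entropy source, so nextBytes is the idiomatic way to fill an IV even though both are unpredictable.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;

// Added example (hypothetical class name); not part of sonar-java or the OWASP Benchmark.
public class IvSources {

    private static final SecureRandom RNG = new SecureRandom();
    private static final int AES_BLOCK_BYTES = 16;

    // Noncompliant: a fixed IV makes CBC deterministic, so equal plaintexts under the
    // same key give equal ciphertexts. This is the case S3329 is meant to flag.
    static IvParameterSpec constantIv() {
        return new IvParameterSpec(new byte[AES_BLOCK_BYTES]);
    }

    // Compliant and already recognised by the rule: the IV is filled by nextBytes.
    static IvParameterSpec ivFromNextBytes() {
        byte[] iv = new byte[AES_BLOCK_BYTES];
        RNG.nextBytes(iv);
        return new IvParameterSpec(iv);
    }

    // Compliant but reported as an issue at the revision linked above: the IV comes from generateSeed.
    static IvParameterSpec ivFromGenerateSeed() {
        return new IvParameterSpec(RNG.generateSeed(AES_BLOCK_BYTES));
    }

    static byte[] encrypt(SecretKey key, IvParameterSpec iv, byte[] plaintext) throws Exception {
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, key, iv);
        return c.doFinal(plaintext);
    }

    static byte[] decrypt(SecretKey key, IvParameterSpec iv, byte[] ciphertext) throws Exception {
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.DECRYPT_MODE, key, iv);
        return c.doFinal(ciphertext);
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey key = kg.generateKey();

        // Constructed sample plaintext.
        byte[] msg = "same message, same key".getBytes(StandardCharsets.UTF_8);

        // Constant IV: the two ciphertexts are identical, which leaks plaintext equality.
        byte[] c1 = encrypt(key, constantIv(), msg);
        byte[] c2 = encrypt(key, constantIv(), msg);
        System.out.println("constant IV -> ciphertexts identical: " + Arrays.equals(c1, c2));

        // Either SecureRandom-derived IV: the two ciphertexts differ, and each still
        // decrypts back to the message when paired with the IV it was encrypted under.
        IvParameterSpec[][] randomIvPairs = {
            { ivFromNextBytes(), ivFromNextBytes() },
            { ivFromGenerateSeed(), ivFromGenerateSeed() }
        };
        String[] labels = { "nextBytes", "generateSeed" };
        for (int i = 0; i < randomIvPairs.length; i++) {
            IvParameterSpec first = randomIvPairs[i][0];
            IvParameterSpec second = randomIvPairs[i][1];
            byte[] d1 = encrypt(key, first, msg);
            byte[] d2 = encrypt(key, second, msg);
            boolean roundTrip = Arrays.equals(decrypt(key, first, d1), msg)
                    && Arrays.equals(decrypt(key, second, d2), msg);
            System.out.println(labels[i] + " IV -> ciphertexts identical: " + Arrays.equals(d1, d2)
                    + ", round-trip ok: " + roundTrip);
        }
    }
}
```

      Both ivFromNextBytes and ivFromGenerateSeed produce an IV the cipher cannot distinguish from the other; the only reason the rule treats them differently is that its list of accepted sources is a method-name match, so any fix consists of extending that match to generateSeed rather than changing anything about the cipher setup.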


            People

            • Assignee: Unassigned
            • Reporter: Alexandre Gigleux (alexandre.gigleux)