SonarJava / SONARJAVA-3183

S3329 should consider the call to SecureRandom.generateSeed(...) as safe

    Details

    • Type: False-Positive
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 5.14
    • Fix Version/s: 6.1
    • Component/s: Rules
    • Labels:

      Description

      Today, S3329 raises an issue on code such as the following, which generates false positives on the OWASP Benchmark.

        java.security.SecureRandom random = new java.security.SecureRandom();
        byte[] iv = random.generateSeed(16); // "iv" is random thanks to SecureRandom

        try {
            javax.crypto.Cipher c = javax.crypto.Cipher.getInstance("AES/CBC/PKCS5PADDING",
                    java.security.Security.getProvider("SunJCE"));

            javax.crypto.SecretKey key = javax.crypto.KeyGenerator.getInstance("AES").generateKey();
            java.security.spec.AlgorithmParameterSpec paramSpec = new javax.crypto.spec.IvParameterSpec(iv); // Compliant but an issue is raised
        } catch (Exception e) {
            // empty on purpose
        }


      S3329 should not raise an issue when the "iv" is generated by a call to SecureRandom.generateSeed(...).
      Today the rule only considers SecureRandom.nextBytes: https://github.com/SonarSource/sonar-java/blob/4cb1065f405edccbb7d229633945b3c56aeab04c/java-checks/src/main/java/org/sonar/java/checks/security/CipherBlockChainingCheck.java#L70

      Reproducer: https://github.com/agigleux/analyzers-playground/blob/master/src/main/java/S3329/Reproducer_FP_S3329.java
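      As an added example (not code from the ticket or from sonar-java), the three IV sources S3329 has to tell apart, with an AES/CBC round trip showing that both SecureRandom calls yield usable IVs; the class and method names are the example's own.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;

// Added example, not from the ticket or sonar-java: IV sources S3329 must distinguish.
public class CbcIvExample {
    private static final SecureRandom RNG = new SecureRandom();

    // Compliant: the call CipherBlockChainingCheck already recognises.
    static byte[] ivFromNextBytes() {
        byte[] iv = new byte[16];
        RNG.nextBytes(iv);
        return iv;
    }

    // Compliant: the call this ticket asks the rule to recognise as well.
    static byte[] ivFromGenerateSeed() {
        return RNG.generateSeed(16);
    }

    // Noncompliant: a fixed IV makes equal plaintexts encrypt to equal ciphertexts.
    static byte[] constantIv() {
        return new byte[16];
    }

    static byte[] run(int mode, SecretKey key, byte[] iv, byte[] data) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(mode, key, new IvParameterSpec(iv));
        return c.doFinal(data);
    }

    public static void main(String[] args) throws GeneralSecurityException {
        SecretKey key = KeyGenerator.getInstance("AES").generateKey();
        byte[] msg = "constructed sample plaintext".getBytes(StandardCharsets.UTF_8); // constructed input
        for (byte[] iv : new byte[][] { ivFromNextBytes(), ivFromGenerateSeed() }) {
            byte[] ct = run(Cipher.ENCRYPT_MODE, key, iv, msg);
            if (!Arrays.equals(msg, run(Cipher.DECRYPT_MODE, key, iv, ct))) throw new AssertionError("round trip failed");
        }
        // Same key, same fixed IV, same plaintext: identical ciphertexts, the leak the rule guards against.
        byte[] a = run(Cipher.ENCRYPT_MODE, key, constantIv(), msg);
        byte[] b = run(Cipher.ENCRYPT_MODE, key, constantIv(), msg);
        System.out.println("fixed IV repeats ciphertext: " + Arrays.equals(a, b));
    }
}
```

      Note that generateSeed(...) draws from the provider's seed source, which can block on some platforms, so nextBytes(...) remains the usual choice for IVs; both produce unpredictable bytes, which is what the rule is meant to check.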

              People

              • Assignee: Quentin Jaquier (quentin.jaquier)
              • Reporter: Alexandre Gigleux (alexandre.gigleux)
              • Votes: 0
              • Watchers: 2
