SONARJAVA-3316

FP S5542 (EncryptionAlgorithmCheck) more secure algorithms and algorithm name using different case


    Details

    • Type: False-Positive
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 6.3
    • Component/s: Rules
    • Labels:

      Description

      Rule S5542 should compare secure algorithm names case-insensitively.

      Cipher.getInstance("RSA/None/OAEPWITHSHA-256ANDMGF1PADDING"); // Compliant
      Cipher.getInstance("RSA/None/OAEPWithSHA-256AndMGF1Padding"); // false-positive

      Moreover, the rule should support more secure algorithms:

      RSA/None/OAEPWITHSHA-384ANDMGF1PADDING
      RSA/None/OAEPWITHSHA-512ANDMGF1PADDING

      In fact, for the RSA algorithm, with any mode, every padding scheme whose name starts with "OAEP" is secure (not only "OAEPWITHSHA-256ANDMGF1PADDING" and "OAEPWithSHA-1AndMGF1Padding").
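      The following is an added example modelling the decision this issue asks for; it is not SonarJava's implementation of S5542. The class name RsaPaddingCheck and the method isSecureRsaTransformation are assumptions, and it only covers the RSA/OAEP part of the rule, not its other checks.

```java
import java.util.Locale;

/** Hypothetical model of the corrected S5542 decision for RSA transformations (not SonarJava code). */
public final class RsaPaddingCheck {

    /**
     * Returns true when the transformation is an RSA cipher whose padding scheme starts with "OAEP",
     * whatever the mode and whatever case the name is written in.
     * Returns false for RSA with any other padding. Non-RSA transformations are outside this model
     * and also return false, so they would fall through to the rule's other checks.
     */
    public static boolean isSecureRsaTransformation(String transformation) {
        if (transformation == null) {
            return false;
        }
        // JCA transformation syntax is "algorithm/mode/padding"; a bare "RSA" has no padding part.
        String[] parts = transformation.trim().split("/");
        if (parts.length != 3) {
            return false;
        }
        String algorithm = parts[0].trim().toUpperCase(Locale.ROOT);
        String padding = parts[2].trim().toUpperCase(Locale.ROOT);
        // The JCA resolves algorithm names case-insensitively, so "OAEPWithSHA-256AndMGF1Padding"
        // and "OAEPWITHSHA-256ANDMGF1PADDING" name the same padding; compare on the upper-cased form.
        return "RSA".equals(algorithm) && padding.startsWith("OAEP");
    }

    public static void main(String[] args) {
        // Transformations from this issue: all of them must be reported as compliant.
        String[] transformations = {
            "RSA/None/OAEPWITHSHA-256ANDMGF1PADDING",
            "RSA/None/OAEPWithSHA-256AndMGF1Padding", // the false positive reported above
            "RSA/None/OAEPWITHSHA-384ANDMGF1PADDING",
            "RSA/None/OAEPWITHSHA-512ANDMGF1PADDING",
            "RSA/ECB/OAEPWithSHA-1AndMGF1Padding",
            "RSA/ECB/PKCS1Padding" // constructed counter-example: non-OAEP padding stays flagged
        };
        for (String t : transformations) {
            String verdict = isSecureRsaTransformation(t) ? "Compliant    " : "Noncompliant ";
            System.out.println(verdict + t);
        }
    }
}
```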

              People

              Assignee:
              quentin.jaquier Quentin Jaquier
              Reporter:
              alban.auzeill Alban Auzeill