SonarKotlin / SONARKT-5

Rule S5547 Cipher algorithms should be robust


    Details

    • Type: New Feature
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 2.0
    • Component/s: None
    • Labels:

      Description

      New rule to implement

      As for the same rule in Java, the Kotlin analyzer should raise an issue when getInstance is called with a weak algorithm.

      The algorithm is the first part of the transformation argument of the getInstance method (the characters before the first /):

      val c1 = Cipher.getInstance("DESEDE/CBC/NoPadding") // Noncompliant (s5547)
      

      or the complete string if the transformation is not explicitly defined:

      val c1 = Cipher.getInstance("DES") // Noncompliant (s5547)
      

      Weak algorithms:

      • DESEDE
      • DESEDEWRAP
      • DES
      • ARC4
      • ARCFOUR
      • BLOWFISH
      • RC2
      • ARC2
      • RC4

      Matching should be case-insensitive.

      https://developer.android.com/guide/topics/security/cryptography

      The rule should also raise an issue when a NullCipher object is used:

      val nc = NullCipher() // Noncompliant (s5547)
      

      Code examples: https://github.com/SonarSource/security-expected-issues/pull/424
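As an added example (not SonarKotlin's implementation), a small Python checker that applies the rule as described above: it takes the algorithm part of the transformation literal, matches it case-insensitively against the weak list, and flags NullCipher(). The regex scan over string-literal arguments and the SAMPLE_KOTLIN input are constructed assumptions.

```python
import re
from typing import NamedTuple

# Weak algorithm names listed in the issue; matching is case-insensitive.
WEAK_ALGORITHMS = frozenset({
    "DESEDE", "DESEDEWRAP", "DES", "ARC4", "ARCFOUR",
    "BLOWFISH", "RC2", "ARC2", "RC4",
})

# Assumed heuristics: only string-literal arguments and bare NullCipher() calls are matched.
_GET_INSTANCE = re.compile(r'Cipher\.getInstance\(\s*"([^"]*)"')
_NULL_CIPHER = re.compile(r'\bNullCipher\(\)')


class Finding(NamedTuple):
    line: int
    message: str


def algorithm_of(transformation: str) -> str:
    """Algorithm part of a JCA transformation: the text before the first '/',
    or the whole string when no mode/padding is given (e.g. "DES")."""
    return transformation.split("/", 1)[0].strip()


def is_weak(transformation: str) -> bool:
    """True when the algorithm part is in the weak list, ignoring case."""
    return algorithm_of(transformation).upper() in WEAK_ALGORITHMS


def scan_source(source: str) -> list[Finding]:
    """Apply the S5547 checks line by line and collect findings."""
    findings = []
    for number, text in enumerate(source.splitlines(), start=1):
        for match in _GET_INSTANCE.finditer(text):
            if is_weak(match.group(1)):
                algo = algorithm_of(match.group(1))
                findings.append(Finding(number, f"weak algorithm {algo!r}"))
        if _NULL_CIPHER.search(text):
            findings.append(Finding(number, "NullCipher performs no encryption"))
    return findings


# Constructed Kotlin snippet (not from the project) mixing compliant and noncompliant calls.
SAMPLE_KOTLIN = """\
val c1 = Cipher.getInstance("DESEDE/CBC/NoPadding")  // Noncompliant
val c2 = Cipher.getInstance("des")                    // Noncompliant: case-insensitive
val c3 = Cipher.getInstance("AES/GCM/NoPadding")      // Compliant
val nc = NullCipher()                                 // Noncompliant
"""
```

Running scan_source(SAMPLE_KOTLIN) reports lines 1, 2 and 4 and leaves the AES/GCM call alone.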

              People

              Assignee:
              johann.beleites Johann Beleites
              Reporter:
              eric.therond Eric Therond (Inactive)