A false negative about the rule S5542

  • What language is this for? - Java
  • Which rule? - S5542
  • Why do you believe it’s a false-positive/false-negative?
    • In the following code example, SonarQube should have reported an S5542 warning at line 12 because the encryption algorithm used (AES/CBC/PKCS5Padding) is weak.
  • Are you using
    • SonarQube Server / Community Build - Latest

Code Example

import java.security.NoSuchAlgorithmException;
import javax.crypto.Cipher;
import javax.crypto.NoSuchPaddingException;

public class Main {
    public static void main(String[] args) {
        processCipher("AES/CBC/PKCS5Padding");
    }

    private static void processCipher(String transformation) {
        try {
            // transformation is "AES/CBC/PKCS5Padding" here (code line 12): S5542 expected but not reported
            Cipher.getInstance(transformation);
        } catch (NoSuchAlgorithmException | NoSuchPaddingException e) {
            e.printStackTrace();
        }
    }
}
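
The weak construction from the report beside its hardened form, as an added example that is not code from the original post or from SonarSource. The class name CipherModes, the helper names, the tag and IV sizes, and the sample plaintext are my own constructed choices. The getCipher indirection mirrors the report's processCipher, so the CBC transformation reaches Cipher.getInstance() only through a parameter; encryptGcm/decryptGcm show the replacement S5542 points toward, an authenticated (AEAD) mode, where a modified ciphertext fails with AEADBadTagException instead of decrypting.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

public class CipherModes {

    // Same shape as the report: the transformation string is a constant that
    // reaches Cipher.getInstance() only via a method parameter. A checker that
    // inspects the literal at the call site alone never sees "CBC".
    static Cipher cbcThroughParameter() throws GeneralSecurityException {
        return getCipher("AES/CBC/PKCS5Padding"); // S5542 should fire on the getInstance call
    }

    static Cipher getCipher(String transformation) throws GeneralSecurityException {
        return Cipher.getInstance(transformation);
    }

    // Hardened form: AES-GCM is an AEAD mode, so the ciphertext carries an
    // authentication tag and any modification is detected on decryption.
    static final int GCM_TAG_BITS = 128; // constructed choice; 128 is the usual maximum
    static final int GCM_IV_BYTES = 12;  // constructed choice; 96-bit IV is the standard GCM nonce size

    static byte[] encryptGcm(SecretKey key, byte[] plaintext) throws GeneralSecurityException {
        byte[] iv = new byte[GCM_IV_BYTES];
        new SecureRandom().nextBytes(iv); // fresh IV per message; never reuse an IV with the same key
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(GCM_TAG_BITS, iv));
        byte[] ct = cipher.doFinal(plaintext); // ciphertext followed by the 16-byte tag
        // Prepend the IV so the receiver can rebuild the parameters.
        byte[] out = new byte[iv.length + ct.length];
        System.arraycopy(iv, 0, out, 0, iv.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return out;
    }

    static byte[] decryptGcm(SecretKey key, byte[] blob) throws GeneralSecurityException {
        byte[] iv = Arrays.copyOfRange(blob, 0, GCM_IV_BYTES);
        byte[] ct = Arrays.copyOfRange(blob, GCM_IV_BYTES, blob.length);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(GCM_TAG_BITS, iv));
        return cipher.doFinal(ct); // throws AEADBadTagException if blob was altered
    }

    public static void main(String[] args) throws GeneralSecurityException {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey key = kg.generateKey();

        // Constructed sample input.
        byte[] blob = encryptGcm(key, "constructed sample plaintext".getBytes(StandardCharsets.UTF_8));
        System.out.println(new String(decryptGcm(key, blob), StandardCharsets.UTF_8));

        // Flip one ciphertext byte. CBC/PKCS5Padding has no authentication tag, so
        // such a change yields altered plaintext or at best a padding error; GCM rejects it.
        blob[blob.length - 1] ^= 0x01;
        try {
            decryptGcm(key, blob);
            System.out.println("unexpected: tampering not detected");
        } catch (AEADBadTagException e) {
            System.out.println("tampering detected: " + e.getMessage());
        }
    }
}
```

Compile and run with javac/java; the first line printed is the round-tripped plaintext and the second reports the rejected tampered blob. The cbcThroughParameter path is kept only to show the data flow the report describes and is not exercised by main.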


Hi again @RJerrica,

Thanks a lot for reporting this, it seems like an FN indeed. This might be due to how we modeled string states within the detection logic.

I am going to create the necessary action items to fix this.

Cheers,

Loris