An inconsistent behaviour in SonarQube S2053

  • What language is this for? - Java

  • Which rule? - S2053

  • Why do you believe it’s a false-positive/false-negative?

    • In the provided program, SonarQube issued a warning for line 8 but not for line 7, even though both lines are functionally equivalent. This discrepancy suggests a possible false positive or false negative in SonarQube’s analysis.
  • Are you using

    • SonarQube Server / Community Build - which version? - Latest
  • How can we reproduce the problem? Give us a self-contained snippet of code (formatted text, no screenshots)

import javax.crypto.spec.PBEParameterSpec;

public class Main {
  public static void main(String[] args) {
    final byte[] salt1 = {115, 97, 108, 116, 121};
    final byte[] salt2 = "salty".getBytes();
    PBEParameterSpec cipherSpec1 = new PBEParameterSpec(salt1, 10000); // Noncompliant, but SonarQube reports no warning
    PBEParameterSpec cipherSpec2 = new PBEParameterSpec(salt2, 10000); // Noncompliant, and SonarQube reports a warning
  }
}

Hi @RJerrica and welcome to these forums! :tada:

This is indeed a common way of creating salt and we should detect that. I am going to create the necessary action items to fix this. I am pretty sure we have another detection rule which actually detects that, so... that situation is weird.

Cheers,

Loris