With Sonar EE 8.9 I have a project with an issue with a legacy cipher (DES). It is detected as a deprecated rule. The rule claims it is replaced by another. Both rules are active in the project's profile, and in fact I get hits for the new rule in other places. I wonder:
- does the new rule find the problem as well, even if it does not show up in the issues list (i.e. does Sonar only show one (random?) rule if there are multiple matches, and would it show the other rule if I disabled the deprecated one)?
- can I therefore safely remove the deprecated rule from the profile?
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;

private static final String SYMMETRIC_ALGORITHM = "DES"; // field holding the legacy algorithm name
...
SecretKeySpec secretKey = new SecretKeySpec(key, SYMMETRIC_ALGORITHM); // key is a byte[]
Cipher encoder = Cipher.getInstance(SYMMETRIC_ALGORITHM); // the call flagged by the deprecated rule
- Found: Use the recommended AES (Advanced Encryption Standard) instead. (java:S2278) Neither DES (Data Encryption Standard) nor DESede (3DES) should be used
- Not Found: Use a strong cipher algorithm. (java:S5547) Cipher algorithms should be robust
The place where the new rule is found has a literal cipher name; in my deprecated case it is a final constant. I'm not sure if this is the difference?
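As an added example (not the poster's code, and not a statement of how SonarJava resolves constants), the following class puts the two forms the question compares side by side, the algorithm name as a string literal and as a `static final` constant passed to `Cipher.getInstance`, next to the replacement the deprecated rule points at: AES in GCM mode with a fresh random nonce per message. The class name `CipherVariants`, the method names and the sample plaintext are assumptions chosen for this illustration.

```java
// Added example, not code from the original post: the literal and constant
// forms of the legacy call next to an AES/GCM replacement. Class and method
// names are assumptions for illustration.
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;

public class CipherVariants {

    // Variant 1: the legacy algorithm name as a string literal at the call site.
    static Cipher legacyLiteral() throws GeneralSecurityException {
        return Cipher.getInstance("DES");
    }

    // Variant 2: the same algorithm name supplied through a constant, as in the question.
    private static final String SYMMETRIC_ALGORITHM = "DES";
    static Cipher legacyConstant() throws GeneralSecurityException {
        return Cipher.getInstance(SYMMETRIC_ALGORITHM);
    }

    // Replacement: AES-256 in GCM mode. A new random 12-byte nonce per message,
    // a 128-bit authentication tag, and the nonce sent in front of the ciphertext.
    private static final String AES_GCM = "AES/GCM/NoPadding";
    private static final int NONCE_BYTES = 12;
    private static final int TAG_BITS = 128;

    static byte[] encrypt(SecretKey key, byte[] plaintext) throws GeneralSecurityException {
        byte[] nonce = new byte[NONCE_BYTES];
        new SecureRandom().nextBytes(nonce);
        Cipher cipher = Cipher.getInstance(AES_GCM);
        cipher.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, nonce));
        byte[] ciphertext = cipher.doFinal(plaintext);
        byte[] out = new byte[NONCE_BYTES + ciphertext.length];
        System.arraycopy(nonce, 0, out, 0, NONCE_BYTES);
        System.arraycopy(ciphertext, 0, out, NONCE_BYTES, ciphertext.length);
        return out;
    }

    static byte[] decrypt(SecretKey key, byte[] message) throws GeneralSecurityException {
        byte[] nonce = Arrays.copyOfRange(message, 0, NONCE_BYTES);
        byte[] ciphertext = Arrays.copyOfRange(message, NONCE_BYTES, message.length);
        Cipher cipher = Cipher.getInstance(AES_GCM);
        cipher.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, nonce));
        // doFinal throws AEADBadTagException if the ciphertext or nonce was altered.
        return cipher.doFinal(ciphertext);
    }

    public static void main(String[] args) throws GeneralSecurityException {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey key = kg.generateKey();
        byte[] msg = "constructed sample plaintext".getBytes(StandardCharsets.UTF_8); // constructed input
        byte[] wire = encrypt(key, msg);
        byte[] back = decrypt(key, wire);
        System.out.println(Arrays.equals(msg, back) ? "round trip ok" : "mismatch");
    }
}
```

Scanning a class like this in the same profile gives a direct check of the question: if `java:S5547` reports `legacyLiteral()` but not `legacyConstant()`, the constant form is what the newer rule misses and the deprecated rule is still doing work; if both are reported, the deprecated rule can be retired from the profile without losing coverage of this pattern.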