Deprecated rule java:S2278 (DES) and the replacement

With Sonar EE 8.9 I have a project with an issue with a legacy cipher (DES). It is detected by a deprecated rule. The rule claims it is replaced by another. Both rules are active in the project's profile, and in fact I get hits for the new rule in other places. I wonder:

  • does the new rule find the problem as well, even if it does not show up in the issues list (i.e. is Sonar only showing one (random?) rule if multiple rules match, and would it show the other rule if I disable the deprecated one)?
  • can I therefore safely remove the deprecated rule from the profile?

```java
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;

    private static final String SYMMETRIC_ALGORITHM = "DES"; // field holding the cipher name
    ...
        SecretKeySpec secretKey = new SecretKeySpec(key, SYMMETRIC_ALGORITHM);
        Cipher encoder = Cipher.getInstance(SYMMETRIC_ALGORITHM); // the line that gets flagged
```

  • Found: Use the recommended AES (Advanced Encryption Standard) instead. (java:S2278, "Neither DES (Data Encryption Standard) nor DESede (3DES) should be used")
  • Not Found: Use a strong cipher algorithm. (java:S5547, "Cipher algorithms should be robust")

The place where the new rule is found has a literal cipher name; in my deprecated case it is a final constant. Not sure if this is the difference?

Hm, maybe the problem resolved itself: it looks like the scan had not been running since the profile change, so the new profile has the new rule and it is found.

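For anyone landing here with the same finding, below is an added example (not code from the original post or from SonarSource) that puts the flagged legacy pattern next to the replacement both rules ask for. The DES helper keeps the exact shape from the question (algorithm name held in a `static final` constant, `Cipher.getInstance` with only the algorithm name, which the SunJCE provider resolves to DES/ECB/PKCS5Padding), so it is the noncompliant form on purpose. The AES helper uses AES-256 in GCM mode with an explicit transformation string and a fresh random 12-byte nonce per message, which is the usual "use AES instead" fix and also gives you integrity checking that DES/ECB never had. Class and method names are my own; the sample plaintext is constructed for the demo.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class CipherMigration {

    // Legacy form from the question: algorithm name in a constant rather than a literal.
    // Noncompliant for java:S2278 / java:S5547: 56-bit key, and "DES" alone means DES/ECB/PKCS5Padding.
    private static final String SYMMETRIC_ALGORITHM = "DES";

    static byte[] encryptLegacyDes(byte[] key, byte[] plaintext) throws Exception {
        SecretKeySpec secretKey = new SecretKeySpec(key, SYMMETRIC_ALGORITHM); // key must be 8 bytes
        Cipher encoder = Cipher.getInstance(SYMMETRIC_ALGORITHM);
        encoder.init(Cipher.ENCRYPT_MODE, secretKey);
        return encoder.doFinal(plaintext);
    }

    // Replacement: AES-256/GCM, explicit transformation, random nonce per message, 128-bit tag.
    private static final String AES_GCM = "AES/GCM/NoPadding";
    private static final int GCM_NONCE_BYTES = 12;
    private static final int GCM_TAG_BITS = 128;
    private static final SecureRandom RNG = new SecureRandom();

    static SecretKey newAesKey() throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        return kg.generateKey();
    }

    // Output layout: nonce || ciphertext || tag (GCM appends the tag to the ciphertext).
    static byte[] encryptAesGcm(SecretKey key, byte[] plaintext) throws Exception {
        byte[] nonce = new byte[GCM_NONCE_BYTES];
        RNG.nextBytes(nonce); // never reuse a nonce under the same key
        Cipher cipher = Cipher.getInstance(AES_GCM);
        cipher.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(GCM_TAG_BITS, nonce));
        byte[] ct = cipher.doFinal(plaintext);
        byte[] out = new byte[nonce.length + ct.length];
        System.arraycopy(nonce, 0, out, 0, nonce.length);
        System.arraycopy(ct, 0, out, nonce.length, ct.length);
        return out;
    }

    static byte[] decryptAesGcm(SecretKey key, byte[] blob) throws Exception {
        byte[] nonce = Arrays.copyOfRange(blob, 0, GCM_NONCE_BYTES);
        byte[] ct = Arrays.copyOfRange(blob, GCM_NONCE_BYTES, blob.length);
        Cipher cipher = Cipher.getInstance(AES_GCM);
        cipher.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(GCM_TAG_BITS, nonce));
        return cipher.doFinal(ct); // throws AEADBadTagException if nonce, ciphertext or tag was altered
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input for the demo.
        byte[] msg = "account=12345;amount=100".getBytes(StandardCharsets.UTF_8);
        SecretKey key = newAesKey();
        byte[] blob = encryptAesGcm(key, msg);
        byte[] back = decryptAesGcm(key, blob);
        System.out.println("AES-GCM round trip ok: " + Arrays.equals(msg, back));

        // Flip one ciphertext bit: GCM rejects it, whereas DES/ECB would silently return garbage.
        blob[blob.length - 1] ^= 0x01;
        try {
            decryptAesGcm(key, blob);
            System.out.println("tamper NOT detected");
        } catch (AEADBadTagException e) {
            System.out.println("tamper detected: " + e.getMessage());
        }
    }
}
```

After swapping in the AES helper and deleting `encryptLegacyDes`, both java:S2278 and java:S5547 go quiet on this file, and you can drop the deprecated rule from the profile without losing coverage for this pattern; re-run the scan after the profile change, since, as noted above, a stale scan is what made the new rule look like it was not matching.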