False Negative: Weak Algorithm Spec with String replace to be used with Cipher not reported

We ran SonarQube with Java to scan the following code snippet:

package com.minimals.Cipher.stringReplace;
import java.security.NoSuchAlgorithmException;

import javax.crypto.Cipher;
import javax.crypto.NoSuchPaddingException;

public class CipherExample {
    public static void main(String[] args) 
    throws NoSuchAlgorithmException, NoSuchPaddingException {
        Cipher c = Cipher.getInstance("DE$S".replace("$", ""));

        System.out.println(c.getAlgorithm());
    }
}

We scanned the source Java file using Docker. The command we used is:

sonar-scanner \
  -Dsonar.projectKey={PROJECT NAME} \
  -Dsonar.sources=. \
  -Dsonar.host.url=http://localhost:9000 \
  -Dsonar.login={PROJECT KEY}

However, while it is possible to statically compute the value to be passed to Cipher.getInstance(), SonarQube does not report it.

Of course, SonarQube reports the issue when DES is used directly, such as:

Cipher c = Cipher.getInstance("DES");

in a similar source file.

That is why I think it is a false negative.

Additional Details

Language: Java
Rule: java:S5547, java:S5542
Product Details:
SonarQube Community Edition Version - 9.6.1
Sonar Scanner Version - 4.7
Java Version - Java 11.0.14.1 Eclipse Adoptium (64-bit)
Operating System - MacOS Monterey version 12.6
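Since a static rule can be bypassed by building the algorithm name at runtime (as the replace() call above does), one defensive complement is a runtime guard that inspects the name Cipher actually resolved. The following is an added example, not code from the original post or from SonarQube; the WeakCipherGuard class and its denylist are assumptions chosen for illustration.

```java
import java.security.GeneralSecurityException;
import java.security.NoSuchAlgorithmException;
import java.util.Locale;
import java.util.Set;

import javax.crypto.Cipher;

// Added example (not from the original post): checks the algorithm that Cipher
// resolved, so an obfuscated transformation such as "DE$S".replace("$", "")
// is rejected at runtime even when static analysis does not flag it.
public final class WeakCipherGuard {

    // Hypothetical denylist of base algorithms a policy would forbid.
    private static final Set<String> WEAK =
            Set.of("DES", "DESEDE", "RC2", "RC4", "ARCFOUR", "BLOWFISH");

    /** Returns a Cipher for the transformation, or throws if it resolves to a weak algorithm. */
    public static Cipher getInstance(String transformation) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance(transformation);
        // getAlgorithm() returns the resolved transformation, e.g. "DES" or
        // "AES/GCM/NoPadding"; the base algorithm is the part before the first '/'.
        String algorithm = c.getAlgorithm().split("/", 2)[0].trim().toUpperCase(Locale.ROOT);
        if (WEAK.contains(algorithm)) {
            throw new NoSuchAlgorithmException("weak cipher algorithm rejected: " + algorithm);
        }
        return c;
    }

    public static void main(String[] args) throws GeneralSecurityException {
        // Same obfuscated string as in the report; the guard sees the resolved "DES".
        try {
            getInstance("DE$S".replace("$", ""));
            System.out.println("unexpected: DES was accepted");
        } catch (NoSuchAlgorithmException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        // An acceptable transformation passes through unchanged.
        System.out.println("accepted: " + getInstance("AES/GCM/NoPadding").getAlgorithm());
    }
}
```

The same check can be run in a unit test over every Cipher the code base constructs, which catches names assembled from fragments, configuration, or string operations that a constant-folding rule never sees.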

Hi,

Thanks for this report!

SonarQube 9.6 is officially EOL. Can you upgrade to the Latest / current LTS: 9.9, and see if this is still replicable?

I know I’ve replied the same thing to two or three of your posts in a row, but we really do make strides with each release so we need to be sure this is still a problem in the current version first.

Thx,
Ann

Hi Ann,

I know I just replied something similar in another post. I can confirm that this issue also still persists on SonarQube 9.9 and is replicable. Let me know if there is any other information you or the team may need.

Thanks,
Scott


Thanks for the report @scttmars.

Because this looks very similar to this community post, I have taken the liberty to amend the ticket to cover calls to replace.

Cheers,

Dorian