False Negative: Weak Algorithm Spec with String replace to be used with Cipher not reported

scttmars · March 22, 2023, 8:57pm

We ran SonarQube with Java to scan the following code snippet:

package com.minimals.Cipher.stringReplace;
import java.security.NoSuchAlgorithmException;

import javax.crypto.Cipher;
import javax.crypto.NoSuchPaddingException;

public class CipherExample  {
    public static void main(String[] args) 
    throws NoSuchAlgorithmException, NoSuchPaddingException {
        Cipher c = Cipher.getInstance("DE$S".replace("$", ""));

        System.out.println(c.getAlgorithm());
    }
}

We scanned the source Java file using the docker. The command we used is:

sonar-scanner \
  -Dsonar.projectKey={PROJECT NAME} \
  -Dsonar.sources=. \
  -Dsonar.host.url=http://localhost:9000 \
  -Dsonar.login={PROJECT KEY}

However, while it is possible to statically compute the value to be passed to Cipher.getInstance(), SonarQube does not report it.

Of course, SonarQube reports the issue when DES is used directly, such as:

Cipher c = Cipher.getInstance("DES");

in a similar source file.

Which is why I think it is a false negative.

Additional Details

Language: Java
Rule: java:S5547, java:S5542
Product Details:
SonarQube Community Edition Version - 9.6.1
Sonar Scanner Version - 4.7
Java Version - Java 11.0.14.1 Eclipse Adoptium (64-bit)
Operating System - MacOS Monterey version 12.6
SonarQube Community Edition Version - 9.6.1
Sonar Scanner Version - 4.7
Java Version - Java 11.0.14.1 Eclipse Adoptium (64-bit)
Operating System - MacOS Monterey version 12.6

ganncamp · March 24, 2023, 5:23pm

Hi,

Thanks for this report!

SonarQube 9.6 is officially EOL. Can you upgrade to the Latest / current LTS: 9.9, and see if this is still replicable?

I know I’ve replied the same thing to ~~two~~ three of your posts in a row, but we really do make strides with each release so we need to be sure this is still a problem in the current version first.

Thx,
Ann

scttmars · March 24, 2023, 9:12pm

Hi Ann,

I know I just replied something similar in another post. I can confirm that this issue also still persists on SonarQube 9.9 and is replicable. Let me know if there is any other information you or the team may need.

Thanks,
Scott

Dorian_Burihabwa · April 7, 2023, 2:52pm

Thanks for the report @scttmars.

Because this looks very similar to this community post, I have taken the liberty to amend the ticket to cover calls to replace.

Cheers,

Dorian

Topic		Replies	Views
False Negative: Weak Algorithm Spec with Different Case to be used with Cipher is not reported Report False-positive / False-negative... java , sonarqube , scanner	3	372	April 3, 2023
False Negative: Weak Algorithm Spec from Object changed Inter-procedurally is not reported Report False-positive / False-negative... java , sonarqube , scanner	3	467	April 7, 2023
False Negative: Weak Algorithm Spec from Object to be used with Cipher is not reported Report False-positive / False-negative... java , sonarqube , security-hotspot	4	1115	May 3, 2023
False positive or false negative? I don't care which but consistency would be real nice as a minimum SonarQube Server / Community Build java , sonarqube , security	3	1101	August 31, 2020
False Negative: Weak Hashing Spec from Object to be used with MessageDigest is not reported Report False-positive / False-negative... java , sonarqube , security-hotspot	3	906	April 3, 2023

False Negative: Weak Algorithm Spec with String replace to be used with Cipher not reported

Related topics