False positive for Unsafe comparison of hash that are susceptible to timing attack

Thierry_Morel · June 17, 2020, 4:35pm

Reference CWE-203: Information Exposure Through DiscrepancyKey
(https://cwe.mitre.org/data/definitions/203.html)

SonarQube Scanner For Maven Version : 3.7.0.1746

Sonar consider some strings are hash and report an unsafe comparison of hash that are susceptible to timing attack whereas it is some randomly generated strings (uuid) (exemple of code generating the issue.)

//if no share match shareId return exception
if (foundFile.getShares().stream().noneMatch(a -> a.getShareId().equals(shareId))) {
		throw new ShareUnknownException(String.format("Unknown share identifier: %s", shareId));
}

I can’t explain why the shareId string is considered as a hash.
Any idea ?
Regards

Quentin · June 18, 2020, 1:54pm

Hello @Thierry_Morel,

I’m confused, I not sure what rule you are talking about. You are talking about java right?

Can you provide the name of the rule, eventually the key or the message displayed?

Thanks

Thierry_Morel · June 18, 2020, 3:38pm

Hello Quentin,
thanks for replying. Yes, I’m talking about Java.
the name of the rule seems to be findsecbugs:UNSAFE_HASH_EQUALS
here is a screenshot

Quentin · June 18, 2020, 3:54pm

Thanks for the follow-up.

I understand better why I didn’t recognize the rule, in fact, it is coming from the findsecbugs plugin.
Since we are not the maintainers of this plugin, I can not help you further. I would suggest reporting this issue directly to them.

Thierry_Morel · June 19, 2020, 9:55am

Thanks Quentin I’ll do that

system · June 26, 2020, 9:55am

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.