FP on S3329 (Cipher IV unpredictable) on DECRYPT_MODE if IV variable declaration is split from definition

  • Sonarqube 9.3, sonarscanner 4.6.2.2472
  • executed a sample unit test on sonar-java:7.7.0.28547 and master(e68299fa)

If variable declaration is split from definition, then there is a false positive on S3329 even though Cipher uses DECRYPT_MODE. It’s related to [SONARJAVA-4122] S3329 should not raise an issue for Cipher.DECRYPT_MODE - SonarSource.
I tried to add the following two test cases to the CipherBlockChainingCheck.java test class. They both fail. The first one is very simple, just to illustrate the problem. The second one illustrates a more real-life scenario that I have, where the IV is initialized based on a condition.

static void decryptImpl11(byte[] biv, SecretKeySpec ks) throws Exception {
  AlgorithmParameterSpec spec; // declared here, assigned below
  spec = new IvParameterSpec(biv); // Compliant
  Cipher
    .getInstance(OPERATION_MODE, "BC")
    .init(Cipher.DECRYPT_MODE, ks, spec);
}

static void decryptImpl12(byte[] biv, SecretKeySpec ks) throws Exception {
  AlgorithmParameterSpec spec; // declared here, assigned in one branch below
  if(true){
    spec = new IvParameterSpec(biv); // Compliant
  }else{
    // some other type of initialization
  }
  Cipher
    .getInstance(OPERATION_MODE, "BC")
    .init(Cipher.DECRYPT_MODE, ks, spec);
}
1 Like
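For readers who land here from the rule description rather than from the analyzer code: the point of S3329 is that in ENCRYPT_MODE a CBC IV must be fresh and unpredictable for every message, while in DECRYPT_MODE the IV is simply whatever the sender used and is read back from the message, so its predictability is irrelevant. The following is an added, self-contained example (it is not code from this thread, from sonar-java or from the SonarSource rule) showing both sides of that distinction with the default JCE provider instead of the "BC" provider used in the reproducer above, and reusing the "declare, then assign" shape of the IV that triggered the false positive. Class and method names are my own.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.security.spec.AlgorithmParameterSpec;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;

public class CbcIvDemo {
    // Assumed transformation; the reproducer's OPERATION_MODE is not shown in the thread.
    private static final String TRANSFORMATION = "AES/CBC/PKCS5Padding";
    private static final int IV_LEN = 16; // AES block size
    private static final SecureRandom RNG = new SecureRandom();

    // ENCRYPT_MODE: a fresh random IV per message, prepended to the ciphertext
    // so the receiver can recover it. This is what S3329 wants to see.
    static byte[] encrypt(SecretKey key, byte[] plaintext) throws Exception {
        byte[] iv = new byte[IV_LEN];
        RNG.nextBytes(iv); // Compliant: unpredictable IV
        Cipher c = Cipher.getInstance(TRANSFORMATION);
        c.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(iv));
        byte[] ct = c.doFinal(plaintext);
        return ByteBuffer.allocate(IV_LEN + ct.length).put(iv).put(ct).array();
    }

    // DECRYPT_MODE: the IV comes from the message. It is not chosen here, so
    // there is nothing for the rule to complain about, regardless of whether
    // the IvParameterSpec is built in a variable initializer or in a later assignment.
    static byte[] decrypt(SecretKey key, byte[] ivAndCt) throws Exception {
        if (ivAndCt.length < IV_LEN) {
            throw new IllegalArgumentException("message shorter than one IV");
        }
        byte[] iv = Arrays.copyOfRange(ivAndCt, 0, IV_LEN);
        byte[] ct = Arrays.copyOfRange(ivAndCt, IV_LEN, ivAndCt.length);
        AlgorithmParameterSpec spec;     // declaration split from assignment,
        spec = new IvParameterSpec(iv);  // the shape reported as a false positive above
        Cipher c = Cipher.getInstance(TRANSFORMATION);
        c.init(Cipher.DECRYPT_MODE, key, spec);
        return c.doFinal(ct);
    }

    // ENCRYPT_MODE with a constant IV: the real defect the rule exists to catch.
    // Equal plaintexts under the same key now produce equal ciphertexts.
    static byte[] encryptWithFixedIv(SecretKey key, byte[] plaintext) throws Exception {
        byte[] iv = new byte[IV_LEN]; // all zeros, reused for every message
        Cipher c = Cipher.getInstance(TRANSFORMATION);
        c.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(iv)); // Noncompliant
        return c.doFinal(plaintext);
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey key = kg.generateKey();
        byte[] msg = "same plaintext twice".getBytes(StandardCharsets.UTF_8);

        byte[] a = encrypt(key, msg);
        byte[] b = encrypt(key, msg);
        System.out.println("random IV, ciphertexts differ: " + !Arrays.equals(a, b));
        System.out.println("round trip ok: " + Arrays.equals(msg, decrypt(key, a)));

        byte[] x = encryptWithFixedIv(key, msg);
        byte[] y = encryptWithFixedIv(key, msg);
        System.out.println("fixed IV, ciphertexts identical: " + Arrays.equals(x, y));
    }
}
```

Compile and run with `javac CbcIvDemo.java && java CbcIvDemo`; the two `encrypt` calls yield different ciphertexts for the same input, the round trip recovers the plaintext through the "declare, then assign" IV path, and the fixed-IV variant leaks plaintext equality by producing identical ciphertexts.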

Hey @heaven!

Thanks for your patience and for the very precise reproducer!

Indeed, while fixing SONARJAVA-4122, we (well, I…) completely forgot the trivial case of assigning the IV to a variable defined elsewhere… and focused on variable initializers.

This is a valid FP which we should have never let go through.
Here is the ticket to fix it: [SONARJAVA-4193] FP on S3329 in case of simple assignments of the IV - SonarSource

I’m sorry for the inconvenience, the fix is coming, and thanks a lot for the report! It helps!

Cheers,
Michael

2 Likes

Hey,
I just installed 9.4 and I can state that the problem is resolved.
Thanks a lot.

1 Like
