- Sonarqube 9.3, sonarscanner 4.6.2.2472
- executed a sample unit test on sonar-java:7.7.0.28547 and master(e68299fa)
If the variable declaration is split from its definition, there is a false positive on S3329 even though the Cipher uses DECRYPT_MODE. It's related to [SONARJAVA-4122] S3329 should not raise an issue for Cipher.DECRYPT_MODE - SonarSource.
I tried to add the following two test cases to the CipherBlockChainingCheck.java test class. They both fail. The first one is very simple, just to illustrate the problem. The second one illustrates a more real-life scenario that I have, where the IV is initialized based on a condition.
static void decryptImpl11(byte[] biv, SecretKeySpec ks) throws Exception {
    // Declaration and assignment on separate statements; the IV is received, not generated here.
    AlgorithmParameterSpec spec;
    spec = new IvParameterSpec(biv); // Compliant
    Cipher
        .getInstance(OPERATION_MODE, "BC")
        .init(Cipher.DECRYPT_MODE, ks, spec);
}

static void decryptImpl12(byte[] biv, SecretKeySpec ks) throws Exception {
    // Same split, but the assignment happens inside a conditional branch.
    AlgorithmParameterSpec spec;
    if (true) {
        spec = new IvParameterSpec(biv); // Compliant
    } else {
        // some other type of initialization
    }
    Cipher
        .getInstance(OPERATION_MODE, "BC")
        .init(Cipher.DECRYPT_MODE, ks, spec);
}
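For context on why the decrypt side is compliant, here is an added round-trip example (not the poster's test code and not part of sonar-java): encryption generates a fresh SecureRandom IV, which is what S3329 checks for, while decryption simply reads the sender's IV from the front of the message using the same split declaration. It assumes the standard JDK provider and "AES/CBC/PKCS5Padding" in place of the "BC" provider and OPERATION_MODE constant used in the report.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.security.spec.AlgorithmParameterSpec;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;

public class CbcIvRoundTrip {
    // Assumption: default JDK provider instead of the "BC" provider from the report.
    private static final String OPERATION_MODE = "AES/CBC/PKCS5Padding";
    private static final int IV_LEN = 16; // AES block size

    // Encryption: the IV must be fresh and unpredictable; this is the case S3329 is meant to enforce.
    static byte[] encrypt(byte[] plaintext, SecretKey key) throws Exception {
        byte[] iv = new byte[IV_LEN];
        new SecureRandom().nextBytes(iv);
        Cipher c = Cipher.getInstance(OPERATION_MODE);
        c.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(iv));
        byte[] ct = c.doFinal(plaintext);
        byte[] out = new byte[IV_LEN + ct.length]; // IV travels with the ciphertext
        System.arraycopy(iv, 0, out, 0, IV_LEN);
        System.arraycopy(ct, 0, out, IV_LEN, ct.length);
        return out;
    }

    // Decryption: the IV is data received from the sender, not something to generate,
    // so DECRYPT_MODE with a split declaration (as in the report) is legitimate.
    static byte[] decrypt(byte[] message, SecretKey key) throws Exception {
        AlgorithmParameterSpec spec;
        spec = new IvParameterSpec(Arrays.copyOfRange(message, 0, IV_LEN));
        Cipher c = Cipher.getInstance(OPERATION_MODE);
        c.init(Cipher.DECRYPT_MODE, key, spec);
        return c.doFinal(Arrays.copyOfRange(message, IV_LEN, message.length));
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey key = kg.generateKey();
        byte[] msg = "constructed sample plaintext".getBytes(StandardCharsets.UTF_8); // constructed input
        byte[] wire = encrypt(msg, key);
        System.out.println("round trip ok: " + Arrays.equals(msg, decrypt(wire, key)));
    }
}
```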