Hello Java developers,
The Java analyzer was updated to detect more cryptography-related issues. Here are the rules that help in that field.
Vulnerability Detection:
- S5542: Encryption algorithms should be used with secure mode and padding scheme (Blocker)
- S4426: Cryptographic keys should be robust (Blocker)
- S5547: Cipher algorithms should be robust (Critical)
- S4830: Server certificates should be verified during SSL/TLS connections (Critical)
- S5527: Server hostnames should be verified during SSL/TLS connections (Critical)
- S4423: Weak SSL and TLS protocols should not be used (Major)
Security Hotspot Detection:
- S3330: Creating cookies without the “HttpOnly” flag is security-sensitive
- S2092: Creating cookies without the “secure” flag is security-sensitive
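As an added illustration (my own example, not code from this post or from the analyzer), here is the kind of code S5542, S5547 and S4426 target, beside a compliant form that uses AES/GCM with a 256-bit key and a fresh random IV; the noncompliant/compliant labels follow the rule titles above, and the helper and class names are my own:

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class CipherModes {

    // Constructed noncompliant form: ECB mode leaks plaintext patterns (S5542).
    // Note that Cipher.getInstance("AES") alone resolves to AES/ECB/PKCS5Padding on SunJCE.
    static byte[] encryptWeak(byte[] key, byte[] plaintext) throws Exception {
        Cipher cipher = Cipher.getInstance("AES/ECB/PKCS5Padding");
        cipher.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"));
        return cipher.doFinal(plaintext);
    }

    // Compliant form: authenticated mode (GCM), 128-bit tag, random 96-bit IV
    // prepended to the ciphertext so the receiver can recover it.
    static byte[] encryptAead(SecretKey key, byte[] plaintext, byte[] aad) throws Exception {
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, iv));
        cipher.updateAAD(aad);
        byte[] ct = cipher.doFinal(plaintext);
        byte[] out = new byte[iv.length + ct.length];
        System.arraycopy(iv, 0, out, 0, iv.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return out;
    }

    static byte[] decryptAead(SecretKey key, byte[] ivAndCt, byte[] aad) throws Exception {
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, ivAndCt, 0, 12));
        cipher.updateAAD(aad);
        return cipher.doFinal(ivAndCt, 12, ivAndCt.length - 12); // AEADBadTagException if tampered
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256); // robust key size (S4426); never a hard-coded key array
        SecretKey key = kg.generateKey();
        byte[] aad = "header-v1".getBytes(StandardCharsets.UTF_8); // constructed sample
        byte[] ct = encryptAead(key, "hello".getBytes(StandardCharsets.UTF_8), aad);
        System.out.println(new String(decryptAead(key, ct, aad), StandardCharsets.UTF_8));
    }
}
```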
A special effort has been made to fine-tune rule S2068, which detects hard-coded credentials. The idea is to not raise issues on code that is obviously not at risk, so you can spend your time reviewing truly security-sensitive code. For example, S2068 will no longer raise issues on:
- empty Strings:
String password = "";
- Strings that look like key declarations:
private static final String PASSWORD_INPUT = "[id='password']";
- database connection strings:
String query = "password=?";
For more information, you can check the changelog.
These features are already available on SonarCloud, and will be included in SonarQube 8.2.
Alex