S1313 false-positive with ASN.1 OID

java

(Simon Kissane) #1

Consider the following Java code:

import org.bouncycastle.asn1.ASN1ObjectIdentifier;
...
public static final ASN1ObjectIdentifier BasicConstraints = new ASN1ObjectIdentifier("2.5.29.19");

This reports S1313 (IP addresses should not be hardcoded), but this isn’t an IP address, it is an ASN.1 OID that looks like an IP address.

One way to improve the rule would be: if the statement contains certain keywords such as ASN1ObjectIdentifier, then don’t trigger the rule.

Also, for ASN.1 object identifiers, the first number is always in the range 0-2, whereas that number range is rarely used for IPv4 addresses (although as Cloudflare’s recent introduction of 1.1.1.1 as a public DNS service demonstrates, IPs with 0-2 in the first octet are not unheard of.) Also, the second number must be in the range 0-39 if the first number is 0 or 1 (that rule doesn’t apply if the first number is 2.)

Using org.sonarsource.scanner.gradle:sonarqube-gradle-plugin:2.6.2 in the build and on the server-side using Version 7.1 (build 11001), SonarJava 5.2 (build 13398)

If you are writing Java code to manage certificates (e.g. a Certificate Authority server), you are likely to hit this false positive, since ASN.1 OIDs are commonly used with certificates. (There are some other contexts in which they also occur, such as LDAP and SNMP, although in those cases the OIDs are generally longer and hence probably won’t be confused with an IPv4 address).

(To get the ASN1ObjectIdentifier class, you want to add ‘org.bouncycastle:bcprov-jdk15on:1.59’ to your Gradle build, or whatever the equivalent in Maven or whatever else is.)
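As an added illustration of the two heuristics proposed in this post (the ASN1ObjectIdentifier context keyword and the OID arc rules), not code from the original post or from SonarJava, here is a small Python checker that scans constructed Java source lines for dotted-quad string literals. The keyword list, the verdict labels and the sample lines are assumptions made for the example; a literal that satisfies the OID arc rules but has no OID context keyword is reported as ambiguous rather than silently dropped, because, as noted above, 1.1.1.1 passes those rules too.

```python
import re
from typing import List, Tuple

# Four-component dotted-decimal literal inside double quotes (constructed pattern).
DOTTED_QUAD = re.compile(r'"((?:\d{1,3}\.){3}\d{1,3})"')

# Hypothetical context keywords that mark a literal as an ASN.1 OID.
OID_CONTEXT_KEYWORDS = ("ASN1ObjectIdentifier",)


def is_ipv4(literal: str) -> bool:
    """True if the literal is four decimal components, each 0-255."""
    parts = literal.split(".")
    return len(parts) == 4 and all(p.isdigit() and 0 <= int(p) <= 255 for p in parts)


def satisfies_oid_arc_rules(literal: str) -> bool:
    """Structural OID rules from the post: first arc is 0-2; if the first arc
    is 0 or 1, the second arc is 0-39 (no second-arc limit when the first is 2)."""
    parts = literal.split(".")
    if len(parts) < 2 or not all(p.isdigit() for p in parts):
        return False
    first, second = int(parts[0]), int(parts[1])
    if first not in (0, 1, 2):
        return False
    if first in (0, 1) and second > 39:
        return False
    return True


def classify(literal: str) -> str:
    """Shape-only classification: 'ipv4', 'oid', 'ambiguous' (fits both) or 'neither'."""
    ip, oid = is_ipv4(literal), satisfies_oid_arc_rules(literal)
    if ip and oid:
        return "ambiguous"
    if ip:
        return "ipv4"
    if oid:
        return "oid"
    return "neither"


def find_hardcoded_ips(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line_no, literal, verdict) for every IPv4-shaped literal.
    Verdicts: 'flag', 'suppressed:context' (OID keyword on the line),
    'ambiguous:oid-shape' (passes the OID arc rules, no keyword)."""
    results = []
    for n, line in enumerate(lines, 1):
        for m in DOTTED_QUAD.finditer(line):
            lit = m.group(1)
            if not is_ipv4(lit):
                continue  # e.g. a component above 255 cannot be an IPv4 address
            if any(kw in line for kw in OID_CONTEXT_KEYWORDS):
                results.append((n, lit, "suppressed:context"))
            elif satisfies_oid_arc_rules(lit):
                results.append((n, lit, "ambiguous:oid-shape"))
            else:
                results.append((n, lit, "flag"))
    return results


# Constructed sample input resembling Java source lines.
SAMPLE_LINES = [
    'public static final ASN1ObjectIdentifier BasicConstraints = new ASN1ObjectIdentifier("2.5.29.19");',
    'String dns = "1.1.1.1";',
    'String server = "192.168.0.1";',
    'ASN1ObjectIdentifier sha256 = new ASN1ObjectIdentifier("2.16.840.1.101.3.4.2.1");',
    'String keyUsage = "2.5.29.15";',
]

if __name__ == "__main__":
    for line_no, literal, verdict in find_hardcoded_ips(SAMPLE_LINES):
        print(f"line {line_no}: {literal} -> {verdict}")
```

Running it over the sample shows the three cases the post distinguishes: the BasicConstraints literal is suppressed by the keyword, 192.168.0.1 is still flagged, and the longer SHA-256 OID never matches the dotted-quad pattern at all. Both 1.1.1.1 and the keyword-less 2.5.29.15 come back as ambiguous, which is exactly the residual overlap the arc rules alone cannot resolve.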


(Andrei Epure) #3

Thank you, Simon. We’ll have an internal talk about what we could do to improve the rule and let you know of our decision once we take it.

Regards,
Andrei


(Andrei Epure) #4

Hi, Simon. We’ve opened SONARJAVA-2798 to avoid FPs in such a situation.

Regards,
Andrei