ecb-cipher-java

Author: ESS-ENN

rules/java/security/ecb-cipher-java.yml

@@ -0,0 +1,17 @@
+id: ecb-cipher-java
+severity: warning
+language: java
+message: >-
+  Cipher in ECB mode is detected. ECB mode produces the same output for
+  the same input each time which allows an attacker to intercept and replay
+  the data. Further, ECB mode does not provide any integrity checking. See
+  https://find-sec-bugs.github.io/bugs.htm#CIPHER_INTEGRITY.
+note: >-
+  [CWE-327] Use of a Broken or Risky Cryptographic Algorithm.
+  [REFERENCES]
+      - https://owasp.org/Top10/A02_2021-Cryptographic_Failures
+rule:
+  pattern: Cipher $VAR = $CIPHER.getInstance($MODE);
+constraints:
+  MODE:
+    regex: .*ECB.*

tests/__snapshots__/ecb-cipher-java-snapshot.yml

@@ -0,0 +1,9 @@
+id: ecb-cipher-java
+snapshots:
+  ? |
+    Cipher c = Cipher.getInstance("AES/ECB/NoPadding");
+  : labels:
+    - source: Cipher c = Cipher.getInstance("AES/ECB/NoPadding");
+      style: primary
+      start: 0
+      end: 51

tests/java/ecb-cipher-java-test.yml

@@ -0,0 +1,7 @@
+id: ecb-cipher-java
+valid:
+  - |
+    Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
+invalid:
+  - |
+    Cipher c = Cipher.getInstance("AES/ECB/NoPadding");