use-of-blowfish

Author: Sakshis

rules/java/security/use-of-blowfish-java.yml

@@ -0,0 +1,50 @@
+id: use-of-blowfish-java
+severity: warning
+language: java
+message: >-
+  'Use of Blowfish was detected. Blowfish uses a 64-bit block size
+  that  makes it vulnerable to birthday attacks, and is therefore considered
+  non-compliant.  Instead, use a strong, secure cipher:
+  Cipher.getInstance("AES/CBC/PKCS7PADDING"). See
+  https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions
+  for more information.'
+note: >-
+  [CWE-327] Use of a Broken or Risky Cryptographic Algorithm.
+  [REFERENCES]
+      - https://owasp.org/Top10/A02_2021-Cryptographic_Failures
+      - https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html
+
+ast-grep-essentials: true
+rule:
+  kind: method_invocation
+  all:
+    - has:
+        kind: identifier
+        field: name
+        regex: ^getInstance$
+        nthChild:
+          position: 2
+          reverse: true
+    - has:
+        kind: argument_list
+        field: arguments
+        nthChild:
+          position: 1
+          reverse: true
+        has:
+          nthChild:
+            position: 1
+            ofRule:
+              not:
+                kind: line_comment
+          kind: string_literal
+          has:
+            kind: string_fragment
+            regex: ^Blowfish$
+        not:
+          has:
+            nthChild:
+              position: 2
+              ofRule:
+                not:
+                  kind: line_comment

tests/__snapshots__/use-of-blowfish-java-snapshot.yml

@@ -0,0 +1,52 @@
+id: use-of-blowfish-java
+snapshots:
+  ? |-
+    public void useofBlowfish2() {
+    Cipher.getInstance("Blowfish");
+    }
+  : labels:
+    - source: Cipher.getInstance("Blowfish")
+      style: primary
+      start: 31
+      end: 61
+    - source: getInstance
+      style: secondary
+      start: 38
+      end: 49
+    - source: Blowfish
+      style: secondary
+      start: 51
+      end: 59
+    - source: '"Blowfish"'
+      style: secondary
+      start: 50
+      end: 60
+    - source: ("Blowfish")
+      style: secondary
+      start: 49
+      end: 61
+  ? |
+    public void useofBlowfish2() {
+    useCipher(Cipher.getInstance("Blowfish"));
+    }
+  : labels:
+    - source: Cipher.getInstance("Blowfish")
+      style: primary
+      start: 41
+      end: 71
+    - source: getInstance
+      style: secondary
+      start: 48
+      end: 59
+    - source: Blowfish
+      style: secondary
+      start: 61
+      end: 69
+    - source: '"Blowfish"'
+      style: secondary
+      start: 60
+      end: 70
+    - source: ("Blowfish")
+      style: secondary
+      start: 59
+      end: 71

tests/java/use-of-blowfish-java-test.yml

@@ -0,0 +1,13 @@
+id: use-of-blowfish-java
+valid:
+  - |
+    crypto.Cipher.getInstance("AES");
+invalid:
+  - |
+     public void useofBlowfish2() {
+     useCipher(Cipher.getInstance("Blowfish"));
+     }
+  - |
+     public void useofBlowfish2() {
+     Cipher.getInstance("Blowfish");
+     }