Affects PMD Version: 6.42.0
Rule: InsecureCryptoIv
Link: https://pmd.github.io/pmd-6.42.0/pmd_rules_java_security.html#insecurecryptoiv
Description:
Hi, I found a false negative when I tried to use PMD to enhance code security. The minimal case is below. Our tool should report a warning at line 6, because the secret key originates from a constant string. This FN may lead to privacy information leakage.
Code Sample demonstrating the issue:
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class Example {
    public void func(SecretKeySpec key) {
        try {
            byte[] ivBytes, ivs;
            ivs = "hardcoded initial vector".getBytes(); // constant IV assigned after the declaration
            final IvParameterSpec iv = new IvParameterSpec(ivs); // should report a warning about this line
            final Cipher cipher = Cipher.getInstance("AES/CBC/NoPadding");
            // .......
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}
However, the following case can be detected:
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class Example {
    public void func(SecretKeySpec key) {
        try {
            byte[] ivBytes, ivs = "hardcoded initial vector".getBytes(); // can be detected
            final IvParameterSpec iv = new IvParameterSpec(ivs);
            final Cipher cipher = Cipher.getInstance("AES/CBC/NoPadding");
            // .......
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}
Expected outcome: A warning
PMD should report a violation at line 4, but doesn't. This is a false-negative.
Running PMD through: [Maven]
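For contrast with the two samples above, here is the IV handling the InsecureCryptoIv rule is meant to steer code towards. This is an added example, not code from the issue or from PMD itself; it assumes a hypothetical class RandomIvExample and switches to PKCS5Padding so plaintexts of any length round-trip, whereas the samples above use NoPadding.

```java
// Added example (not from the issue or PMD's own code): a fresh IV is drawn
// from SecureRandom for every encryption and stored in front of the ciphertext,
// so no constant byte[] ever reaches IvParameterSpec.
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class RandomIvExample {
    private static final int IV_LEN = 16; // AES block size in bytes
    private static final SecureRandom RNG = new SecureRandom();

    // Returns iv || ciphertext so the receiver can rebuild the IvParameterSpec.
    static byte[] encrypt(SecretKeySpec key, byte[] plaintext) throws Exception {
        byte[] ivs = new byte[IV_LEN];
        RNG.nextBytes(ivs); // fresh random IV per call, never a string constant
        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
        cipher.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(ivs));
        byte[] ct = cipher.doFinal(plaintext);
        return ByteBuffer.allocate(IV_LEN + ct.length).put(ivs).put(ct).array();
    }

    static byte[] decrypt(SecretKeySpec key, byte[] ivAndCt) throws Exception {
        byte[] ivs = Arrays.copyOfRange(ivAndCt, 0, IV_LEN);
        byte[] ct = Arrays.copyOfRange(ivAndCt, IV_LEN, ivAndCt.length);
        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
        cipher.init(Cipher.DECRYPT_MODE, key, new IvParameterSpec(ivs));
        return cipher.doFinal(ct);
    }

    public static void main(String[] args) throws Exception {
        // Constructed demo key; in real code the key comes from a KeyStore or a KDF.
        byte[] keyBytes = new byte[16];
        RNG.nextBytes(keyBytes);
        SecretKeySpec key = new SecretKeySpec(keyBytes, "AES");
        byte[] msg = "same plaintext".getBytes(StandardCharsets.UTF_8);
        byte[] c1 = encrypt(key, msg);
        byte[] c2 = encrypt(key, msg);
        // Same key and plaintext, different IVs: the ciphertexts must differ,
        // which is exactly what a hardcoded IV would break.
        System.out.println("ciphertexts differ: " + !Arrays.equals(c1, c2));
        System.out.println("roundtrip ok: " + Arrays.equals(decrypt(key, c1), msg));
    }
}
```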