-
Class: c.b.a.b.b
-
Method: b
-
Line: -1
-
Issue details: RequiredPredicateError-2
- RequiredPredicateError violating CrySL rule for javax.crypto.spec.IvParameterSpec.
-
First parameter was not properly generated as randomized.
Rodrigo Bonifácio rbonifacio
rbonifacio
/ MD05.java
Last active
October 9, 2022 13:39
Another message digest example involving fields. Again, CogniCrypt does not generate a warning for this example.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| package br.unb.cic; | |
| import java.security.MessageDigest; | |
| public class MD05 { | |
| private String algorithm; | |
| public MD05() { | |
| this.algorithm = "MD5"; | |
| } |
rbonifacio
/ MD04.java
Last active
October 9, 2022 13:34
This example uses a helper class for using a message digest. For this example, CogniCrypt does not raise any warning, even when we call the `withMD5()` method. Differently, CryptoGuard raises a warning, even we do not call the `withMD5()` method.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import java.security.MessageDigest; | |
| class MDHelper { | |
| String algorithm; | |
| static MDHelper instance; | |
| static MDHelper getInstance() { | |
| if(instance == null) { | |
| instance = new MDHelper(); |
rbonifacio
/ CipherTest02.java
Created
July 20, 2022 21:04
This code still raises a cognicrypt warning.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| package br.unb.cic; | |
| import javax.crypto.Cipher; | |
| import javax.crypto.KeyGenerator; | |
| import javax.crypto.SecretKey; | |
| import javax.crypto.spec.GCMParameterSpec; | |
| import java.security.SecureRandom; | |
| public class CipherTest02 { |
rbonifacio
/ MD01.java
Last active
July 13, 2022 13:27
Example of code from the OwaspBenchmark that is leading CogniCrypt to report many false positives.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| package br.unb.cic; | |
| import java.security.MessageDigest; | |
| public class MD01 { | |
| private static final String INPUT = "This is my banking password"; | |
| public static void main(String args[]) { | |
| try { |
rbonifacio
/ CipherTest03.java
Created
July 5, 2022 13:57
Code based on a CryptoAnalys test case. CogniCrypt still raises a warning.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| public static void main(String args[]) throws Exception { | |
| KeyGenerator keyGenerator0 = KeyGenerator.getInstance("AES"); | |
| SecretKey secretKey = keyGenerator0.generateKey(); | |
| int num = 2024; | |
| SecureRandom secureRandom0 = SecureRandom.getInstance("SHA1PRNG"); | |
| byte[] genSeed = secureRandom0.generateSeed(num); | |
| GCMParameterSpec gCMParameterSpec0 = new GCMParameterSpec(96, genSeed); |
rbonifacio
/ CipherTest01.java
Last active
July 5, 2022 13:40
This code still raises a cognicrypt warning.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| public static void main(String args[]) throws Exception { | |
| SecureRandom random = new SecureRandom(); | |
| byte[] iv = random.generateSeed(16); | |
| SecretKey key = KeyGenerator.getInstance("AES").generateKey(); | |
| GCMParameterSpec paramSpec = new GCMParameterSpec(16 * 8, iv); | |
| Cipher c = Cipher.getInstance("AES/GCM/NoPadding"); |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| @Test | |
| public void testFindClassName() { | |
| String location = "br.unb.cic.mop.bench02.brokenhash.BrokenHashABICase8.go(BrokenHashABICase8.java:25)"; | |
| Pattern pattern = Pattern.compile("([\\w+\\.]+)[.]([a-zA-Z]+)\\(.+\\)"); | |
| Matcher matcher = pattern.matcher(location); | |
| Assert.assertTrue(matcher.matches()); | |
| Assert.assertEquals("br.unb.cic.mop.bench02.brokenhash.BrokenHashABICase8", matcher.group(1)); | |
| } |
rbonifacio
/ cc05.md
Created
December 19, 2021 17:36
rbonifacio
/ cc04.md
Created
December 19, 2021 15:08
rbonifacio
/ cc03.md
Last active
December 19, 2021 12:47
-
Class: org.bouncycastle.x509.AttributeCertificateHolder
-
Method: match
-
Line: -1
-
Issue details: TypestateError
- TypestateError violating CrySL rule for java.security.MessageDigest.
-
Unexpected call to method on object of type java.security.MessageDigest. Expect a call to one of the following methods java.security.MessageDigest: void update(byte[],int,int),java.security.MessageDigest: void update(java.nio.ByteBuffer),java.security.MessageDigest: byte[] digest(byte[]),java.security.MessageDigest: void update(byte[]),java.security.MessageDigest: void update(byte).
NewerOlder