
Generated code causes analysis findings #305

Open
AnakinRaW opened this issue Jul 26, 2019 · 4 comments


@AnakinRaW (Contributor):

In the (current) version 1.0.0.201905151726, the generated code (Encode Password for Secure Storage) produces an Insecure Class Composition Problem, "Second parameter was not properly generated as randomized", on the line:
PBEKeySpec spec = new PBEKeySpec(pwd, salt, 65536, 224);

In my opinion, code generated by the same plugin should not have any findings.

@kruegers (Member) assigned @enriozuni
@enriozuni (Contributor):

I have tried the code generation on my machine and reproduced the error as shown in the image below:

[image: pass_storage_error_marker]

However, the generated code is not insecure, because the salt in our example does not need to be randomized: the whole operation in this method is about verifying the password hash, after the initial password hash has been created and securely stored somewhere.

After a short discussion with @AndreSonntag, a fix for the insecure findings would be to use the Predicate Ensurer fix, as shown in the image below:

[image: pass_storage_error_marker_fix]

@kruegers, a last question remains: whether to include the fix presented above in the code template itself, or just leave it as it is.
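The distinction made in the comment above is the crux of the finding: a CrySL-style rule on PBEKeySpec expects the salt argument to come from a secure random source, which is right when a password hash is first created but not when an existing hash is verified, where the salt must be the one read back from storage. The following is an added example that is not part of CogniCrypt's code template or of this issue; it shows both halves of that flow side by side. It assumes PBKDF2WithHmacSHA256 with a 256-bit output (the issue only shows the iteration count, 65536, and a 224-bit length, and does not name the algorithm), a 16-byte salt, and a simple "salt:hash" record format; the class and method names are made up for the illustration.

```java
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

/**
 * Illustrative password storage (example code, not CogniCrypt's template).
 * Creation draws a fresh random salt; verification reuses the stored salt.
 */
public final class PasswordStorageExample {
    // Assumed algorithm and output length; the issue does not specify them.
    private static final String ALGORITHM = "PBKDF2WithHmacSHA256";
    private static final int KEY_BITS = 256;
    // Iteration count taken from the issue's generated line.
    private static final int ITERATIONS = 65536;
    private static final int SALT_BYTES = 16;
    private static final SecureRandom RNG = new SecureRandom();

    /** Creation: the salt MUST be freshly randomized here. Returns "base64(salt):base64(hash)". */
    public static String hashForStorage(char[] pwd) throws Exception {
        byte[] salt = new byte[SALT_BYTES];
        RNG.nextBytes(salt);
        byte[] hash = derive(pwd, salt);
        return Base64.getEncoder().encodeToString(salt) + ":" + Base64.getEncoder().encodeToString(hash);
    }

    /** Verification: the salt is read from the stored record, not generated. */
    public static boolean verify(char[] pwd, String stored) throws Exception {
        String[] parts = stored.split(":", 2);
        if (parts.length != 2) {
            return false; // malformed record, treat as a failed verification
        }
        byte[] salt = Base64.getDecoder().decode(parts[0]);
        byte[] expected = Base64.getDecoder().decode(parts[1]);
        byte[] actual = derive(pwd, salt);
        try {
            // Constant-time comparison so the response time does not leak matching prefixes.
            return MessageDigest.isEqual(expected, actual);
        } finally {
            Arrays.fill(actual, (byte) 0);
        }
    }

    /** Shared derivation; this is the PBEKeySpec call the analysis flags in the verification path. */
    private static byte[] derive(char[] pwd, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(pwd, salt, ITERATIONS, KEY_BITS);
        try {
            return SecretKeyFactory.getInstance(ALGORITHM).generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword(); // drop the password copy held by the spec
        }
    }

    public static void main(String[] args) throws Exception {
        char[] pwd = "correct horse battery staple".toCharArray();
        String record = hashForStorage(pwd);
        System.out.println("stored record: " + record);
        System.out.println("verify correct password: " + verify(pwd, record));
        System.out.println("verify wrong password:   " + verify("wrong".toCharArray(), record));
    }
}
```

In the verification path the salt argument to PBEKeySpec is data loaded from storage, so a rule that demands a randomized salt on every PBEKeySpec construction will always fire there; a fix has to tell the analysis that this salt legitimately comes from a stored record rather than replace it with a fresh random value, which would break verification.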

@kruegers (Member) commented May 25, 2020:

Hey @enriozuni,
Yes, please apply the fix as you describe.
Thanks.

@enriozuni (Contributor):

I included the fix in the code template. I also added a missing part in the CrySLBasedCodeGenerator for adding additional resources (e.g. JARs) during the generation process. However, I just noticed a possible bug when PredicateEnsurer.jar is used. After the predicate ensurer is used for the first time, the error messages from the analysis are gone. But when the analysis is started a second time, the same error messages occur. I believe this should not be the case when the predicate fix is used.

@kruegers @AnakinSklavenwalker what should I do with my implementation? Shall I open a PR?
