From 3354c7d1eb60f3bd1aefe29bcdefdc7d13f4e1e0 Mon Sep 17 00:00:00 2001
From: Dominique RIGHETTO
Date: Thu, 30 Oct 2025 08:05:11 +0100
Subject: [PATCH 1/2] Add files via upload
---
 .../audit/crypto/use-of-sha1prng.java | 20 ++++++++++++
 .../audit/crypto/use-of-sha1prng.yaml | 31 +++++++++++++++++++
 2 files changed, 51 insertions(+)
 create mode 100644 java/lang/security/audit/crypto/use-of-sha1prng.java
 create mode 100644 java/lang/security/audit/crypto/use-of-sha1prng.yaml
diff --git a/java/lang/security/audit/crypto/use-of-sha1prng.java b/java/lang/security/audit/crypto/use-of-sha1prng.java
new file mode 100644
index 0000000000..4096e99f00
--- /dev/null
+++ b/java/lang/security/audit/crypto/use-of-sha1prng.java
@@ -0,0 +1,20 @@
+package com.test;
+
+import java.security.SecureRandom
+
+public class Cases {
+
+ public void case1(String param, long x) {
+ //ruleid: use-of-sha1prng
+ SecureRandom sr0 = SecureRandom.getInstance("SHA1PRNG")
+ }
+
+ public void case2(String param, long x) {
+ //ok: use-of-sha1prng
+ SecureRandom sr1 = SecureRandom.getInstance("NativePRNG");
+ //ok: use-of-sha1prng
+ SecureRandom sr2 = new SecureRandom();
+ //ok: use-of-sha1prng
+ SecureRandom sr3 = SecureRandom.getInstanceStrong();
+ }
+}
\ No newline at end of file
diff --git a/java/lang/security/audit/crypto/use-of-sha1prng.yaml b/java/lang/security/audit/crypto/use-of-sha1prng.yaml
new file mode 100644
index 0000000000..da797a8055
--- /dev/null
+++ b/java/lang/security/audit/crypto/use-of-sha1prng.yaml
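Review bot: The fixture `use-of-sha1prng.java` is not valid Java: the `import java.security.SecureRandom` line and the `sr0` assignment in `case1` both lack their terminating semicolon, so the only `ruleid` case depends on the parser's error recovery instead of a clean parse. Ending them as `import java.security.SecureRandom;` and `SecureRandom sr0 = SecureRandom.getInstance("SHA1PRNG");` keeps the positive case trustworthy. A second annotated case for the provider overload, for example `SecureRandom.getInstance("SHA1PRNG", "SUN")`, would also document whether that call form is meant to be reported.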
@@ -0,0 +1,31 @@
+rules:
+ - id: use-of-sha1prng
+ languages:
+ - java
+ severity: WARNING
+ message: Detected usage of SHA1PRNG, a pseudo random number generator algorithm which is considered insecure.
+ pattern: SecureRandom.getInstance("SHA1PRNG")
+ fix: Use 'SecureRandom.getInstanceStrong()' to obtain a secure random instance using a pseudo random number generator algorithm suited for security related processing.
+ paths:
+ include:
+ - "**/*.java"
+ metadata:
+ category: security
+ owasp:
+ - A02:2021 Cryptographic Failures
+ technology:
+ - java
+ references:
+ - https://precli.readthedocs.io/0.5.9/rules/java/stdlib/java-security-weak-random/
+ - https://thesecurityvault.com/weak-random/
+ - https://android-developers.googleblog.com/2016/06/security-crypto-provider-deprecated-in.html
+ - https://docs.oracle.com/en/java/javase/21/docs/specs/security/standard-names.html#securerandom-number-generation-algorithms
+ - https://github.com/OWASP/mastg/issues/1685
+ - https://metebalci.com/blog/everything-about-javas-securerandom/
+ cwe:
+ - "CWE-327: Use of a Broken or Risky Cryptographic Algorithm"
+ likelihood: LOW
+ impact: LOW
+ confidence: LOW
+ subcategory:
+ - audit
\ No newline at end of file
From f5973df5de6d1e6a2d69537560aec856a3ea8609 Mon Sep 17 00:00:00 2001
From: Dominique RIGHETTO
Date: Thu, 30 Oct 2025 08:25:37 +0100
Subject: [PATCH 2/2] Fix reco
---
 java/lang/security/audit/crypto/use-of-sha1prng.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/java/lang/security/audit/crypto/use-of-sha1prng.yaml b/java/lang/security/audit/crypto/use-of-sha1prng.yaml
index da797a8055..6cc232a1c5 100644
--- a/java/lang/security/audit/crypto/use-of-sha1prng.yaml
+++ b/java/lang/security/audit/crypto/use-of-sha1prng.yaml
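Review bot: In the new rule file `use-of-sha1prng.yaml`, the `fix:` key carries a prose recommendation, but Semgrep uses `fix:` as the literal autofix replacement, so applying autofix would overwrite the matched call with that sentence and leave the Java file uncompilable. The remediation text belongs in `message:` and the `fix:` key should be dropped; the hunk in patch 2/2 rewords the sentence but keeps it under `fix:`. The rule also matches only the one-argument call, while `pattern: SecureRandom.getInstance("SHA1PRNG", ...)` would additionally report the overloads that take a provider. Since the finding is about a weak generator, `CWE-338` may describe it more precisely than `CWE-327`.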
@@ -5,7 +5,7 @@ rules:
 severity: WARNING
 message: Detected usage of SHA1PRNG, a pseudo random number generator algorithm which is considered insecure.
 pattern: SecureRandom.getInstance("SHA1PRNG")
- fix: Use 'SecureRandom.getInstanceStrong()' to obtain a secure random instance using a pseudo random number generator algorithm suited for security related processing.
+ fix: On Java 8- use 'SecureRandom.getInstanceStrong()' and on Java 9+ use 'new SecureRandom()' to obtain a secure random instance using a pseudo random number generator algorithm suited for security related processing.
 paths:
 include:
 - "**/*.java"
@@ -28,4 +28,4 @@ rules:
 impact: LOW
 confidence: LOW
 subcategory:
- - audit
\ No newline at end of file
+ - audit
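Review bot: The reworded recommendation says "On Java 8- use 'SecureRandom.getInstanceStrong()'", which reads as Java 8 and earlier, but `getInstanceStrong()` was only added in Java 8, so the advice cannot be followed on older runtimes. Stating the boundary explicitly, for example `On Java 8 use 'SecureRandom.getInstanceStrong()'`, removes the ambiguity. The text could also mention that `getInstanceStrong()` may select a blocking generator on Linux and stall when entropy is low, which is a reason many projects default to `new SecureRandom()` for ordinary token and key generation. It would be worth confirming the intended split between the two calls before merging.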