gitlab.find_sec_bugs.HARD_CODE_KEY-1

unknown

Download Count*

License

Cryptographic keys should not be kept in the source code. The source code can be widely shared in an enterprise environment, and is certainly shared in open source. To be managed safely, passwords and secret keys should be stored in separate configuration files or keystores.

Run Locally

Run in CI

Semgrep CI docs

Defintion

Edit Rule View Source

Open in Playground

rules:
  - id: find_sec_bugs.HARD_CODE_KEY-1
    pattern-either:
      - patterns:
          - pattern-not-inside: |
              $FUNC(...,byte[] $KEY_BYTES, ...) {
                  ...
              }
          - pattern-either:
              - pattern: new DESKeySpec((byte[] $KEY_BYTES));
              - pattern: new DESedeKeySpec((byte[] $KEY_BYTES));
              - pattern: new KerberosKey(..., (byte[] $KEY_BYTES), ..., ...);
              - pattern: new SecretKeySpec((byte[] $KEY_BYTES), ...);
              - pattern: new X509EncodedKeySpec((byte[] $KEY_BYTES));
              - pattern: new PKCS8EncodedKeySpec((byte[] $KEY_BYTES));
              - pattern: new KeyRep(...,(byte[] $KEY_BYTES));
              - pattern: new KerberosTicket(...,(byte[] $KEY_BYTES),...);
          - metavariable-pattern:
              metavariable: $KEY_BYTES
              patterns:
                - pattern-not-regex: (null)
      - patterns:
          - pattern-not-inside: |
              $FUNC(..., BigInteger $PRIVATE_KEY, ...) {
                  ...
              }
          - pattern-either:
              - pattern: new DSAPrivateKeySpec((BigInteger $PRIVATE_KEY), ...);
              - pattern: new DSAPublicKeySpec((BigInteger $PRIVATE_KEY), ...);
              - pattern: new DHPrivateKeySpec((BigInteger $PRIVATE_KEY), ...);
              - pattern: new DHPublicKeySpec((BigInteger $PRIVATE_KEY), ...);
              - pattern: new ECPrivateKeySpec((BigInteger $PRIVATE_KEY), ...);
              - pattern: new RSAPrivateKeySpec((BigInteger $PRIVATE_KEY), ...);
              - pattern: new RSAMultiPrimePrivateCrtKeySpec((BigInteger $PRIVATE_KEY), ...);
              - pattern: new RSAPrivateCrtKeySpec((BigInteger $PRIVATE_KEY), ...);
              - pattern: new RSAPublicKeySpec((BigInteger $PRIVATE_KEY), ...);
          - metavariable-pattern:
              metavariable: $PRIVATE_KEY
              patterns:
                - pattern-not-regex: (null)
    message: >
      Cryptographic keys should not be kept in the source code. The source code
      can be widely shared

      in an enterprise environment, and is certainly shared in open source. To be managed safely,

      passwords and secret keys should be stored in separate configuration files or keystores.
    languages:
      - java
    severity: ERROR
    metadata:
      category: security
      cwe: "CWE-321: Use of Hard-coded Cryptographic Key"
      technology:
        - java
      license: MIT

Short Link: https://sg.run/Y4yX