java.lang.security.audit.crypto.des-is-deprecated.des-is-deprecated

Verifed by r2c
Community Favorite
profile photo of semgrepsemgrep
Author
98,708
Download Count*
LGPL Commons Clause
License

DES is considered deprecated. AES is the recommended cipher. Upgrade to use AES. See https://www.nist.gov/news-events/news/2005/06/nist-withdraws-outdated-data-encryption-standard for more information.

Run Locally

Run in CI

Semgrep CI docs

Defintion

Edit RuleView Source
Open in Playground 
rules:
  - id: des-is-deprecated
    message: DES is considered deprecated. AES is the recommended cipher. Upgrade to
      use AES. See
      https://www.nist.gov/news-events/news/2005/06/nist-withdraws-outdated-data-encryption-standard
      for more information.
    metadata:
      functional-categories:
        - crypto::search::symmetric-algorithm::javax.crypto
      cwe:
        - "CWE-326: Inadequate Encryption Strength"
      owasp:
        - A03:2017 - Sensitive Data Exposure
        - A02:2021 - Cryptographic Failures
      source-rule-url: https://find-sec-bugs.github.io/bugs.htm#DES_USAGE
      asvs:
        section: V6 Stored Cryptography Verification Requirements
        control_id: 6.2.5 Insecure Algorithm
        control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x14-V6-Cryptography.md#v62-algorithms
        version: "4"
      references:
        - https://www.nist.gov/news-events/news/2005/06/nist-withdraws-outdated-data-encryption-standard
        - https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#algorithms
      category: security
      technology:
        - java
      subcategory:
        - vuln
      likelihood: MEDIUM
      impact: MEDIUM
      confidence: HIGH
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Cryptographic Issues
    severity: WARNING
    patterns:
      - pattern-either:
          - pattern-inside: $CIPHER.getInstance("=~/DES/.*/")
          - pattern-inside: $CIPHER.getInstance("DES")
      - pattern-either:
          - pattern: |
              "=~/DES/.*/"
          - pattern: |
              "DES"
    fix: |
      "AES/GCM/NoPadding"
    languages:
      - java
      - kt

Examples

des-is-deprecated.java

package servlets;

import java.io.File;
import java.io.IOException;
import java.io.PrintWriter;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class Cls extends HttpServlet
{
    private static org.apache.log4j.Logger log = Logger.getLogger(Register.class);

    // cf. https://find-sec-bugs.github.io/bugs.htm#TDES_USAGE
    protected void danger(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
        // ruleid: des-is-deprecated
        Cipher c = Cipher.getInstance("DES/ECB/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, k, iv);
        byte[] cipherText = c.doFinal(plainText);
    }

    protected void danger2(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
        // ruleid: des-is-deprecated
        Cipher c = Cipher.getInstance("DES");
        c.init(Cipher.ENCRYPT_MODE, k, iv);
        byte[] cipherText = c.doFinal(plainText);
    }

    protected void ok(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
        // ok: des-is-deprecated
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, k, iv);
        byte[] cipherText = c.doFinal(plainText);
    }
}