kotlin.lang.security.no-null-cipher.no-null-cipher
semgrep
NullCipher was detected. This will not encrypt anything; the cipher text will be the same as the plain text. Use a valid, secure cipher: Cipher.getInstance("AES/CBC/PKCS7PADDING"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information.
Definition
rules:
- id: no-null-cipher
pattern: NullCipher(...)
metadata:
cwe:
- "CWE-327: Use of a Broken or Risky Cryptographic Algorithm"
owasp:
- A03:2017 - Sensitive Data Exposure
- A02:2021 - Cryptographic Failures
source-rule-url: https://find-sec-bugs.github.io/bugs.htm#NULL_CIPHER
asvs:
section: V6 Stored Cryptography Verification Requirements
control_id: 6.2.5 Insecure Algorithm
control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x14-V6-Cryptography.md#v62-algorithms
version: "4"
category: security
technology:
- kotlin
license: Commons Clause License Condition v1.0[LGPL-2.1-only]
references:
- https://owasp.org/Top10/A02_2021-Cryptographic_Failures
subcategory:
- vuln
likelihood: LOW
impact: MEDIUM
confidence: MEDIUM
vulnerability_class:
- Cryptographic Issues
message: 'NullCipher was detected. This will not encrypt anything; the cipher
text will be the same as the plain text. Use a valid, secure cipher:
Cipher.getInstance("AES/CBC/PKCS7PADDING"). See
https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions
for more information.'
severity: WARNING
languages:
- kt
- scala
Examples
no-null-cipher.kt
import java.lang.Runtime
import javax.crypto.Cipher
import javax.crypto.NullCipher
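class Cls {
    /**
     * Negative fixture for the `no-null-cipher` rule.
     *
     * [NullCipher] is the JCE identity cipher: it applies no transformation, so the
     * bytes it returns are byte-for-byte equal to the input. The `ruleid` marker
     * below is what the Semgrep test harness checks; it must stay directly above
     * the flagged constructor call.
     *
     * @param plainText data the caller expects to be protected
     * @return the "encrypted" bytes, which are identical to [plainText]'s UTF-8 encoding
     */
    fun test1(plainText: String): Array<Byte> {
        // ruleid: no-null-cipher
        val doNothingCipher: Cipher = NullCipher()
        // The ciphertext produced will be identical to the plaintext.
        // doFinal takes and returns ByteArray; the boxed Array<Byte> return type is
        // kept only to preserve the fixture's original signature.
        val cipherText: ByteArray = doNothingCipher.doFinal(plainText.toByteArray())
        return cipherText.toTypedArray()
    }

    /**
     * Positive fixture for the `no-null-cipher` rule: a real AES transformation.
     *
     * This fixture exists to exercise the rule, not to be a working encryption
     * routine: a JCE [Cipher] must be initialised with a key (and, for CBC, an IV)
     * via `init` before `doFinal`, and that step is deliberately omitted here, so
     * invoking this method at runtime throws `IllegalStateException` from `doFinal`.
     *
     * @param plainText data to encrypt
     * @return the AES/CBC ciphertext, once the cipher has been initialised
     */
    fun test2(plainText: String): Array<Byte> {
        // ok: no-null-cipher
        val cipher: Cipher = Cipher.getInstance("AES/CBC/PKCS5Padding")
        val cipherText: ByteArray = cipher.doFinal(plainText.toByteArray())
        return cipherText.toTypedArray()
    }
}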