From 260f1da4402418e74e531edcc0db5de490364166 Mon Sep 17 00:00:00 2001
From: "Travis CI (pmd-bot)"
Date: Mon, 23 Apr 2018 19:20:29 +0000
Subject: [PATCH] Update documentation

---
 docs/_data/sidebars/pmd_sidebar.yml | 3 ++
 docs/pages/pmd/rules/java.md | 6 ++++
 docs/pages/pmd/rules/java/security.md | 46 +++++++++++++++++++++++++++
 3 files changed, 55 insertions(+)
 create mode 100644 docs/pages/pmd/rules/java/security.md

diff --git a/docs/_data/sidebars/pmd_sidebar.yml b/docs/_data/sidebars/pmd_sidebar.yml
index 1c722c3d9e..d8444b7bae 100644
--- a/docs/_data/sidebars/pmd_sidebar.yml
+++ b/docs/_data/sidebars/pmd_sidebar.yml
@@ -172,6 +172,9 @@ entries:
 - title: Performance
 output: web, pdf
 url: /pmd_rules_java_performance.html
+ - title: Security
+ output: web, pdf
+ url: /pmd_rules_java_security.html
 - title: null
 output: web, pdf
 subfolders:
diff --git a/docs/pages/pmd/rules/java.md b/docs/pages/pmd/rules/java.md
index 52035fb158..8e8eba921c 100644
--- a/docs/pages/pmd/rules/java.md
+++ b/docs/pages/pmd/rules/java.md
@@ -323,6 +323,12 @@ folder: pmd/rules
 * [UseStringBufferForStringAppends](pmd_rules_java_performance.html#usestringbufferforstringappends): The use of the '+=' operator for appending strings causes the JVM to create and use an internal S...
 * [UseStringBufferLength](pmd_rules_java_performance.html#usestringbufferlength): Use StringBuffer.length() to determine StringBuffer length rather than using StringBuffer.toStrin...
+## Security
+
+{% include callout.html content="Rules that flag potential security flaws." %}
+
+* [InsecureCryptoIv](pmd_rules_java_security.html#insecurecryptoiv): Do not use hard coded initialization vector in cryptographic operations. Please use a randomly ge...
+
 ## Additional rulesets
 * Android (`rulesets/java/android.xml`):
diff --git a/docs/pages/pmd/rules/java/security.md b/docs/pages/pmd/rules/java/security.md
new file mode 100644
index 0000000000..17b9caa150
--- /dev/null
+++ b/docs/pages/pmd/rules/java/security.md
@@ -0,0 +1,46 @@
+---
+title: Security
+summary: Rules that flag potential security flaws.
+permalink: pmd_rules_java_security.html
+folder: pmd/rules/java
+sidebaractiveurl: /pmd_rules_java.html
+editmepath: ../pmd-java/src/main/resources/category/java/security.xml
+keywords: Security, InsecureCryptoIv
+language: Java
+---
+## InsecureCryptoIv
+
+**Since:** PMD 6.3.0
+
+**Priority:** Medium (3)
+
+Do not use hard coded initialization vector in cryptographic operations. Please use a randomly generated IV.
+
+**This rule is defined by the following Java class:** [net.sourceforge.pmd.lang.java.rule.security.InsecureCryptoIvRule](https://github.com/pmd/pmd/blob/master/pmd-java/src/main/java/net/sourceforge/pmd/lang/java/rule/security/InsecureCryptoIvRule.java)
+
+**Example(s):**
+
+``` java
+public class Foo {
+ void good() {
+ SecureRandom random = new SecureRandom();
+ byte iv[] = new byte[16];
+ random.nextBytes(bytes);
+ }
+
+ void bad() {
+ byte[] iv = new byte[] { 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, };
+ }
+
+ void alsoBad() {
+ byte[] iv = "secret iv in here".getBytes();
+ }
+
+}
+```
+
+**Use this rule by referencing it:**
+``` xml
+
+```
+