Merge branch 'pr-1046'

Andreas Dangel
2018-05-21 13:12:24 +02:00
9 changed files with 293 additions and 97 deletions


@@ -327,6 +327,7 @@ folder: pmd/rules
{% include callout.html content="Rules that flag potential security flaws." %}
* [HardCodedCryptoKey](pmd_rules_java_security.html#hardcodedcryptokey): Do not use hard coded values for cryptographic operations. Please store keys outside of source code.
* [InsecureCryptoIv](pmd_rules_java_security.html#insecurecryptoiv): Do not use hard coded initialization vector in cryptographic operations. Please use a randomly ge...
## Additional rulesets
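Review bot: the new index entry for HardCodedCryptoKey only says "store keys outside of source code" without indicating what the rule accepts as an outside source; a short hint such as "load keys from a KeyStore or configuration at runtime" in the summary would tell readers of this index what the rule is actually checking for. Also confirm that the neighbouring InsecureCryptoIv summary is intentionally shortened to "randomly ge..." on the rendered page rather than being cut off by the summary length.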


@@ -5,9 +5,38 @@ permalink: pmd_rules_java_security.html
folder: pmd/rules/java
sidebaractiveurl: /pmd_rules_java.html
editmepath: ../pmd-java/src/main/resources/category/java/security.xml
keywords: Security, InsecureCryptoIv
keywords: Security, InsecureCryptoIv, HardCodedCryptoKey
language: Java
---
## HardCodedCryptoKey
**Since:** PMD 6.3.0
**Priority:** Medium (3)
Do not use hard coded values for cryptographic operations. Please store keys outside of source code.
**This rule is defined by the following Java class:** [net.sourceforge.pmd.lang.java.rule.security.HardCodedCryptoKeyRule](https://github.com/pmd/pmd/blob/master/pmd-java/src/main/java/net/sourceforge/pmd/lang/java/rule/security/HardCodedCryptoKeyRule.java)
**Example(s):**
``` java
public class Foo {
void good() {
SecretKeySpec secretKeySpec = new SecretKeySpec(Properties.getKey(), "AES");
}
void bad() {
SecretKeySpec secretKeySpec = new SecretKeySpec("my secret here".getBytes(), "AES");
}
}
```
**Use this rule by referencing it:**
``` xml
<rule ref="category/java/security.xml/HardCodedCryptoKey" />
```
## InsecureCryptoIv
**Since:** PMD 6.3.0
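Review bot: the `good()` example calls `Properties.getKey()`, which is not a method of `java.util.Properties` and is not defined anywhere in the snippet, so the example does not compile as shown; either label it as an application-specific placeholder (for example `loadKeyFromKeyStore()` with a comment) or show a concrete source such as `KeyStore.getKey(alias, password)`. The rule description "Do not use hard coded values for cryptographic operations" does not state which constructs are flagged; the example suggests a string literal passed to `SecretKeySpec`, and saying so explicitly (and whether constant byte arrays are also caught) would help users judge what the rule does and does not detect. In `bad()`, a comment that `"my secret here".getBytes()` embeds the key in the compiled class, where anyone with the artifact can read it, would make the rationale concrete. The front matter in this hunk shows two `keywords:` lines; confirm the first is the removed line and only `keywords: Security, InsecureCryptoIv, HardCodedCryptoKey` remains after the merge.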


@@ -13,6 +13,7 @@ This is a bug fixing release.
### Table Of Contents
* [New and noteworthy](#new-and-noteworthy)
* [New Rules](#new-rules)
* [Modified Rules](#modified-rules)
* [Fixed Issues](#fixed-issues)
* [API Changes](#api-changes)
@@ -20,6 +21,11 @@ This is a bug fixing release.
### New and noteworthy
#### New Rules
* The new Java rule [`HardCodedCryptoKey`](pmd_rules_java_security.html#hardcodedcryptokey) (`java-security`)
detects hard coded keys used for encryption. It is recommended to store keys outside of the source code.
#### Modified Rules
* The Java rule [JUnit4TestShouldUseTestAnnotation](pmd_rules_java_bestpractices.html#junit4testshouldusetestannotation) (`java-bestpractices`)
@@ -60,8 +66,8 @@ This is a bug fixing release.
in the same package.
### External Contributions
* [#1046](https://github.com/pmd/pmd/pull/1046): \[java] New security rule for finding hard-coded keys used for cryptographic operations - [Sergey Gorbaty](https://github.com/sgorbaty)
* [#1101](https://github.com/pmd/pmd/pull/1101): \[java] Fixes false positive for `DoNotExtendJavaLangError` - [Akshat Bahety](https://github.com/akshatbahety)
* [#1106](https://github.com/pmd/pmd/pull/1106): \[vf] URLENCODE is ignored as valid escape method - [Robert Sösemann](https://github.com/rsoesemann)