• Home
• org.codehaus.sonar-plugins.java
• java-checks
• 3.2
• source code
• S2277.html

×

Project download

Many resources are needed to download a project. Please understand that we have to compensate our server costs. Thank you in advance.
Project price only 1 $

You can buy this project and download/modify it how often you want.

org.sonar.l10n.java.rules.squid.S2277.html Maven / Gradle / Ivy

Without OAEP in RSA encryption, it takes less work for an attacker to decrypt the data or infer patterns from the ciphertext. This rule logs an issue as soon as a literal value starts with RSA/NONE. 
Noncompliant Code Example

Cipher rsa = javax.crypto.Cipher.getInstance("RSA/NONE/NoPadding");

Compliant Solution

Cipher rsa = javax.crypto.Cipher.getInstance("RSA/ECB/OAEPWithSHA-1AndMGF1Padding");

See


 MITRE CWE-780 - Use of RSA Algorithm without OAEP
 MITRE CWE-327: Use of a Broken or Risky Cryptographic Algorithm
 OWASP Top Ten 2013 Category A6 - Sensitive Data Exposure
 Derived from FindSecBugs rule RSA NoPadding Unsafe