
when try to scan a directory, it seems that only one file is scanned, is it a bug?

Open HTQianqian opened this issue 4 years ago • 3 comments

codyze version: 1.4.1

scanning folder: [install dir]\bin\codyze.bat -c -s [folder] -m [install dir]\mark

scanning file: [install dir]\bin\codyze.bat -c -s [folder\RSAPadding.java] -m [install dir]\mark

In the folder, there are many Java files, but I only get the result findbug.json with the file RSAPadding.java. It seems that only one file is scanned when trying to scan a directory.

HTQianqian avatar Oct 31 '20 15:10 HTQianqian

Hi HTQianqian,

sorry to hear that you're having problems. I'll take a look at a sample project of mine.

fwendland avatar Nov 02 '20 09:11 fwendland

Hi @HTQianqian,

I've tested Codyze 1.4.1 on my Windows machine with the botan_rule_tr_test in the src/test/resources folder. It worked fine. I've got a findings.json with multiple findings across multiple files.

Maybe your project contains findings only in RSAPadding.java? Is your project code by any chance open source so I can try it?

fwendland avatar Nov 02 '20 10:11 fwendland

@fwendland, thanks for your feedback. Here are my test code and command.

The command: codyze-1.4.1\bin\codyze.bat -c --source InadequateRSAPadding

The structure of my folder:

    InadequateRSAPadding
    ├── CWE780_WeakEncryption_InadequateRSAPadding_31
    │   ├── CWE780_WeakEncryption_InadequateRSAPadding_31a.java
    │   └── CWE780_WeakEncryption_InadequateRSAPadding_31b.java
    └── CWE780_WeakEncryption_InadequateRSAPadding_01.java

CWE780_WeakEncryption_InadequateRSAPadding_01.java:

package WeakEncryption.InadequateRSAPadding;

import javax.crypto.Cipher;

public class CWE780_WeakEncryption_InadequateRSAPadding_01 {
    public void bad() throws Exception {
        /* POTENTIAL FLAW: Not OAEP */
        Cipher.getInstance("RSA");
    }

    public void good() throws Exception {
        Cipher.getInstance("RSA/ECB/OAEPWithSHA-512AndMGF1Padding");
    }
}

CWE780_WeakEncryption_InadequateRSAPadding_31a.java:

package WeakEncryption.InadequateRSAPadding;

import javax.crypto.Cipher;

public class CWE780_WeakEncryption_InadequateRSAPadding_31a {
    public Cipher getInstanceBad(String transformation) throws Exception {
        /* POTENTIAL FLAW: NOT OAEP */
        return Cipher.getInstance(transformation);
    }

    public Cipher getInstanceGood(String transformation) throws Exception {
        return Cipher.getInstance(transformation);
    }
}

CWE780_WeakEncryption_InadequateRSAPadding_31b.java:

package WeakEncryption.InadequateRSAPadding;

public class CWE780_WeakEncryption_InadequateRSAPadding_31b {
    public void bad() throws Exception {
        CWE780_WeakEncryption_InadequateRSAPadding_31a inadequateRSAPadding_31a =
                new CWE780_WeakEncryption_InadequateRSAPadding_31a();

        inadequateRSAPadding_31a.getInstanceBad("RSA");
    }

    public void good() throws Exception {
        CWE780_WeakEncryption_InadequateRSAPadding_31a inadequateRSAPadding_31a =
                new CWE780_WeakEncryption_InadequateRSAPadding_31a();

        inadequateRSAPadding_31a.getInstanceGood("RSA/ECB/OAEPWithSHA-512AndMGF1Padding");
    }
}

HTQianqian avatar Nov 04 '20 16:11 HTQianqian
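A quick way to tell "only one file was scanned" apart from "only one file had findings" (the distinction fwendland raises above) is to compare the Java files on disk with the files named anywhere in the findings report. The script below is an added example, not part of this issue or of Codyze; it does not assume a particular findings schema, it simply collects every string ending in `.java` from the JSON, and the sample file list and findings document are constructed here to mirror the folder layout in the report.

```python
import json
from pathlib import Path


def java_files_under(root):
    """Set of .java files below `root`, relative to it, with '/' separators."""
    root = Path(root)
    return {p.relative_to(root).as_posix() for p in root.rglob("*.java")}


def java_files_in_findings(findings):
    """Basenames of every .java path mentioned anywhere in the findings JSON.

    The walk is schema-agnostic: Codyze's exact key names are not assumed,
    any string value ending in '.java' (with '\\' or '/' separators) counts.
    """
    names = set()

    def walk(node):
        if isinstance(node, dict):
            for value in node.values():
                walk(value)
        elif isinstance(node, list):
            for value in node:
                walk(value)
        elif isinstance(node, str) and node.lower().endswith(".java"):
            names.add(Path(node.replace("\\", "/")).name)

    walk(findings)
    return names


def files_without_findings(source_files, findings):
    """Source files that the findings report never mentions, sorted."""
    mentioned = java_files_in_findings(findings)
    return sorted(f for f in source_files if Path(f).name not in mentioned)


# Constructed sample input: the three files from the report, and a findings
# document (made up here) that only references the _01 file with a Windows path.
SAMPLE_FILES = {
    "CWE780_WeakEncryption_InadequateRSAPadding_01.java",
    "CWE780_WeakEncryption_InadequateRSAPadding_31/CWE780_WeakEncryption_InadequateRSAPadding_31a.java",
    "CWE780_WeakEncryption_InadequateRSAPadding_31/CWE780_WeakEncryption_InadequateRSAPadding_31b.java",
}
SAMPLE_FINDINGS = json.loads(
    '[{"file": "C:\\\\proj\\\\InadequateRSAPadding\\\\'
    'CWE780_WeakEncryption_InadequateRSAPadding_01.java", "line": 7}]'
)

if __name__ == "__main__":
    for f in files_without_findings(SAMPLE_FILES, SAMPLE_FINDINGS):
        print("no findings reported for:", f)
```

A file on this list is either genuinely clean or was never analysed; in the report above, `_31b.java` calls `getInstanceBad("RSA")` and would be expected to produce a finding, so its absence from the report points at the scan rather than the code. To run it against a real scan, replace `SAMPLE_FILES` with `java_files_under(source_dir)` and `SAMPLE_FINDINGS` with `json.load(open("findings.json"))`.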