codyze
[False Positive] In the correct scenario, a defect is also reported.
TestCode:

```java
package WeakEncryption.InadequateRSAPadding;

import javax.crypto.Cipher;

public class CWE780_WeakEncryption_InadequateRSAPadding_01 {
    public void bad() throws Exception {
        /* POTENTIAL FLAW: Not OAEP */
        Cipher.getInstance("RSA");
    }

    public void good() throws Exception {
        Cipher.getInstance("RSA/ECB/OAEPWithSHA-512AndMGF1Padding");
    }
}
```
findings.json:

```json
[
  {
    "problem": false,
    "locations": [
      {
        "region": { "endLine": 7, "endColumn": 32, "startColumn": 27, "startLine": 7 },
        "artifactLocation": { "uri": "file:/xxx/InadequateRSAPadding/CWE780_WeakEncryption_InadequateRSAPadding_01.java" }
      }
    ],
    "logMsg": "Rule ID_2_01 verified",
    "onfailIdentifier": "Invalid_TR21021_Cipher"
  },
  {
    "problem": false,
    "locations": [
      {
        "region": { "endLine": 11, "endColumn": 66, "startColumn": 27, "startLine": 11 },
        "artifactLocation": { "uri": "file:/xxx/InadequateRSAPadding/CWE780_WeakEncryption_InadequateRSAPadding_01.java" }
      }
    ],
    "logMsg": "Rule ID_2_01 verified",
    "onfailIdentifier": "Invalid_TR21021_Cipher"
  },
  {
    "problem": true,
    "locations": [],
    "logMsg": "Rule BouncyCastleProvider_Cipher violated",
    "onfailIdentifier": "InvalidProvider_Cipher"
  },
  {
    "problem": true,
    "locations": [
      {
        "region": { "endLine": 11, "endColumn": 66, "startColumn": 27, "startLine": 11 },
        "artifactLocation": { "uri": "file:/xxx/InadequateRSAPadding/CWE780_WeakEncryption_InadequateRSAPadding_01.java" }
      }
    ],
    "logMsg": "Rule ID_3_5_01 violated",
    "onfailIdentifier": "InvalidRSAPadding"
  },
  {
    "problem": true,
    "locations": [],
    "logMsg": "Rule ID_3_5_01 violated",
    "onfailIdentifier": "InvalidRSAPadding"
  }
]
```
```java
Cipher.getInstance("RSA/ECB/OAEPWithSHA-512AndMGF1Padding");
```

I think it is a correct scenario, but a defect [InvalidRSAPadding] is also reported [Line Number 11]. The MARK rule files show that the algorithm name is case-sensitive. Can it be case-insensitive?
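As an added example (not codyze's rule engine or its MARK rules), the case-insensitive matching the report asks for, written as a small stand-alone CWE-780 check: JCA algorithm, mode and padding names are case-insensitive, so the transformation string is lower-cased before its padding is classified. The list of `Cipher.getInstance` call sites is constructed for the example.

```python
import re

# OAEP padding names: the short form "OAEPPadding" and the
# "OAEPWith<digest>AndMGF1Padding" family. Compared lower-cased because
# JCA treats algorithm/mode/padding names case-insensitively.
_OAEP_RE = re.compile(r"^oaep(with[a-z0-9-]+andmgf1)?padding$")


def parse_transformation(transformation):
    """Split a JCA transformation into (algorithm, mode, padding), lower-cased.

    Mode and padding are None when only the algorithm is given; the provider
    default then applies (for RSA in the JDK this is typically PKCS#1 v1.5).
    """
    parts = [p.strip().lower() for p in transformation.split("/")]
    if len(parts) == 1:
        return parts[0], None, None
    if len(parts) == 3:
        return parts[0], parts[1], parts[2]
    raise ValueError(f"malformed transformation: {transformation!r}")


def is_inadequate_rsa_padding(transformation):
    """True when the transformation is RSA without OAEP padding (CWE-780).

    Non-RSA transformations are out of scope for this rule and return False.
    """
    algorithm, _mode, padding = parse_transformation(transformation)
    if algorithm != "rsa":
        return False
    if padding is None:
        return True  # bare "RSA": padding is left to the provider default
    return _OAEP_RE.match(padding) is None


def scan_calls(calls):
    """Return the (line, transformation) pairs that should be reported."""
    return [(line, t) for line, t in calls if is_inadequate_rsa_padding(t)]


# Constructed sample: the two calls from the test class plus case variants
# (line numbers are illustrative, not taken from a real file).
SAMPLE_CALLS = [
    (7, "RSA"),
    (11, "RSA/ECB/OAEPWithSHA-512AndMGF1Padding"),
    (20, "rsa/ecb/oaepwithsha-256andmgf1padding"),
    (21, "RSA/ECB/PKCS1Padding"),
    (22, "AES/GCM/NoPadding"),
]

if __name__ == "__main__":
    for line, t in scan_calls(SAMPLE_CALLS):
        print(f"line {line}: inadequate RSA padding in {t!r}")
```

With this normalisation the OAEP call on line 11 is no longer reported, while the bare "RSA" call and an explicit PKCS1Padding call still are.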