sonar-cryptography
This repository contains a SonarQube Plugin that detects cryptographic assets in source code and generates CBOM.
Bumps [org.apache.maven.plugins:maven-checkstyle-plugin](https://github.com/apache/maven-checkstyle-plugin) from 3.4.0 to 3.5.0. Commits 868abc9 [maven-release-plugin] prepare release maven-checkstyle-plugin-3.5.0 9043f8a [MCHECKSTYLE-446] Dynamically calculate xrefLocation/xrefTestLocation 0e7bd00 [MCHECKSTYLE-445] Upgrade to Doxia 2.0.0 Milestone Stack b92666d Bump org.apache.maven.plugins:maven-plugins from 42...
Let's look at the example below, where our rule `NEW_CIPHER` (actual rule from Python's `CryptographyCipher.java` file) has two parameters that need to be detected: `private static final IDetectionRule NEW_CIPHER...`
The two guides [Extending the Sonar Cryptography Plugin to add support for another language or cryptography library](https://github.com/IBM/sonar-cryptography/blob/main/docs/LANGUAGE_SUPPORT.md) and [Writing new detection rules for the Sonar Cryptography Plugin](https://github.com/IBM/sonar-cryptography/blob/main/docs/DETECTION_RULE_STRUCTURE.md) may not be...
Extend logging capabilities for the scanner:
- log total amount of detected cryptographic assets after the scan
- ...
The test for [ResolveMethodCallTestFile.java](https://github.com/IBM/sonar-cryptography/blob/main/java/src/test/files/rules/resolve/ResolveMethodCallTestFile.java) should report all detected curves. Currently only the last curve is reported but three times.
Currently the NIST security level and the classic security levels are not reported by the plugin.
### Useful sources
- https://eprint.iacr.org/2020/1322.pdf
If cryptographic values are interdependent, the “internal” cryptographic references should be used to define these relationships.
### Example
If a `key` depends on an `algorithm`, use the `cryptoRef` field in...
- [ ] Go over the remaining disabled BouncyCastle tests and fix the issues
- [ ] All BouncyCastle classes are given [here](https://downloads.bouncycastle.org/java/docs/bcprov-jdk18on-javadoc/overview-tree.html): look into all the classes that are...
The language support for Python was written before some general changes were introduced. It should therefore be updated to take advantage of these changes, to have a more coherent and...
JCA uses a provider-based architecture, where one can specify a cryptography provider (like BouncyCastle) which will provide the implementations of JCA APIs.
- [ ] Investigate if we can often...