sonar-cryptography
Incorrect key size found
Hello, I have been conducting experiments with your plugin and would like to share some of my results. Thank you for the great work!
Context:
sonar-cryptography plugin version: 1.4.5
Issue found:
In the following piece of code, sonar-cryptography correctly detects AES usage but is confused by the key size; here it should be 256 instead of 128:
- Code snippet
- CBOM snippet:
```json
{
  "type" : "cryptographic-asset",
  "bom-ref" : "d64b6dbb-2005-4c66-9d8f-67b2f0d27cdb",
  "name" : "AES128",
  "evidence" : {
    "occurrences" : [
      {
        "location" : "src/main/java/cn/hyperchain/sdk/crypto/CipherUtil.java",
        "line" : 102,
        "offset" : 18,
        "additionalContext" : "javax.crypto.spec.SecretKeySpec#<init>([BLjava/lang/String;)V"
      },
      {
        "location" : "src/main/java/cn/hyperchain/sdk/crypto/CipherUtil.java",
        "line" : 121,
        "offset" : 18,
        "additionalContext" : "javax.crypto.spec.SecretKeySpec#<init>([BLjava/lang/String;)V"
      }
    ]
  },
  "cryptoProperties" : {
    "assetType" : "algorithm",
    "algorithmProperties" : {
      "primitive" : "block-cipher",
      "parameterSetIdentifier" : "128",
      "cryptoFunctions" : [
        "keygen"
      ]
    },
    "oid" : "2.16.840.1.101.3.4.1"
  }
}
```