sonar-cryptography
Duplicate findings?
Hello, I have been conducting experiments with your plugin and would like to share some of my results. Thank you for the great work!
Context:
sonar-cryptography plugin version: 1.4.5
Issue found:
Although sonar-cryptography does correctly identify AES usage, these findings look like duplicates: I suppose this is part of the policy facilitating design choices where AES is reported separately because it is a subcomponent of AES-CTR. But given that the same OID is used, does this choice really make sense?
Finding 1:
{
  "type" : "cryptographic-asset",
  "bom-ref" : "fb749483-ba6a-44d4-af57-e04b1087e820",
  "name" : "AES",
  "evidence" : {
    "occurrences" : [
      {
        "location" : "src/main/java/cn/hyperchain/sdk/crypto/ecdsa/ECKey.java",
        "line" : 947,
        "offset" : 31,
        "additionalContext" : "org.bouncycastle.crypto.engines.AESFastEngine#<init>()V"
      }
    ]
  },
  "cryptoProperties" : {
    "assetType" : "algorithm",
    "algorithmProperties" : {
      "primitive" : "block-cipher",
      "parameterSetIdentifier" : "128"
    },
    "oid" : "2.16.840.1.101.3.4.1"
  }
}
Finding 2:
{
  "type" : "cryptographic-asset",
  "bom-ref" : "a2be8a25-61b3-4d64-b14c-3557e964eb23",
  "name" : "AES-CTR",
  "evidence" : {
    "occurrences" : [
      {
        "location" : "src/main/java/cn/hyperchain/sdk/crypto/ecdsa/ECKey.java",
        "line" : 947,
        "offset" : 31,
        "additionalContext" : "org.bouncycastle.crypto.engines.AESFastEngine#<init>()V"
      }
    ]
  },
  "cryptoProperties" : {
    "assetType" : "algorithm",
    "algorithmProperties" : {
      "primitive" : "block-cipher",
      "parameterSetIdentifier" : "128",
      "mode" : "ctr",
      "cryptoFunctions" : [
        "decrypt"
      ]
    },
    "oid" : "2.16.840.1.101.3.4.1"
  }
}
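The pair above is the kind of thing a CBOM consumer has to decide about on its own: both entries point at the same occurrence (same file, line and offset) and carry the same OID, 2.16.840.1.101.3.4.1, which is the NIST "aes" arc rather than a mode-specific identifier, so the OID alone cannot separate them. The script below is an added example, not part of the issue or of sonar-cryptography: it groups cryptographic-asset components by (oid, location, line, offset) and then checks whether the less specific entry's algorithmProperties are contained unchanged in the more specific one (a "refinement" pair such as AES next to AES-CTR) or whether the two actually disagree (a "conflict"). The two findings quoted in the issue are reproduced as sample input; the surrounding "components" wrapper, the two extra components on Other.java, and the bom-refs "ref-3" and "ref-4" are constructed here to exercise the non-duplicate and conflicting cases.

```python
"""Flag cryptographic-asset entries in a CycloneDX CBOM that share an OID and a
source occurrence, and tell refinement pairs (AES / AES-CTR) apart from entries
that contradict each other.  Added example; not the plugin's own code."""
from collections import defaultdict

AES_OID = "2.16.840.1.101.3.4.1"  # NIST 'aes' arc, as carried by both findings in the issue
ECKEY = "src/main/java/cn/hyperchain/sdk/crypto/ecdsa/ECKey.java"
OTHER = "src/main/java/Other.java"  # constructed path for the extra cases


def asset(ref, name, location, line, offset, props):
    """Build a minimal cryptographic-asset component in the shape the issue shows."""
    return {
        "type": "cryptographic-asset",
        "bom-ref": ref,
        "name": name,
        "evidence": {"occurrences": [{"location": location, "line": line, "offset": offset}]},
        "cryptoProperties": {"assetType": "algorithm",
                             "algorithmProperties": props,
                             "oid": AES_OID},
    }


# Constructed sample CBOM: the first two components are the findings from the
# issue; the last two are invented to show a non-duplicate and a conflict.
SAMPLE_CBOM = {"components": [
    asset("fb749483-ba6a-44d4-af57-e04b1087e820", "AES", ECKEY, 947, 31,
          {"primitive": "block-cipher", "parameterSetIdentifier": "128"}),
    asset("a2be8a25-61b3-4d64-b14c-3557e964eb23", "AES-CTR", ECKEY, 947, 31,
          {"primitive": "block-cipher", "parameterSetIdentifier": "128",
           "mode": "ctr", "cryptoFunctions": ["decrypt"]}),
    # same OID at an unrelated occurrence: must not be grouped with the pair above
    asset("ref-3", "AES", OTHER, 10, 4,
          {"primitive": "block-cipher", "parameterSetIdentifier": "256"}),
    # same occurrence as ref-3 but a different key size: a real contradiction
    asset("ref-4", "AES-CBC", OTHER, 10, 4,
          {"primitive": "block-cipher", "parameterSetIdentifier": "128", "mode": "cbc"}),
]}


def algorithm_properties(comp):
    return comp.get("cryptoProperties", {}).get("algorithmProperties", {})


def colocated_groups(bom):
    """Group cryptographic-asset components by (oid, location, line, offset) and
    keep only the groups that hold more than one component."""
    groups = defaultdict(list)
    for comp in bom.get("components", []):
        if comp.get("type") != "cryptographic-asset":
            continue
        oid = comp.get("cryptoProperties", {}).get("oid")
        for occ in comp.get("evidence", {}).get("occurrences", []):
            key = (oid, occ.get("location"), occ.get("line"), occ.get("offset"))
            groups[key].append(comp)
    return {k: v for k, v in groups.items() if len(v) > 1}


def is_refinement(base, specific):
    """True when `specific` repeats every algorithmProperties field of `base`
    with the same value and only adds fields (AES -> AES-CTR adds mode and
    cryptoFunctions).  Such a pair is a subcomponent-style duplicate."""
    b, s = algorithm_properties(base), algorithm_properties(specific)
    return set(b) <= set(s) and all(s[k] == v for k, v in b.items())


def classify(bom):
    """Label every colocated group 'refinement' or 'conflict'.  Components are
    ordered from least to most specific (by property count) so the containment
    check always runs from the generic entry towards the detailed one."""
    report = {}
    for key, comps in colocated_groups(bom).items():
        ordered = sorted(comps, key=lambda c: len(algorithm_properties(c)))
        chain_ok = all(is_refinement(ordered[i], ordered[i + 1])
                       for i in range(len(ordered) - 1))
        report[key] = {"names": [c["name"] for c in ordered],
                       "kind": "refinement" if chain_ok else "conflict"}
    return report


if __name__ == "__main__":
    for (oid, location, line, offset), info in classify(SAMPLE_CBOM).items():
        print(f"{location}:{line}:{offset} oid={oid} {info['kind']}: {' -> '.join(info['names'])}")
```

Run against the sample, the ECKey.java pair is reported as a refinement (AES -> AES-CTR) and the constructed Other.java pair as a conflict, which is the distinction a reviewer of the CBOM would want before deciding whether a repeated OID is noise or a real disagreement between findings.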
Hi @K1li4nL - Thanks a lot for your interest in sonar-cryptography. We will look into the issues you created.