sonar-cryptography
Incorrect cryptoFunctions field
Hello, I have been conducting experiments with your plugin and would like to share some of my results. Thank you for the great work!
Context:
sonar-cryptography plugin version: 1.4.5
Issue found:
In the following piece, the algorithm is correctly identified but arguably, the "cryptoFunctions" field should be "keyderive".
- Code snippet
- CBOM snippet:

```json
{
  "type" : "cryptographic-asset",
  "bom-ref" : "bab84bfa-76ea-4453-b4e7-dc0dd1d0fd62",
  "name" : "PBKDF2-HMAC-SHA1",
  "evidence" : {
    "occurrences" : [
      {
        "location" : "powerauth-java-crypto/src/main/java/io/getlime/security/powerauth/crypto/lib/generator/KeyGenerator.java",
        "line" : 268,
        "offset" : 35,
        "additionalContext" : "javax.crypto.SecretKeyFactory#getInstance(Ljava/lang/String;Ljava/lang/String;)Ljavax/crypto/SecretKeyFactory;"
      }
    ]
  },
  "cryptoProperties" : {
    "assetType" : "algorithm",
    "algorithmProperties" : {
      "primitive" : "kdf",
      "parameterSetIdentifier" : "128",
      "cryptoFunctions" : [
        "keygen"
      ]
    }
  }
}
```
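The mismatch the issue describes (a `kdf` primitive whose `cryptoFunctions` says `keygen` instead of `keyderive`) is easy to catch with a consistency check run over a generated CBOM. The following is an added example, not code from the sonar-cryptography plugin or from the issue author: it parses a constructed CycloneDX-style CBOM fragment modelled on the one above (the `bom-ref` and file path are placeholders) and reports every algorithm asset whose primitive and declared functions do not agree. The primitive-to-function table (`EXPECTED_FUNCTIONS`) is an assumption of this example, derived from the argument in the issue, not a mapping defined by the plugin or the CycloneDX specification.

```python
import json

# Constructed sample CBOM, modelled on the issue's snippet. Values such as the
# bom-ref and the location are placeholders, not taken from a real scan.
SAMPLE_CBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.6",
    "components": [
        {
            "type": "cryptographic-asset",
            "bom-ref": "placeholder-ref-1",
            "name": "PBKDF2-HMAC-SHA1",
            "evidence": {"occurrences": [{"location": "placeholder/KeyGenerator.java", "line": 268}]},
            "cryptoProperties": {
                "assetType": "algorithm",
                "algorithmProperties": {
                    "primitive": "kdf",
                    "parameterSetIdentifier": "128",
                    "cryptoFunctions": ["keygen"],  # the questionable value
                },
            },
        },
        {
            "type": "cryptographic-asset",
            "bom-ref": "placeholder-ref-2",
            "name": "SHA-256",
            "cryptoProperties": {
                "assetType": "algorithm",
                "algorithmProperties": {
                    "primitive": "hash",
                    "cryptoFunctions": ["digest"],  # consistent with a hash
                },
            },
        },
    ],
})

# Assumed expectation (this example's own table): at least one of these
# functions should be declared for an algorithm asset of the given primitive.
EXPECTED_FUNCTIONS = {
    "kdf": {"keyderive"},
    "hash": {"digest"},
    "mac": {"tag"},
    "signature": {"sign", "verify"},
}


def find_inconsistent_assets(cbom_json: str) -> list[dict]:
    """Return one finding per algorithm asset whose cryptoFunctions do not
    include any of the functions expected for its primitive."""
    bom = json.loads(cbom_json)
    findings = []
    for comp in bom.get("components", []):
        if comp.get("type") != "cryptographic-asset":
            continue
        props = comp.get("cryptoProperties", {})
        if props.get("assetType") != "algorithm":
            continue
        algo = props.get("algorithmProperties", {})
        primitive = algo.get("primitive")
        declared = set(algo.get("cryptoFunctions", []))
        expected = EXPECTED_FUNCTIONS.get(primitive)
        if expected is None:
            continue  # no expectation recorded for this primitive
        if not declared & expected:
            occurrences = comp.get("evidence", {}).get("occurrences", [])
            findings.append({
                "name": comp.get("name"),
                "bom-ref": comp.get("bom-ref"),
                "primitive": primitive,
                "declared": sorted(declared),
                "expected": sorted(expected),
                "locations": [o.get("location") for o in occurrences],
            })
    return findings


if __name__ == "__main__":
    for f in find_inconsistent_assets(SAMPLE_CBOM):
        print(f"{f['name']} ({f['primitive']}): declared {f['declared']}, "
              f"expected one of {f['expected']} at {f['locations']}")
```

Run against the sample, the check flags only the PBKDF2 asset; the SHA-256 asset passes because `digest` matches the `hash` primitive. The same function can be pointed at a full plugin-generated CBOM to triage primitive/function mismatches before the inventory is used for crypto-agility planning.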
Hi @K1li4nL - Thanks a lot for your interest in sonar-cryptography. We will look into the issues you created.