Reputation: 797
SonarQube: Make sure that encrypting data is safe here. AES/GCM/NoPadding, RSA/ECB/PKCS1Padding
I'm using:
1. RSA/ECB/PKCS1Padding
2. AES/GCM/NoPadding
To encrypt my data in my Android (Java) application. At the documentation of SonarQube it states that:
The Advanced Encryption Standard (AES) encryption algorithm can be used with various modes. Galois/Counter Mode (GCM) with no padding should be preferred to the following combinations which are not secured:
- Electronic Codebook (ECB) mode: Under a given key, any given plaintext block always gets encrypted to the same ciphertext block. Thus, it does not hide data patterns well. In some senses, it doesn't provide serious message confidentiality, and it is not recommended for use in cryptographic protocols at all.
- Cipher Block Chaining (CBC) with PKCS#5 padding (or PKCS#7) is susceptible to padding oracle attacks.
So, as it is recommended, I use AES/GCM/NoPadding as :
Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
But, it still gives me the warning Make sure that encrypting data is safe here.
The same for:
Cipher c = Cipher.getInstance("RSA/ECB/PKCS1Padding");
Why does SonarQube throws that warning? Aren't these uses safe any more?
Upvotes: 7
Views: 25944
Answers (2)
Reputation: 9303
AES in GCM mode is secured as a block cipher algorithm. But that doesn't guarantee that the code that encrypts data using AES (in GCM mode) is secured. Several things can go wrong leaving the code vulnerable to attacks. It is developers' responsibility to code it in the right way to get the desired level of security. Some examples where things can go wrong are:
- The IV repeats for a given key
- The key or the raw data are stored in
Stringdata type which keeps lingering in the heap - The secret key is stored in clear text in a property file that goes in the code repository
and so on.
Now, SonarQube cannot identify all these vulnerabilities and hence they've come up with a new concept called Hotspot which is described here as:
Unlike Vulnerabilities, Security Hotspots aren't necessarily issues that are open to attack. Instead, Security Hotspots highlight security-sensitive pieces of code that need to be manually reviewed. Upon review, you'll either find a Vulnerability that needs to be fixed or that there is no threat.
Hotspots have a separate life cycle which is explained in the link given above.
P.S. This answer explains how to encrypt a string in Java with AES in GCM mode in a secured way: https://stackoverflow.com/a/53015144/1235935
Upvotes: 10
Reputation: 113
Seems like it's a general warning about encrypting any data. There shouldn't be an issue with "AES/GCM/NoPadding", as shown in their test code.
Upvotes: 1
Related Questions
- SonarQube over https
- How to configure SonarCloud
- Solution for following sonar Issue?
- RSA/ECB/PKCS1 Padding & AES/CBC/PKCS5Padding Encryption / Decryption
- Sonar Error - Make this member "protected"
- SonarQube: No analysis has been performed since creation. The only available section is the configuration
- Sonar violation properly sanitized before use in this OS command
- How to secure SonarQube 5.4?
- Error - while encrypting the jdbc password in sonarqube 4.3.3
- How to secure SonarQube 5.2?