Generated code causes analysis findings #305
Comments
|
assigned @enriozuni |
|
I have tried the code generation in my machine and reproduced the error as shown in the image below:
However, the generated code is not insecure because the salt in our example does not need to be randomized as the whole operation in this method is about verifying the password hash, after the initial password hash is created and securely stored somewhere. After a short discussion with @AndreSonntag, a fix for the insecure findings would be to use the Predicate Ensurer fix as shown in the image below:
@kruegers a last question remains of whether to include the presented above fix in the code template itself or just leave like it is. |
|
Hey @enriozuni, |
|
I included the fix in the code template. I as well added a missing part in the CrySLBasedCodeGenerator about adding additional resources (e.g. JARs) during the generation process. However, I just noticed a possible bug when the PredicateEnsurer.jar is used. After the predicate ensurer is used for the first time, the error messages from the analysis are gone. But, when the analysis is started for a second time, the same error messages occur. I believe this should not be the case when the predicate fix is used. @kruegers @AnakinSklavenwalker what should I do with my implementation? Shall I open a PR? |
In the (current) version 1.0.0.201905151726 the generated code (Encode Password for Secure Storage) produces an Insecure Class Composition Problem "Second parameter was not properly generated as randomized" on the Line:
PBEKeySpec spec = new PBEKeySpec(pwd, salt, 65536, 224);In my opinion a generated code of the same plugin should not have any findings.
The text was updated successfully, but these errors were encountered: