add gcm mode as part of detection for gcm parameter spec, make all iValue objects also iActionvalues (#235)

n1ckl0sk0rtge · web-flow · commit dd0ee0ea421c · 2025-02-25T14:49:51.000+01:00
Signed-off-by: Nicklas Körtge &lt;nicklas.koertge1@ibm.com&gt;
diff --git a/engine/src/main/java/com/ibm/engine/model/AbstractValue.java b/engine/src/main/java/com/ibm/engine/model/AbstractValue.java
@@ -19,7 +19,7 @@
  */
 package com.ibm.engine.model;
 
-public abstract class AbstractValue<T> implements IValue<T> {
+public abstract class AbstractValue<T> implements IAction<T> {
     public abstract boolean equals(Object other);
 
     public abstract int hashCode();
diff --git a/java/src/main/java/com/ibm/plugin/rules/detection/jca/algorithmspec/JcaGCMParameterSpec.java b/java/src/main/java/com/ibm/plugin/rules/detection/jca/algorithmspec/JcaGCMParameterSpec.java
@@ -19,13 +19,15 @@
  */
 package com.ibm.plugin.rules.detection.jca.algorithmspec;
 
+import com.ibm.engine.model.Mode;
 import com.ibm.engine.model.Size;
 import com.ibm.engine.model.context.AlgorithmParameterContext;
 import com.ibm.engine.model.factory.InitializationVectorSizeFactory;
 import com.ibm.engine.model.factory.TagSizeFactory;
 import com.ibm.engine.rule.IDetectionRule;
 import com.ibm.engine.rule.builder.DetectionRuleBuilder;
 import java.util.List;
+import java.util.Optional;
 import javax.annotation.Nonnull;
 import org.sonar.plugins.java.api.tree.Tree;
 
@@ -36,6 +38,7 @@ public final class JcaGCMParameterSpec {
                     .createDetectionRule()
                     .forObjectTypes("javax.crypto.spec.GCMParameterSpec")
                     .forConstructor()
+                    .shouldBeDetectedAs(tree -> Optional.of(new Mode<>("GCM", tree)))
                     .withMethodParameter("int")
                     .shouldBeDetectedAs(new TagSizeFactory<>(Size.UnitType.BIT))
                     .withMethodParameter("byte[]")
@@ -49,6 +52,7 @@ public final class JcaGCMParameterSpec {
                     .createDetectionRule()
                     .forObjectTypes("javax.crypto.spec.GCMParameterSpec")
                     .forConstructor()
+                    .shouldBeDetectedAs(tree -> Optional.of(new Mode<>("GCM", tree)))
                     .withMethodParameter("int")
                     .shouldBeDetectedAs(new TagSizeFactory<>(Size.UnitType.BIT))
                     .withMethodParameter("byte[]")
diff --git a/java/src/main/java/com/ibm/plugin/translation/translator/contexts/JavaAlgorithmParameterContextTranslator.java b/java/src/main/java/com/ibm/plugin/translation/translator/contexts/JavaAlgorithmParameterContextTranslator.java
@@ -24,9 +24,11 @@
 import com.ibm.engine.model.InitializationVectorSize;
 import com.ibm.engine.model.KeySize;
 import com.ibm.engine.model.MacSize;
+import com.ibm.engine.model.Mode;
 import com.ibm.engine.model.TagSize;
 import com.ibm.engine.model.context.IDetectionContext;
 import com.ibm.mapper.mapper.jca.JcaAlgorithmMapper;
+import com.ibm.mapper.mapper.jca.JcaModeMapper;
 import com.ibm.mapper.model.INode;
 import com.ibm.mapper.model.InitializationVectorLength;
 import com.ibm.mapper.model.KeyLength;
@@ -76,6 +78,9 @@ protected Optional<INode> translateBC(
                     new InitializationVectorLength(
                             initializationVectorSize.getValue(), detectionLocation);
             return Optional.of(initializationVectorLength);
+        } else if (value instanceof Mode<Tree> mode) {
+            final JcaModeMapper modeMapper = new JcaModeMapper();
+            return modeMapper.parse(mode.asString(), detectionLocation).map(a -> a);
         }
         return Optional.empty();
     }
diff --git a/java/src/test/files/rules/detection/jca/algorithmspec/JcaGCMParameterSpecTestFile.java b/java/src/test/files/rules/detection/jca/algorithmspec/JcaGCMParameterSpecTestFile.java
@@ -29,7 +29,7 @@ public void test() {
         String nonce = "nonce";
 
         GCMParameterSpec gcmSpec = new GCMParameterSpec(128, Base64.getDecoder().decode(nonce));
-        Cipher cipher = Cipher.getInstance("AES"); // Noncompliant {{(BlockCipher) AES128}}
+        Cipher cipher = Cipher.getInstance("AES"); // Noncompliant {{(AuthenticatedEncryption) AES128-GCM}}
         cipher.init(Cipher.DECRYPT_MODE, secret, gcmSpec);
     }
 }
diff --git a/java/src/test/java/com/ibm/plugin/rules/detection/jca/algorithmspec/JcaGCMParameterSpecTest.java b/java/src/test/java/com/ibm/plugin/rules/detection/jca/algorithmspec/JcaGCMParameterSpecTest.java
@@ -33,13 +33,15 @@
 import com.ibm.engine.model.context.AlgorithmParameterContext;
 import com.ibm.engine.model.context.CipherContext;
 import com.ibm.engine.model.context.SecretKeyContext;
+import com.ibm.mapper.model.AuthenticatedEncryption;
 import com.ibm.mapper.model.BlockCipher;
 import com.ibm.mapper.model.BlockSize;
 import com.ibm.mapper.model.DigestSize;
 import com.ibm.mapper.model.INode;
 import com.ibm.mapper.model.KeyLength;
 import com.ibm.mapper.model.Mac;
 import com.ibm.mapper.model.MessageDigest;
+import com.ibm.mapper.model.Mode;
 import com.ibm.mapper.model.Oid;
 import com.ibm.mapper.model.PasswordBasedKeyDerivationFunction;
 import com.ibm.mapper.model.PasswordLength;
@@ -290,91 +292,102 @@ public void asserts(
             assertThat(value0_1_1.asString()).isEqualTo("AES");
 
             DetectionStore<JavaCheck, Tree, Symbol, JavaFileScannerContext> store_1_2 =
-                    getStoreOfValueType(TagSize.class, store_1.getChildren());
-            assertThat(store_1_2.getDetectionValues()).hasSize(1);
+                    getStoreOfValueType(com.ibm.engine.model.Mode.class, store_1.getChildren());
+            assertThat(store_1_2.getDetectionValues()).hasSize(2);
             assertThat(store_1_2.getDetectionValueContext())
                     .isInstanceOf(AlgorithmParameterContext.class);
             IValue<Tree> value0_1_2 = store_1_2.getDetectionValues().get(0);
-            assertThat(value0_1_2).isInstanceOf(TagSize.class);
-            assertThat(value0_1_2.asString()).isEqualTo("128");
+            assertThat(value0_1_2).isInstanceOf(com.ibm.engine.model.Mode.class);
+            assertThat(value0_1_2.asString()).isEqualTo("GCM");
+
+            IValue<Tree> value1_1_2 = store_1_2.getDetectionValues().get(1);
+            assertThat(value1_1_2).isInstanceOf(TagSize.class);
+            assertThat(value1_1_2.asString()).isEqualTo("128");
 
             /*
              * Translation
              */
 
             assertThat(nodes).hasSize(1);
 
-            // BlockCipher
-            INode blockCipherNode1 = nodes.get(0);
-            assertThat(blockCipherNode1.getKind()).isEqualTo(BlockCipher.class);
-            assertThat(blockCipherNode1.getChildren()).hasSize(6);
-            assertThat(blockCipherNode1.asString()).isEqualTo("AES128");
+            // AuthenticatedEncryption
+            INode authenticatedEncryptionNode = nodes.get(0);
+            assertThat(authenticatedEncryptionNode.getKind())
+                    .isEqualTo(AuthenticatedEncryption.class);
+            assertThat(authenticatedEncryptionNode.getChildren()).hasSize(7);
+            assertThat(authenticatedEncryptionNode.asString()).isEqualTo("AES128-GCM");
+
+            // KeyLength under AuthenticatedEncryption
+            INode keyLengthNode = authenticatedEncryptionNode.getChildren().get(KeyLength.class);
+            assertThat(keyLengthNode).isNotNull();
+            assertThat(keyLengthNode.getChildren()).isEmpty();
+            assertThat(keyLengthNode.asString()).isEqualTo("128");
 
-            // TagLength under BlockCipher
-            INode tagLengthNode = blockCipherNode1.getChildren().get(TagLength.class);
+            // TagLength under AuthenticatedEncryption
+            INode tagLengthNode = authenticatedEncryptionNode.getChildren().get(TagLength.class);
             assertThat(tagLengthNode).isNotNull();
             assertThat(tagLengthNode.getChildren()).isEmpty();
             assertThat(tagLengthNode.asString()).isEqualTo("128");
 
-            // Oid under BlockCipher
-            INode oidNode2 = blockCipherNode1.getChildren().get(Oid.class);
-            assertThat(oidNode2).isNotNull();
-            assertThat(oidNode2.getChildren()).isEmpty();
-            assertThat(oidNode2.asString()).isEqualTo("2.16.840.1.101.3.4.1");
+            // Oid under AuthenticatedEncryption
+            INode oidNode = authenticatedEncryptionNode.getChildren().get(Oid.class);
+            assertThat(oidNode).isNotNull();
+            assertThat(oidNode.getChildren()).isEmpty();
+            assertThat(oidNode.asString()).isEqualTo("2.16.840.1.101.3.4.1");
 
-            // Decrypt under BlockCipher
-            INode decryptNode = blockCipherNode1.getChildren().get(Decrypt.class);
+            // Decrypt under AuthenticatedEncryption
+            INode decryptNode = authenticatedEncryptionNode.getChildren().get(Decrypt.class);
             assertThat(decryptNode).isNotNull();
             assertThat(decryptNode.getChildren()).isEmpty();
             assertThat(decryptNode.asString()).isEqualTo("DECRYPT");
 
-            // SecretKey under BlockCipher
-            INode secretKeyNode2 = blockCipherNode1.getChildren().get(SecretKey.class);
-            assertThat(secretKeyNode2).isNotNull();
-            assertThat(secretKeyNode2.getChildren()).hasSize(1);
-            assertThat(secretKeyNode2.asString()).isEqualTo("AES");
-
-            // BlockCipher under SecretKey under BlockCipher
-            INode blockCipherNode2 = secretKeyNode2.getChildren().get(BlockCipher.class);
-            assertThat(blockCipherNode2).isNotNull();
-            assertThat(blockCipherNode2.getChildren()).hasSize(4);
-            assertThat(blockCipherNode2.asString()).isEqualTo("AES128");
-
-            // Oid under BlockCipher under SecretKey under BlockCipher
-            INode oidNode3 = blockCipherNode2.getChildren().get(Oid.class);
-            assertThat(oidNode3).isNotNull();
-            assertThat(oidNode3.getChildren()).isEmpty();
-            assertThat(oidNode3.asString()).isEqualTo("2.16.840.1.101.3.4.1");
-
-            // KeyGeneration under BlockCipher under SecretKey under BlockCipher
-            INode keyGenerationNode2 = blockCipherNode2.getChildren().get(KeyGeneration.class);
-            assertThat(keyGenerationNode2).isNotNull();
-            assertThat(keyGenerationNode2.getChildren()).isEmpty();
-            assertThat(keyGenerationNode2.asString()).isEqualTo("KEYGENERATION");
-
-            // KeyLength under BlockCipher under SecretKey under BlockCipher
-            INode keyLengthNode2 = blockCipherNode2.getChildren().get(KeyLength.class);
-            assertThat(keyLengthNode2).isNotNull();
-            assertThat(keyLengthNode2.getChildren()).isEmpty();
-            assertThat(keyLengthNode2.asString()).isEqualTo("128");
-
-            // BlockSize under BlockCipher under SecretKey under BlockCipher
-            INode blockSizeNode2 = blockCipherNode2.getChildren().get(BlockSize.class);
-            assertThat(blockSizeNode2).isNotNull();
-            assertThat(blockSizeNode2.getChildren()).isEmpty();
-            assertThat(blockSizeNode2.asString()).isEqualTo("128");
-
-            // KeyLength under BlockCipher
-            INode keyLengthNode3 = blockCipherNode1.getChildren().get(KeyLength.class);
-            assertThat(keyLengthNode3).isNotNull();
-            assertThat(keyLengthNode3.getChildren()).isEmpty();
-            assertThat(keyLengthNode3.asString()).isEqualTo("128");
-
-            // BlockSize under BlockCipher
-            INode blockSizeNode3 = blockCipherNode1.getChildren().get(BlockSize.class);
-            assertThat(blockSizeNode3).isNotNull();
-            assertThat(blockSizeNode3.getChildren()).isEmpty();
-            assertThat(blockSizeNode3.asString()).isEqualTo("128");
+            // Mode under AuthenticatedEncryption
+            INode modeNode = authenticatedEncryptionNode.getChildren().get(Mode.class);
+            assertThat(modeNode).isNotNull();
+            assertThat(modeNode.getChildren()).isEmpty();
+            assertThat(modeNode.asString()).isEqualTo("GCM");
+
+            // SecretKey under AuthenticatedEncryption
+            INode secretKeyNode = authenticatedEncryptionNode.getChildren().get(SecretKey.class);
+            assertThat(secretKeyNode).isNotNull();
+            assertThat(secretKeyNode.getChildren()).hasSize(1);
+            assertThat(secretKeyNode.asString()).isEqualTo("AES");
+
+            // BlockCipher under SecretKey under AuthenticatedEncryption
+            INode blockCipherNode = secretKeyNode.getChildren().get(BlockCipher.class);
+            assertThat(blockCipherNode).isNotNull();
+            assertThat(blockCipherNode.getChildren()).hasSize(4);
+            assertThat(blockCipherNode.asString()).isEqualTo("AES128");
+
+            // KeyLength under BlockCipher under SecretKey under AuthenticatedEncryption
+            INode keyLengthNode1 = blockCipherNode.getChildren().get(KeyLength.class);
+            assertThat(keyLengthNode1).isNotNull();
+            assertThat(keyLengthNode1.getChildren()).isEmpty();
+            assertThat(keyLengthNode1.asString()).isEqualTo("128");
+
+            // Oid under BlockCipher under SecretKey under AuthenticatedEncryption
+            INode oidNode1 = blockCipherNode.getChildren().get(Oid.class);
+            assertThat(oidNode1).isNotNull();
+            assertThat(oidNode1.getChildren()).isEmpty();
+            assertThat(oidNode1.asString()).isEqualTo("2.16.840.1.101.3.4.1");
+
+            // KeyGeneration under BlockCipher under SecretKey under AuthenticatedEncryption
+            INode keyGenerationNode = blockCipherNode.getChildren().get(KeyGeneration.class);
+            assertThat(keyGenerationNode).isNotNull();
+            assertThat(keyGenerationNode.getChildren()).isEmpty();
+            assertThat(keyGenerationNode.asString()).isEqualTo("KEYGENERATION");
+
+            // BlockSize under BlockCipher under SecretKey under AuthenticatedEncryption
+            INode blockSizeNode = blockCipherNode.getChildren().get(BlockSize.class);
+            assertThat(blockSizeNode).isNotNull();
+            assertThat(blockSizeNode.getChildren()).isEmpty();
+            assertThat(blockSizeNode.asString()).isEqualTo("128");
+
+            // BlockSize under AuthenticatedEncryption
+            INode blockSizeNode1 = authenticatedEncryptionNode.getChildren().get(BlockSize.class);
+            assertThat(blockSizeNode1).isNotNull();
+            assertThat(blockSizeNode1.getChildren()).isEmpty();
+            assertThat(blockSizeNode1.asString()).isEqualTo("128");
         }
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -29,7 +29,7 @@ public void test() {`
`29`	`29`	`String nonce = "nonce";`
`30`	`30`
`31`	`31`	`GCMParameterSpec gcmSpec = new GCMParameterSpec(128, Base64.getDecoder().decode(nonce));`
`32`		`- Cipher cipher = Cipher.getInstance("AES"); // Noncompliant {{(BlockCipher) AES128}}`
	`32`	`+ Cipher cipher = Cipher.getInstance("AES"); // Noncompliant {{(AuthenticatedEncryption) AES128-GCM}}`
`33`	`33`	`cipher.init(Cipher.DECRYPT_MODE, secret, gcmSpec);`
`34`	`34`	`}`
`35`	`35`	`}`