diff --git a/data/abixen-platform/misuses/1/misuse.yml b/data/abixen-platform/misuses/1/misuse.yml
new file mode 100644
index 000000000..1e54f93d3
--- /dev/null
+++ b/data/abixen-platform/misuses/1/misuse.yml
@@ -0,0 +1,16 @@
+api:
+- javax.crypto.spec.IvParameterSpec
+violations:
+- insecure/condition/randomization
+description: >
+ First parameter while initializing the IvParameterSpec object was not properly randomized.
+location:
+ file: com/abixen/platform/service/businessintelligence/multivisualisation/domain/model/util/AES128Encoder.java
+ method: "decryptPassword(String)"
+ line: 66
+internal: false
+pattern:
+crash: false
+source:
+ name: MSR 2019 Data Showcase A Dataset of Parametric Cryptographic Misuses by Wickert, Reif, Eichberg, Dodhy, and Mezini
+ url: https://github.com/akwick/MUBench/tree/thesis-2018-anam-dodhy
diff --git a/data/abixen-platform/misuses/2/misuse.yml b/data/abixen-platform/misuses/2/misuse.yml
new file mode 100644
index 000000000..4a0d566b1
--- /dev/null
+++ b/data/abixen-platform/misuses/2/misuse.yml
@@ -0,0 +1,16 @@
+api:
+- javax.crypto.Cipher
+violations:
+- insecure/condition/key
+description: >
+ Second parameter while initializing the Cipher object was not properly generatedKey.
+location:
+ file: com/abixen/platform/service/businessintelligence/multivisualisation/domain/model/util/AES128Encoder.java
+ method: "decryptPassword(String)"
+ line: 66
+internal: false
+pattern:
+crash: false
+source:
+ name: MSR 2019 Data Showcase A Dataset of Parametric Cryptographic Misuses by Wickert, Reif, Eichberg, Dodhy, and Mezini
+ url: https://github.com/akwick/MUBench/tree/thesis-2018-anam-dodhy
diff --git a/data/abixen-platform/misuses/3/misuse.yml b/data/abixen-platform/misuses/3/misuse.yml
new file mode 100644
index 000000000..59f83d312
--- /dev/null
+++ b/data/abixen-platform/misuses/3/misuse.yml
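Review bot: In `data/abixen-platform/misuses/1/misuse.yml` the "not properly randomized" finding is placed on `decryptPassword(String)` line 66, where the IV cannot be random, because decryption has to reuse the IV that encryption chose. The defect that can actually be fixed is on the encrypt side (recorded as misuses 6 and 8), so the description here should say so, for example `IvParameterSpec is built from a non-random value; the IV must be generated at the encryption site (see misuse 6) and carried with the ciphertext.` Misuses 1 and 4 (line 66) and 6 and 8 (line 55) also appear to describe the same IV at the same call site, which would count one defect twice when detector results are scored; this is inferred from the matching locations, since AES128Encoder.java is not part of this page.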
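Review bot: The description in `data/abixen-platform/misuses/2/misuse.yml` ends in what looks like a rule predicate name pasted into the sentence ("was not properly generatedKey"), and misuses 4, 7 and 8 have the same problem ("preparedIV", "generatedKey"). A reader cannot tell from it what is wrong with the key or the IV. State the condition in words, for example `Second parameter of Cipher.init is a key that was not produced by a key generator or key-derivation function.` and `Third parameter of Cipher.init is an IV that was not freshly generated from a secure random source.`, after confirming that this is what the two predicates mean.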
@@ -0,0 +1,16 @@
+api:
+- javax.crypto.Cipher
+violations:
+- insecure/condition/transformation
+description: >
+ First parameter in Cipher.getInstance(String) is with value "AES/CBC/PKCS5PADDING" which should be any of AES/CBC/{Empty String, PKCS7Padding, PKCS5Padding, ISO10126Padding}.
+location:
+ file: com/abixen/platform/service/businessintelligence/multivisualisation/domain/model/util/AES128Encoder.java
+ method: "decryptPassword(String)"
+ line: 65
+internal: false
+pattern:
+crash: false
+source:
+ name: MSR 2019 Data Showcase A Dataset of Parametric Cryptographic Misuses by Wickert, Reif, Eichberg, Dodhy, and Mezini
+ url: https://github.com/akwick/MUBench/tree/thesis-2018-anam-dodhy
diff --git a/data/abixen-platform/misuses/4/misuse.yml b/data/abixen-platform/misuses/4/misuse.yml
new file mode 100644
index 000000000..8829e3184
--- /dev/null
+++ b/data/abixen-platform/misuses/4/misuse.yml
@@ -0,0 +1,16 @@
+api:
+- javax.crypto.Cipher
+violations:
+- insecure/condition/IV
+description: >
+ Third parameter while initializing the Cipher object was not properly preparedIV.
+location:
+ file: com/abixen/platform/service/businessintelligence/multivisualisation/domain/model/util/AES128Encoder.java
+ method: "decryptPassword(String)"
+ line: 66
+internal: false
+pattern:
+crash: false
+source:
+ name: MSR 2019 Data Showcase A Dataset of Parametric Cryptographic Misuses by Wickert, Reif, Eichberg, Dodhy, and Mezini
+ url: https://github.com/akwick/MUBench/tree/thesis-2018-anam-dodhy
diff --git a/data/abixen-platform/misuses/5/misuse.yml b/data/abixen-platform/misuses/5/misuse.yml
new file mode 100644
index 000000000..51c672cb4
--- /dev/null
+++ b/data/abixen-platform/misuses/5/misuse.yml
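Review bot: The flagged value in `data/abixen-platform/misuses/3/misuse.yml`, "AES/CBC/PKCS5PADDING", differs from the allowed `PKCS5Padding` only in letter case, and misuse 5 repeats the same entry for `encryptPassword(String)`. JCA treats algorithm and transformation names case-insensitively, so on the visible evidence both entries look like artefacts of a case-sensitive comparison rather than insecure transformations. Either drop them from the ground truth, or have the description state why CBC with PKCS5 padding is considered insecure at these two call sites, so that a detector is not rewarded for reporting a spelling difference.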
@@ -0,0 +1,16 @@
+api:
+- javax.crypto.Cipher
+violations:
+- insecure/condition/transformation
+description: >
+ First parameter in Cipher.getInstance(String) is with value "AES/CBC/PKCS5PADDING" which should be any of AES/CBC/{Empty String, PKCS7Padding, PKCS5Padding, ISO10126Padding}.
+location:
+ file: com/abixen/platform/service/businessintelligence/multivisualisation/domain/model/util/AES128Encoder.java
+ method: "encryptPassword(String)"
+ line: 54
+internal: false
+pattern:
+crash: false
+source:
+ name: MSR 2019 Data Showcase A Dataset of Parametric Cryptographic Misuses by Wickert, Reif, Eichberg, Dodhy, and Mezini
+ url: https://github.com/akwick/MUBench/tree/thesis-2018-anam-dodhy
diff --git a/data/abixen-platform/misuses/6/misuse.yml b/data/abixen-platform/misuses/6/misuse.yml
new file mode 100644
index 000000000..4c9c765fd
--- /dev/null
+++ b/data/abixen-platform/misuses/6/misuse.yml
@@ -0,0 +1,16 @@
+api:
+- javax.crypto.spec.IvParameterSpec
+violations:
+- insecure/condition/randomization
+description: >
+ First parameter while initializing the IvParameterSpec object was not properly randomized.
+location:
+ file: com/abixen/platform/service/businessintelligence/multivisualisation/domain/model/util/AES128Encoder.java
+ method: "encryptPassword(String)"
+ line: 55
+internal: false
+pattern:
+crash: false
+source:
+ name: MSR 2019 Data Showcase A Dataset of Parametric Cryptographic Misuses by Wickert, Reif, Eichberg, Dodhy, and Mezini
+ url: https://github.com/akwick/MUBench/tree/thesis-2018-anam-dodhy
diff --git a/data/abixen-platform/misuses/7/misuse.yml b/data/abixen-platform/misuses/7/misuse.yml
new file mode 100644
index 000000000..1436e3253
--- /dev/null
+++ b/data/abixen-platform/misuses/7/misuse.yml
@@ -0,0 +1,16 @@
+api:
+- javax.crypto.Cipher
+violations:
+- insecure/condition/key
+description: >
+ Second parameter while initializing the Cipher object was not properly generatedKey.
+location:
+ file: com/abixen/platform/service/businessintelligence/multivisualisation/domain/model/util/AES128Encoder.java
+ method: "encryptPassword(String)"
+ line: 55
+internal: false
+pattern:
+crash: false
+source:
+ name: MSR 2019 Data Showcase A Dataset of Parametric Cryptographic Misuses by Wickert, Reif, Eichberg, Dodhy, and Mezini
+ url: https://github.com/akwick/MUBench/tree/thesis-2018-anam-dodhy
diff --git a/data/abixen-platform/misuses/8/misuse.yml b/data/abixen-platform/misuses/8/misuse.yml
new file mode 100644
index 000000000..07f619637
--- /dev/null
+++ b/data/abixen-platform/misuses/8/misuse.yml
@@ -0,0 +1,16 @@
+api:
+- javax.crypto.Cipher
+violations:
+- insecure/condition/IV
+description: >
+ Third parameter while initializing the Cipher object was not properly preparedIV.
+location:
+ file: com/abixen/platform/service/businessintelligence/multivisualisation/domain/model/util/AES128Encoder.java
+ method: "encryptPassword(String)"
+ line: 55
+internal: false
+pattern:
+crash: false
+source:
+ name: MSR 2019 Data Showcase A Dataset of Parametric Cryptographic Misuses by Wickert, Reif, Eichberg, Dodhy, and Mezini
+ url: https://github.com/akwick/MUBench/tree/thesis-2018-anam-dodhy
diff --git a/data/abixen-platform/misuses/9/misuse.yml b/data/abixen-platform/misuses/9/misuse.yml
new file mode 100644
index 000000000..08ca7cc75
--- /dev/null
+++ b/data/abixen-platform/misuses/9/misuse.yml
@@ -0,0 +1,16 @@
+api:
+- javax.crypto.spec.SecretKeySpec
+violations:
+- insecure/condition/randomization
+description: >
+ First parameter while initializing the SecretKeySpec object was not properly randomized.
+location:
+ file: com/abixen/platform/service/businessintelligence/multivisualisation/domain/model/util/AES128Encoder.java
+ method: "generateKey(String)"
+ line: 39
+internal: false
+pattern:
+crash: false
+source:
+ name: MSR 2019 Data Showcase A Dataset of Parametric Cryptographic Misuses by Wickert, Reif, Eichberg, Dodhy, and Mezini
+ url: https://github.com/akwick/MUBench/tree/thesis-2018-anam-dodhy
diff --git a/data/abixen-platform/project.yml b/data/abixen-platform/project.yml
new file mode 100644
index 000000000..ada9312c9
--- /dev/null
+++ b/data/abixen-platform/project.yml
@@ -0,0 +1,5 @@
+name: abixen-platform
+repository:
+ type: git
+ url: https://github.com/abixen/abixen-platform
+url: https://github.com/abixen/abixen-platform
\ No newline at end of file
diff --git a/data/abixen-platform/versions/99fe499/version.yml b/data/abixen-platform/versions/99fe499/version.yml
new file mode 100644
index 000000000..50037bcba
--- /dev/null
+++ b/data/abixen-platform/versions/99fe499/version.yml
@@ -0,0 +1,16 @@
+build:
+ classes: abixen-platform-business-intelligence-service/$mvn.default.classes
+ commands:
+ - mvn -pl :abixen-platform-web-content-service -am clean install
+ src: abixen-platform-business-intelligence-service/src/
+misuses:
+- '1'
+- '2'
+- '3'
+- '4'
+- '5'
+- '6'
+- '7'
+- '8'
+- '9'
+revision: 99fe4994a70be92078545add013bb3bcdc089360
diff --git a/data/aliyun-oss-java-sdk/misuses/1/misuse.yml b/data/aliyun-oss-java-sdk/misuses/1/misuse.yml
new file mode 100644
index 000000000..7f35473c1
--- /dev/null
+++ b/data/aliyun-oss-java-sdk/misuses/1/misuse.yml
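Review bot: In `data/abixen-platform/versions/99fe499/version.yml` the build command targets a different module from the one being analysed: `mvn -pl :abixen-platform-web-content-service -am clean install` builds the web-content service and whatever it depends on, while `classes` and `src` point at `abixen-platform-business-intelligence-service`. Unless the web-content module depends on the business-intelligence one, the class directory stays empty and none of the nine misuses can be checked. The command probably should be `- mvn -pl :abixen-platform-business-intelligence-service -am clean compile`; the artifact id is inferred from the directory name and needs confirming against the project's pom.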
@@ -0,0 +1,16 @@
+api:
+- java.security.MessageDigest
+violations:
+- insecure/condition/transformation
+description: >
+ First parameter in MessageDigest.getInstance(String) is with value "MD5" which should be any of {SHA-256, SHA-384, SHA-512}.
+location:
+ file: com/aliyun/oss/common/utils/BinaryUtil.java
+ method: "calculateMd5(byte[])"
+ line: 43
+internal: false
+pattern:
+crash: false
+source:
+ name: MSR 2019 Data Showcase A Dataset of Parametric Cryptographic Misuses by Wickert, Reif, Eichberg, Dodhy, and Mezini
+ url: https://github.com/akwick/MUBench/tree/thesis-2018-anam-dodhy
diff --git a/data/aliyun-oss-java-sdk/misuses/2/misuse.yml b/data/aliyun-oss-java-sdk/misuses/2/misuse.yml
new file mode 100644
index 000000000..a8ff90539
--- /dev/null
+++ b/data/aliyun-oss-java-sdk/misuses/2/misuse.yml
@@ -0,0 +1,16 @@
+api:
+- javax.crypto.spec.SecretKeySpec
+violations:
+- insecure/condition/randomization
+description: >
+ First parameter while initializing SecretKeySpec object was not properly randomized.
+location:
+ file: com/aliyun/oss/common/utils/BinaryUtil.java
+ method: "sign(byte[], byte[])"
+ line: 87
+internal: false
+pattern:
+crash: false
+source:
+ name: MSR 2019 Data Showcase A Dataset of Parametric Cryptographic Misuses by Wickert, Reif, Eichberg, Dodhy, and Mezini
+ url: https://github.com/akwick/MUBench/tree/thesis-2018-anam-dodhy
diff --git a/data/aliyun-oss-java-sdk/project.yml b/data/aliyun-oss-java-sdk/project.yml
new file mode 100644
index 000000000..936d8d26e
--- /dev/null
+++ b/data/aliyun-oss-java-sdk/project.yml
@@ -0,0 +1,5 @@
+name: aliyun-oss-java-sdk
+repository:
+ type: git
+ url: https://github.com/aliyun/aliyun-oss-java-sdk
+url: https://github.com/aliyun/aliyun-oss-java-sdk
\ No newline at end of file
diff --git a/data/aliyun-oss-java-sdk/versions/196cf71/version.yml b/data/aliyun-oss-java-sdk/versions/196cf71/version.yml
new file mode 100644
index 000000000..92cb4f21b
--- /dev/null
+++ b/data/aliyun-oss-java-sdk/versions/196cf71/version.yml
@@ -0,0 +1,9 @@
+build:
+ classes: $mvn.default.classes
+ commands:
+ - mvn clean compile
+ src: /src/main/java/
+misuses:
+- '1'
+- '2'
+revision: 196cf711417df73a72e0dc2f84a8f3a03c8371c2
diff --git a/data/and-res-guard/misuses/1/misuse.yml b/data/and-res-guard/misuses/1/misuse.yml
new file mode 100644
index 000000000..bc09610a5
--- /dev/null
+++ b/data/and-res-guard/misuses/1/misuse.yml
@@ -0,0 +1,16 @@
+api:
+- java.security.MessageDigest
+violations:
+- insecure/condition/transformation
+description: >
+ First parameter (with value "SHA-1") should be any of {SHA-256, SHA-384, SHA-512}
+location:
+ file: main/java/apksigner/ApkSignerTool.java
+ method: "verify(String[])"
+ line: 419
+internal: false
+pattern:
+crash: false
+source:
+ name: MSR 2019 Data Showcase A Dataset of Parametric Cryptographic Misuses by Wickert, Reif, Eichberg, Dodhy, and Mezini
+ url: https://github.com/akwick/MUBench/tree/thesis-2018-anam-dodhy
diff --git a/data/and-res-guard/misuses/2/misuse.yml b/data/and-res-guard/misuses/2/misuse.yml
new file mode 100644
index 000000000..ebab550ca
--- /dev/null
+++ b/data/and-res-guard/misuses/2/misuse.yml
@@ -0,0 +1,16 @@
+api:
+- java.security.MessageDigest
+violations:
+- insecure/condition/transformation
+description: >
+ First parameter (with value "SHA-1") should be any of {SHA-256, SHA-384, SHA-512}
+location:
+ file: main/java/apksigner/ApkSignerTool.java
+ method: "verify(String[])"
+ line: 420
+internal: false
+pattern:
+crash: false
+source:
+ name: MSR 2019 Data Showcase A Dataset of Parametric Cryptographic Misuses by Wickert, Reif, Eichberg, Dodhy, and Mezini
+ url: https://github.com/akwick/MUBench/tree/thesis-2018-anam-dodhy
diff --git a/data/and-res-guard/project.yml b/data/and-res-guard/project.yml
new file mode 100644
index 000000000..663576728
--- /dev/null
+++ b/data/and-res-guard/project.yml
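Review bot: `src: /src/main/java/` in `data/aliyun-oss-java-sdk/versions/196cf71/version.yml` starts with a slash, unlike the other version files in this change (`core/auth/src/main/java/`, `bt-core/src/main/java/`). If the benchmark joins this value onto the checkout directory, an absolute path can replace the base, and the source lookup would then resolve against the filesystem root instead of the project; how the value is joined is not visible here. Write it as `src: src/main/java/`.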
@@ -0,0 +1,5 @@
+name: and-res-guard
+repository:
+ type: git
+ url: https://github.com/shwenzhang/AndResGuard
+url: https://github.com/shwenzhang/AndResGuard
\ No newline at end of file
diff --git a/data/and-res-guard/versions/f2c72f0/version.yml b/data/and-res-guard/versions/f2c72f0/version.yml
new file mode 100644
index 000000000..f277b17c0
--- /dev/null
+++ b/data/and-res-guard/versions/f2c72f0/version.yml
@@ -0,0 +1,9 @@
+build:
+ classes: AndResGuard/AndResGuard-core/$gradle.default.classes
+ commands:
+ - gradle build
+ src: AndResGuard/AndResGuard-core/src
+misuses:
+- '1'
+- '2'
+revision: f03c69ad2860b5131c5489ca503843172a8f91e4
diff --git a/data/app-engine/misuses/1/misuse.yml b/data/app-engine/misuses/1/misuse.yml
new file mode 100644
index 000000000..504880b72
--- /dev/null
+++ b/data/app-engine/misuses/1/misuse.yml
@@ -0,0 +1,16 @@
+api:
+- javax.crypto.Cipher
+violations:
+- insecure/condition/transformation
+description: >
+ First parameter (with value "AES") should be any of AES/{CBC, GCM, PCBC, CTR, CTS, CFB, OFB}
+location:
+ file: com/appengine/common/encrypt/AESEncrypter.java
+ method: "encrypt(String)"
+ line: 62
+internal: false
+pattern:
+crash: false
+source:
+ name: MSR 2019 Data Showcase A Dataset of Parametric Cryptographic Misuses by Wickert, Reif, Eichberg, Dodhy, and Mezini
+ url: https://github.com/akwick/MUBench/tree/thesis-2018-anam-dodhy
diff --git a/data/app-engine/misuses/2/misuse.yml b/data/app-engine/misuses/2/misuse.yml
new file mode 100644
index 000000000..77628ece6
--- /dev/null
+++ b/data/app-engine/misuses/2/misuse.yml
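Review bot: The version id and the pinned commit disagree in `data/and-res-guard/versions/f2c72f0/version.yml`: the directory name and the dataset ids say `f2c72f0`, but the file sets `revision: f03c69ad2860b5131c5489ca503843172a8f91e4`. Every other version file in this change uses a directory name that is a prefix of its revision hash. As written, the benchmark checks out a commit that the id does not identify, so lines 419 and 420 of ApkSignerTool.java may not be the lines that were labelled. Confirm which commit was analysed and make the directory name, the dataset ids and `revision` agree.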
@@ -0,0 +1,16 @@
+api:
+- javax.crypto.Cipher
+violations:
+- insecure/condition/transformation
+description: >
+ First parameter (with value "AES") should be any of AES/{CBC, GCM, PCBC, CTR, CTS, CFB, OFB}
+location:
+ file: com/appengine/common/encrypt/AESEncrypter.java
+ method: "decrypt(String)"
+ line: 73
+internal: false
+pattern:
+crash: false
+source:
+ name: MSR 2019 Data Showcase A Dataset of Parametric Cryptographic Misuses by Wickert, Reif, Eichberg, Dodhy, and Mezini
+ url: https://github.com/akwick/MUBench/tree/thesis-2018-anam-dodhy
diff --git a/data/app-engine/misuses/3/misuse.yml b/data/app-engine/misuses/3/misuse.yml
new file mode 100644
index 000000000..c3368e815
--- /dev/null
+++ b/data/app-engine/misuses/3/misuse.yml
@@ -0,0 +1,16 @@
+api:
+- javax.crypto.spec.SecretKeySpec
+violations:
+- insecure/condition/randomization
+description: >
+ First parameter was not properly randomized
+location:
+ file: com/appengine/common/encrypt/AESEncrypter.java
+ method: "loadAesKey(String)"
+ line: 98
+internal: false
+pattern:
+crash: false
+source:
+ name: MSR 2019 Data Showcase A Dataset of Parametric Cryptographic Misuses by Wickert, Reif, Eichberg, Dodhy, and Mezini
+ url: https://github.com/akwick/MUBench/tree/thesis-2018-anam-dodhy
diff --git a/data/app-engine/misuses/4/misuse.yml b/data/app-engine/misuses/4/misuse.yml
new file mode 100644
index 000000000..2b2e0dfaa
--- /dev/null
+++ b/data/app-engine/misuses/4/misuse.yml
@@ -0,0 +1,16 @@
+api:
+- java.security.MessageDigest
+violations:
+- insecure/condition/transformation
+description: >
+ First parameter can have values either MD5 or SHA1 but they should be any of AES/{CBC, GCM, PCBC, CTR, CTS, CFB, OFB}
+location:
+ file: com/appengine/common/encrypt/Digests.java
+ method: "digest(InputStream, String)"
+ line: 95
+internal: false
+pattern:
+crash: false
+source:
+ name: MSR 2019 Data Showcase A Dataset of Parametric Cryptographic Misuses by Wickert, Reif, Eichberg, Dodhy, and Mezini
+ url: https://github.com/akwick/MUBench/tree/thesis-2018-anam-dodhy
diff --git a/data/app-engine/project.yml b/data/app-engine/project.yml
new file mode 100644
index 000000000..2d6d832bc
--- /dev/null
+++ b/data/app-engine/project.yml
@@ -0,0 +1,5 @@
+name: app-engine
+repository:
+ type: git
+ url: https://github.com/sofn/app-engine
+url: https://github.com/sofn/app-engine
\ No newline at end of file
diff --git a/data/app-engine/versions/db6d288/version.yml b/data/app-engine/versions/db6d288/version.yml
new file mode 100644
index 000000000..32a0090b5
--- /dev/null
+++ b/data/app-engine/versions/db6d288/version.yml
@@ -0,0 +1,11 @@
+build:
+ classes: app-engine/common/$gradle.default.classes
+ commands:
+ - gradle compileJava
+ src: app-engine/common/src/main/java
+misuses:
+- '1'
+- '2'
+- '3'
+- '4'
+revision: db6d288c182cbda5b4d535be5c95f196c4e5aa9b
diff --git a/data/aws-sdk-java-v2/misuses/1/misuse.yml b/data/aws-sdk-java-v2/misuses/1/misuse.yml
new file mode 100644
index 000000000..c0ebd5030
--- /dev/null
+++ b/data/aws-sdk-java-v2/misuses/1/misuse.yml
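Review bot: The description in `data/app-engine/misuses/4/misuse.yml` lists cipher modes as the remedy for a hash: the API is `java.security.MessageDigest`, yet the text says the value "should be any of AES/{CBC, GCM, PCBC, CTR, CTS, CFB, OFB}", which looks copied from the Cipher entries for this project. The other MessageDigest entries in this change use the digest set, so the line should read `First parameter can have values either MD5 or SHA1 but should be any of {SHA-256, SHA-384, SHA-512}`. The signature `digest(InputStream, String)` suggests the algorithm name is passed in by the caller; if so, the description should also say which callers supply MD5 or SHA1, because line 95 alone does not fix the value.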
@@ -0,0 +1,16 @@
+api:
+- javax.crypto.spec.SecretKeySpec
+violations:
+- insecure/condition/randomization
+description: >
+ First parameter while creating SecretKeySpec object i.e. new SecretKeySpec(byte[],SigningAlgorithm) was not properly randomized
+location:
+ file: software/amazon/awssdk/auth/signer/internal/AbstractAwsSigner.java
+ method: "sign(byte[], byte[], SigningAlgorithm)"
+ line: 146
+internal: false
+pattern:
+crash: false
+source:
+ name: MSR 2019 Data Showcase A Dataset of Parametric Cryptographic Misuses by Wickert, Reif, Eichberg, Dodhy, and Mezini
+ url: https://github.com/akwick/MUBench/tree/thesis-2018-anam-dodhy
diff --git a/data/aws-sdk-java-v2/project.yml b/data/aws-sdk-java-v2/project.yml
new file mode 100644
index 000000000..44e29a5e4
--- /dev/null
+++ b/data/aws-sdk-java-v2/project.yml
@@ -0,0 +1,5 @@
+name: aws-sdk-java-v2
+repository:
+ type: git
+ url: https://github.com/aws/aws-sdk-java-v2
+url: https://github.com/aws/aws-sdk-java-v2
\ No newline at end of file
diff --git a/data/aws-sdk-java-v2/versions/ffb8095/version.yml b/data/aws-sdk-java-v2/versions/ffb8095/version.yml
new file mode 100644
index 000000000..e71bd9500
--- /dev/null
+++ b/data/aws-sdk-java-v2/versions/ffb8095/version.yml
@@ -0,0 +1,8 @@
+build:
+ classes: core/auth/$mvn.default.classes
+ commands:
+ - mvn -pl :aws-core -am clean compile
+ src: core/auth/src/main/java/
+misuses:
+- '1'
+revision: ffb8095cab661a1f5318cb217eddde250626e44f
diff --git a/data/biglybt-core/misuses/1/misuse.yml b/data/biglybt-core/misuses/1/misuse.yml
new file mode 100644
index 000000000..1dafb029c
--- /dev/null
+++ b/data/biglybt-core/misuses/1/misuse.yml
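Review bot: The constructor quoted in `data/aws-sdk-java-v2/misuses/1/misuse.yml`, `new SecretKeySpec(byte[],SigningAlgorithm)`, is not a SecretKeySpec signature; the two-argument constructor takes `(byte[], String)`, which is how the biglybt-core entries in this change write it. The finding also sits inside `sign(byte[], byte[], SigningAlgorithm)`, so the key bytes presumably arrive as a method argument, and "not properly randomized" then describes the caller's key material rather than anything decided at line 146. Suggested wording: `First parameter of new SecretKeySpec(byte[], String) is key material passed in by the caller of sign(...); its origin was not traced to a secure key generator.`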
@@ -0,0 +1,16 @@
+api:
+- javax.crypto.spec.SecretKeySpec
+violations:
+- insecure/condition/randomization
+description: >
+ First parameter while creating the SecretKeySpec objecct i.e. new SecretKeySpec(byte[], String) was not properly randomized
+location:
+ file: com/biglybt/core/pairing/impl/PairingManagerTunnelHandler.java
+ method: "process(InetSocketAddress, Map)"
+ line: 479
+internal: false
+pattern:
+crash: false
+source:
+ name: MSR 2019 Data Showcase A Dataset of Parametric Cryptographic Misuses by Wickert, Reif, Eichberg, Dodhy, and Mezini
+ url: https://github.com/akwick/MUBench/tree/thesis-2018-anam-dodhy
diff --git a/data/biglybt-core/misuses/2/misuse.yml b/data/biglybt-core/misuses/2/misuse.yml
new file mode 100644
index 000000000..069fb3163
--- /dev/null
+++ b/data/biglybt-core/misuses/2/misuse.yml
@@ -0,0 +1,16 @@
+api:
+- javax.crypto.spec.SecretKeySpec
+violations:
+- insecure/condition/randomization
+description: >
+ First parameter while creating the SecretKeySpec objecct i.e. new SecretKeySpec(byte[], String) was not properly randomized
+location:
+ file: com/biglybt/core/pairing/impl/PairingManagerTunnelHandler.java
+ method: "handleLocalTunnel(TrackerWebPageRequest, TrackerWebPageResponse)"
+ line: 960
+internal: false
+pattern:
+crash: false
+source:
+ name: MSR 2019 Data Showcase A Dataset of Parametric Cryptographic Misuses by Wickert, Reif, Eichberg, Dodhy, and Mezini
+ url: https://github.com/akwick/MUBench/tree/thesis-2018-anam-dodhy
diff --git a/data/biglybt-core/project.yml b/data/biglybt-core/project.yml
new file mode 100644
index 000000000..b1d7b0934
--- /dev/null
+++ b/data/biglybt-core/project.yml
@@ -0,0 +1,5 @@
+name: biglybt-core
+repository:
+ type: git
+ url: https://github.com/BiglySoftware/BiglyBT
+url: https://github.com/BiglySoftware/BiglyBT
\ No newline at end of file
diff --git a/data/biglybt-core/versions/5b539aa/version.yml b/data/biglybt-core/versions/5b539aa/version.yml
new file mode 100644
index 000000000..5864db9d1
--- /dev/null
+++ b/data/biglybt-core/versions/5b539aa/version.yml
@@ -0,0 +1,9 @@
+build:
+ classes: core/$mvn.default.classes
+ commands:
+ - mvn compile
+ src: core/src/
+misuses:
+- '1'
+- '2'
+revision: 5b539aa0b92aaaa3000580b73ec97b0c70c2e645
diff --git a/data/biglybt-ui/misuses/1/misuse.yml b/data/biglybt-ui/misuses/1/misuse.yml
new file mode 100644
index 000000000..27fa49e9b
--- /dev/null
+++ b/data/biglybt-ui/misuses/1/misuse.yml
@@ -0,0 +1,16 @@
+api:
+- java.security.MessageDigest
+violations:
+- insecure/condition/transformation
+description: >
+ First parameter in MessageDigest.getInstance(String) is with value "SHA1" which should be any of {SHA-256, SHA-384, SHA-512}.
+location:
+ file: com/biglybt/ui/swt/views/tableitems/files/FileHashItemBase.java
+ method: "runSupport()"
+ line: 280
+internal: false
+pattern:
+crash: false
+source:
+ name: MSR 2019 Data Showcase A Dataset of Parametric Cryptographic Misuses by Wickert, Reif, Eichberg, Dodhy, and Mezini
+ url: https://github.com/akwick/MUBench/tree/thesis-2018-anam-dodhy
diff --git a/data/biglybt-ui/misuses/2/misuse.yml b/data/biglybt-ui/misuses/2/misuse.yml
new file mode 100644
index 000000000..2b2500be9
--- /dev/null
+++ b/data/biglybt-ui/misuses/2/misuse.yml
@@ -0,0 +1,16 @@
+api:
+- java.security.MessageDigest
+violations:
+- insecure/condition/transformation
+description: >
+ First parameter in MessageDigest.getInstance(String) is with value "md5" which should be any of {SHA-256, SHA-384, SHA-512}.
+location:
+ file: com/biglybt/ui/swt/views/tableitems/files/FileHashItemBase.java
+ method: "runSupport()"
+ line: 276
+internal: false
+pattern:
+crash: false
+source:
+ name: MSR 2019 Data Showcase A Dataset of Parametric Cryptographic Misuses by Wickert, Reif, Eichberg, Dodhy, and Mezini
+ url: https://github.com/akwick/MUBench/tree/thesis-2018-anam-dodhy
diff --git a/data/biglybt-ui/misuses/3/misuse.yml b/data/biglybt-ui/misuses/3/misuse.yml
new file mode 100644
index 000000000..0b2defb0d
--- /dev/null
+++ b/data/biglybt-ui/misuses/3/misuse.yml
@@ -0,0 +1,16 @@
+api:
+- java.security.MessageDigest
+violations:
+- insecure/condition/transformation
+description: >
+ First parameter in MessageDigest.getInstance(String) is with value "md5" which should be any of {SHA-256, SHA-384, SHA-512}.
+location:
+ file: com/biglybt/ui/swt/config/PasswordParameter.java
+ method: "handleEvent(Event)"
+ line: 89
+internal: false
+pattern:
+crash: false
+source:
+ name: MSR 2019 Data Showcase A Dataset of Parametric Cryptographic Misuses by Wickert, Reif, Eichberg, Dodhy, and Mezini
+ url: https://github.com/akwick/MUBench/tree/thesis-2018-anam-dodhy
diff --git a/data/biglybt-ui/project.yml b/data/biglybt-ui/project.yml
new file mode 100644
index 000000000..73afd4751
--- /dev/null
+++ b/data/biglybt-ui/project.yml
@@ -0,0 +1,5 @@
+name: biglybt-ui
+repository:
+ type: git
+ url: https://github.com/BiglySoftware/BiglyBT
+url: https://github.com/BiglySoftware/BiglyBT
\ No newline at end of file
diff --git a/data/biglybt-ui/versions/5b539aa/version.yml b/data/biglybt-ui/versions/5b539aa/version.yml
new file mode 100644
index 000000000..328d7f4bb
--- /dev/null
+++ b/data/biglybt-ui/versions/5b539aa/version.yml
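Review bot: The replacement set given in `data/biglybt-ui/misuses/3/misuse.yml` is the wrong remedy if this digest protects a password, which the file name `PasswordParameter.java` suggests but this page does not show. SHA-256, SHA-384 and SHA-512 are fast general-purpose hashes, whereas a stored or compared password needs a salted, deliberately slow password-hashing function; a tool that switches "md5" to "SHA-256" here would satisfy the entry without fixing the weakness. Add the caveat to the description, for example by appending `If the input is a password, a salted password-hashing function is required rather than a plain digest.`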
@@ -0,0 +1,10 @@
+build:
+ classes: uis/$mvn.default.classes
+ commands:
+ - mvn compile
+ src: uis/src/
+misuses:
+- '1'
+- '2'
+- '3'
+revision: 5b539aa0b92aaaa3000580b73ec97b0c70c2e645
diff --git a/data/bt/misuses/1/misuse.yml b/data/bt/misuses/1/misuse.yml
new file mode 100644
index 000000000..aa1a2422f
--- /dev/null
+++ b/data/bt/misuses/1/misuse.yml
@@ -0,0 +1,16 @@
+api:
+- java.security.MessageDigest
+violations:
+- insecure/condition/transformation
+description: >
+ First parameter in MessageDigest.getInstance(String) is with value "SHA-1" which should be any of {SHA-256, SHA-384, SHA-512}.
+location:
+ file: bt/service/CryptoUtil.java
+ method: "getSha1Digest(byte[])"
+ line: 39
+internal: false
+pattern:
+crash: false
+source:
+ name: MSR 2019 Data Showcase A Dataset of Parametric Cryptographic Misuses by Wickert, Reif, Eichberg, Dodhy, and Mezini
+ url: https://github.com/akwick/MUBench/tree/thesis-2018-anam-dodhy
diff --git a/data/bt/misuses/2/misuse.yml b/data/bt/misuses/2/misuse.yml
new file mode 100644
index 000000000..11db2cab0
--- /dev/null
+++ b/data/bt/misuses/2/misuse.yml
@@ -0,0 +1,16 @@
+api:
+- java.security.MessageDigest
+violations:
+- insecure/condition/transformation
+description: >
+ First parameter in MessageDigest.getInstance(String) is with value "SHA-1" which should be any of {SHA-256, SHA-384, SHA-512}.
+location:
+ file: bt/protocol/crypto/MSECipher.java
+ method: "getDigest(String)"
+ line: 133
+internal: false
+pattern:
+crash: false
+source:
+ name: MSR 2019 Data Showcase A Dataset of Parametric Cryptographic Misuses by Wickert, Reif, Eichberg, Dodhy, and Mezini
+ url: https://github.com/akwick/MUBench/tree/thesis-2018-anam-dodhy
diff --git a/data/bt/misuses/3/misuse.yml b/data/bt/misuses/3/misuse.yml
new file mode 100644
index 000000000..dfcadefd8
--- /dev/null
+++ b/data/bt/misuses/3/misuse.yml
@@ -0,0 +1,16 @@
+api:
+- javax.crypto.spec.SecretKeySpec
+violations:
+- insecure/condition/randomization
+description: >
+ First parameter while creating the SecretKeySpec object was not properly randomized
+location:
+ file: bt/protocol/crypto/MSECipher.java
+ method: "getEncryptionKey(String, byte[], byte[])"
+ line: 128
+internal: false
+pattern:
+crash: false
+source:
+ name: MSR 2019 Data Showcase A Dataset of Parametric Cryptographic Misuses by Wickert, Reif, Eichberg, Dodhy, and Mezini
+ url: https://github.com/akwick/MUBench/tree/thesis-2018-anam-dodhy
diff --git a/data/bt/project.yml b/data/bt/project.yml
new file mode 100644
index 000000000..e78f1715e
--- /dev/null
+++ b/data/bt/project.yml
@@ -0,0 +1,5 @@
+name: bt
+repository:
+ type: git
+ url: https://github.com/atomashpolskiy/bt
+url: https://github.com/atomashpolskiy/bt
\ No newline at end of file
diff --git a/data/bt/versions/3cde897/version.yml b/data/bt/versions/3cde897/version.yml
new file mode 100644
index 000000000..b7ecf59f1
--- /dev/null
+++ b/data/bt/versions/3cde897/version.yml
@@ -0,0 +1,10 @@
+build:
+ classes: bt-core/$mvn.default.classes
+ commands:
+ - mvn compile
+ src: bt-core/src/main/java/
+misuses:
+- '1'
+- '2'
+- '3'
+revision: 3cde897bf959d68958ec44277e2d134bfe51be3a
diff --git a/data/datasets.yml b/data/datasets.yml
index bd6012300..6d0fa887f 100644
--- a/data/datasets.yml
+++ b/data/datasets.yml
@@ -107,7 +107,7 @@ JCA-Changes-GH: # All misuses identified among mined changes to Cipher usages on - alibaba-druid.e10f28.2 - android-rcs-rcsjta.04d847.1 -JCA-Changes-SF: # All misuses identified among mined changes to Cipher usages on SourceForge. +JCA-Changes-SF: # All misuses identified among mined changes to Cipher usages on SourceForge. - adempiere.1312.1 - adempiere.1312.2 - battleforge.878.1
@@ -788,3 +788,455 @@ JCA-All: # All JCA misuses. - jmrtd.67.2 - pawotag.82.1 - tab-apps.62.1 + + +JCA-Param-All: # All parametric cryptographic misuses identified in the set. +# Currently, the dataset has projects which did not compile in MUBench due to issue [#409](https://github.com/stg-tud/MUBench/issues/409). + - abixen-platform.99fe499.1 + - abixen-platform.99fe499.2 + - abixen-platform.99fe499.3 + - abixen-platform.99fe499.4 + - abixen-platform.99fe499.5 + - abixen-platform.99fe499.6 + - abixen-platform.99fe499.7 + - abixen-platform.99fe499.8 + - abixen-platform.99fe499.9 + - aliyun-oss-java-sdk.196cf71.1 + - aliyun-oss-java-sdk.196cf71.2 + - and-res-guard.f2c72f0.1 + - and-res-guard.f2c72f0.2 + - app-engine.db6d288.1 + - app-engine.db6d288.2 + - app-engine.db6d288.3 + - app-engine.db6d288.4 + - aws-sdk-java-v2.ffb8095.1 + - biglybt-core.5b539aa.1 + - biglybt-core.5b539aa.2 + - biglybt-ui.5b539aa.1 + - biglybt-ui.5b539aa.2 + - biglybt-ui.5b539aa.3 + - bt.3cde897.1 + - bt.3cde897.2 + - bt.3cde897.3 + - dbeaver-core.db3a8c3.1 + - dbeaver-import.db3a8c3.1 + - dbeaver-import.db3a8c3.2 + - dbeaver-import.db3a8c3.3 + - dbeaver-import.db3a8c3.4 + - dbeaver-import.db3a8c3.5 + - dbeaver-import.db3a8c3.6 + - dble.dbf6360.1 + - dragonite-java.e26ffff.2 + - dubbo3.a3fa2db.1 + - dubbo3.a3fa2db.2 + - everyone-java-blog.dcf0ac3.1 + - everyone-java-blog.dcf0ac3.2 + - everyone-java-blog.dcf0ac3.3 + - everyone-java-blog.dcf0ac3.4 + - fast-boot-weixin.c47a650.1 + - fast-boot-weixin.c47a650.2 + - fast-boot-weixin.c47a650.3 + - fast-boot-weixin.c47a650.4 + - fast-boot-weixin.c47a650.5 + - fast-boot-weixin.c47a650.6 + - game-server.6d7d450.1 + - game-server.6d7d450.2 + - game-server.6d7d450.3 + - game-server.6d7d450.4 + - ha-bridge.c25f08f.1 + - ha-bridge.c25f08f.2 + - ha-bridge.c25f08f.3 + - ha-bridge.c25f08f.4 + - ha-bridge.c25f08f.5 + - ha-bridge.c25f08f.6 + - ha-bridge.c25f08f.7 + - ha-bridge.c25f08f.8 + - hsweb-framework.7bc7090.1 + - ijpay.a372a7a.1 + - ijpay.a372a7a.2 + - 
ijpay.a372a7a.3 + - ijpay.a372a7a.4 + - ijpay.a372a7a.5 + - ijpay.a372a7a.6 + - ijpay.a372a7a.7 + - ijpay.a372a7a.8 + - instagram4j.ae85b2b.1 + - j360-dubbo-app-all.fc32b0b.1 + - j360-dubbo-app-all.fc32b0b.2 + - j360-dubbo-app-all.fc32b0b.3 + - j360-dubbo-app-all.fc32b0b.4 + - j360-dubbo-app-all.fc32b0b.5 + - java-telegram-bot-api.04fbbbb.1 + - jeesuite-libs.2a545bd.1 + - jeesuite-libs.2a545bd.2 + - jeesuite-libs.2a545bd.3 + - jeesuite-libs.2a545bd.4 + - jeesuite-libs.2a545bd.5 + - jeesuite-libs.2a545bd.6 + - jeesuite-libs.2a545bd.7 + - jeesuite-libs.2a545bd.8 + - jeesuite-libs.2a545bd.9 + - job-x.414503f.1 + - job-x.414503f.10 + - job-x.414503f.11 + - job-x.414503f.12 + - job-x.414503f.13 + - job-x.414503f.14 + - job-x.414503f.2 + - job-x.414503f.3 + - job-x.414503f.4 + - job-x.414503f.5 + - job-x.414503f.6 + - job-x.414503f.7 + - job-x.414503f.8 + - job-x.414503f.9 + - lucene-solr.928b92c.1 + - lucene-solr.928b92c.2 + - lucene-solr.928b92c.3 + - lucene-solr.928b92c.4 + - mpush.f8d5c97.1 + - mpush.f8d5c97.2 + - mpush.f8d5c97.3 + - mpush.f8d5c97.4 + - mpush.f8d5c97.5 + - mpush.f8d5c97.6 + - mpush.f8d5c97.7 + - my-blog.2da238a.1 + - my-blog.2da238a.2 + - my-blog.2da238a.3 + - my-blog.2da238a.4 + - my-blog.2da238a.5 + - my-blog.2da238a.6 + - my-blog.2da238a.7 + - nettygameserver.c069be1.1 + - nettygameserver.c069be1.2 + - nettygameserver.c069be1.3 + - nettygameserver.c069be1.4 + - pig.579bc2c.1 + - pig.579bc2c.2 + - pig.579bc2c.3 + - pig.579bc2c.4 + - protools.2ae1f34.1 + - protools.2ae1f34.2 + - protools.2ae1f34.3 + - protools.2ae1f34.4 + - protools.2ae1f34.5 + - protools.2ae1f34.6 + - protools.2ae1f34.7 + - protools.2ae1f34.8 + - public-cms.f2c72f0.1 + - public-cms.f2c72f0.2 + - public-cms.f2c72f0.3 + - public-cms.f2c72f0.4 + - public-cms.f2c72f0.5 + - public-cms.f2c72f0.6 + - public-cms.f2c72f0.7 + - public-cms.f2c72f0.8 + - public-cms.f2c72f0.9 + - saturn-console-api.69bb353.1 + - saturn-console-core.69bb353.1 + - smart.9e018a6.1 + - smart.9e018a6.2 + - 
smart.9e018a6.3 + - smart.9e018a6.4 + - smart.9e018a6.5 + - smart.9e018a6.6 + - smart.9e018a6.7 + - smart.9e018a6.8 + - spring-boot-quick.10c213e.1 + - spring-boot-quick.10c213e.2 + - spring-boot-student.3b10f43.1 + - spring-boot-student.3b10f43.2 + - spring-boot-student.3b10f43.3 + - spring-boot-student.3b10f43.4 + - spring-boot-student.3b10f43.5 + - spring-boot-student.3b10f43.6 + - symmetric-ds.c42f0e0.1 + - symmetric-ds.c42f0e0.2 + - symmetric-ds.c42f0e0.3 + - telegram-server.25316b0.1 + - telegram-server.25316b0.2 + - telegram-server.25316b0.3 + - telegram-server.25316b0.4 + - telegram-server.25316b0.5 + - telegram-server.25316b0.6 + - telegram-server.25316b0.7 + - telegram-server.25316b0.8 + - telegram-server.25316b0.9 + - tls-attacker.6d4de77.1 + - tls-attacker.6d4de77.10 + - tls-attacker.6d4de77.2 + - tls-attacker.6d4de77.3 + - tls-attacker.6d4de77.4 + - tls-attacker.6d4de77.5 + - tls-attacker.6d4de77.6 + - tls-attacker.6d4de77.7 + - tls-attacker.6d4de77.8 + - tls-attacker.6d4de77.9 + - vjtools.784be0a.1 + - vjtools.784be0a.2 + - whatsmars.917b029.1 + - whatsmars.917b029.10 + - whatsmars.917b029.11 + - whatsmars.917b029.12 + - whatsmars.917b029.13 + - whatsmars.917b029.2 + - whatsmars.917b029.3 + - whatsmars.917b029.4 + - whatsmars.917b029.5 + - whatsmars.917b029.6 + - whatsmars.917b029.7 + - whatsmars.917b029.8 + - whatsmars.917b029.9 + - zheng.11f2e86.1 + - zheng.11f2e86.2 + - zheng.11f2e86.3 + +JCA-Param-WithoutGradle: # All parametric cryptographic misuses without the projects which did not compile in MUBench due to issue [#409](https://github.com/stg-tud/MUBench/issues/409) + - aliyun-oss-java-sdk.196cf71.1 + - aliyun-oss-java-sdk.196cf71.2 + - aws-sdk-java-v2.ffb8095.1 + - biglybt-core.5b539aa.1 + - biglybt-core.5b539aa.2 + - biglybt-ui.5b539aa.1 + - biglybt-ui.5b539aa.2 + - biglybt-ui.5b539aa.3 + - bt.3cde897.1 + - bt.3cde897.2 + - bt.3cde897.3 + - dbeaver-core.db3a8c3.1 + - dbeaver-import.db3a8c3.1 + - dbeaver-import.db3a8c3.2 + - 
dbeaver-import.db3a8c3.3 + - dbeaver-import.db3a8c3.4 + - dbeaver-import.db3a8c3.5 + - dbeaver-import.db3a8c3.6 + - dble.dbf6360.1 + - dragonite-java.e26ffff.2 + - dubbo3.a3fa2db.1 + - dubbo3.a3fa2db.2 + - everyone-java-blog.dcf0ac3.1 + - everyone-java-blog.dcf0ac3.2 + - everyone-java-blog.dcf0ac3.3 + - everyone-java-blog.dcf0ac3.4 + - fast-boot-weixin.c47a650.1 + - fast-boot-weixin.c47a650.2 + - fast-boot-weixin.c47a650.3 + - fast-boot-weixin.c47a650.4 + - fast-boot-weixin.c47a650.5 + - fast-boot-weixin.c47a650.6 + - game-server.6d7d450.1 + - game-server.6d7d450.2 + - game-server.6d7d450.3 + - game-server.6d7d450.4 + - ha-bridge.c25f08f.1 + - ha-bridge.c25f08f.2 + - ha-bridge.c25f08f.3 + - ha-bridge.c25f08f.4 + - ha-bridge.c25f08f.5 + - ha-bridge.c25f08f.6 + - ha-bridge.c25f08f.7 + - ha-bridge.c25f08f.8 + - hsweb-framework.7bc7090.1 + - ijpay.a372a7a.1 + - ijpay.a372a7a.2 + - ijpay.a372a7a.3 + - ijpay.a372a7a.4 + - ijpay.a372a7a.5 + - ijpay.a372a7a.6 + - ijpay.a372a7a.7 + - ijpay.a372a7a.8 + - instagram4j.ae85b2b.1 + - j360-dubbo-app-all.fc32b0b.1 + - j360-dubbo-app-all.fc32b0b.2 + - j360-dubbo-app-all.fc32b0b.3 + - j360-dubbo-app-all.fc32b0b.4 + - j360-dubbo-app-all.fc32b0b.5 + - jeesuite-libs.2a545bd.1 + - jeesuite-libs.2a545bd.2 + - jeesuite-libs.2a545bd.3 + - jeesuite-libs.2a545bd.4 + - jeesuite-libs.2a545bd.5 + - jeesuite-libs.2a545bd.6 + - jeesuite-libs.2a545bd.7 + - jeesuite-libs.2a545bd.8 + - jeesuite-libs.2a545bd.9 + - job-x.414503f.1 + - job-x.414503f.10 + - job-x.414503f.11 + - job-x.414503f.12 + - job-x.414503f.13 + - job-x.414503f.14 + - job-x.414503f.2 + - job-x.414503f.3 + - job-x.414503f.4 + - job-x.414503f.5 + - job-x.414503f.6 + - job-x.414503f.7 + - job-x.414503f.8 + - job-x.414503f.9 + - lucene-solr.928b92c.1 + - lucene-solr.928b92c.2 + - lucene-solr.928b92c.3 + - lucene-solr.928b92c.4 + - mpush.f8d5c97.1 + - mpush.f8d5c97.2 + - mpush.f8d5c97.3 + - mpush.f8d5c97.4 + - mpush.f8d5c97.5 + - mpush.f8d5c97.6 + - mpush.f8d5c97.7 + - my-blog.2da238a.1 
+ - my-blog.2da238a.2 + - my-blog.2da238a.3 + - my-blog.2da238a.4 + - my-blog.2da238a.5 + - my-blog.2da238a.6 + - my-blog.2da238a.7 + - nettygameserver.c069be1.1 + - nettygameserver.c069be1.2 + - nettygameserver.c069be1.3 + - nettygameserver.c069be1.4 + - pig.579bc2c.1 + - pig.579bc2c.2 + - pig.579bc2c.3 + - pig.579bc2c.4 + - protools.2ae1f34.1 + - protools.2ae1f34.2 + - protools.2ae1f34.3 + - protools.2ae1f34.4 + - protools.2ae1f34.5 + - protools.2ae1f34.6 + - protools.2ae1f34.7 + - protools.2ae1f34.8 + - saturn-console-api.69bb353.1 + - saturn-console-core.69bb353.1 + - smart.9e018a6.1 + - smart.9e018a6.2 + - smart.9e018a6.3 + - smart.9e018a6.4 + - smart.9e018a6.5 + - smart.9e018a6.6 + - smart.9e018a6.7 + - smart.9e018a6.8 + - spring-boot-quick.10c213e.1 + - spring-boot-quick.10c213e.2 + - spring-boot-student.3b10f43.1 + - spring-boot-student.3b10f43.2 + - spring-boot-student.3b10f43.3 + - spring-boot-student.3b10f43.4 + - spring-boot-student.3b10f43.5 + - spring-boot-student.3b10f43.6 + - tls-attacker.6d4de77.1 + - tls-attacker.6d4de77.10 + - tls-attacker.6d4de77.2 + - tls-attacker.6d4de77.3 + - tls-attacker.6d4de77.4 + - tls-attacker.6d4de77.5 + - tls-attacker.6d4de77.6 + - tls-attacker.6d4de77.7 + - tls-attacker.6d4de77.8 + - tls-attacker.6d4de77.9 + - vjtools.784be0a.1 + - vjtools.784be0a.2 + - whatsmars.917b029.1 + - whatsmars.917b029.10 + - whatsmars.917b029.11 + - whatsmars.917b029.12 + - whatsmars.917b029.13 + - whatsmars.917b029.2 + - whatsmars.917b029.3 + - whatsmars.917b029.4 + - whatsmars.917b029.5 + - whatsmars.917b029.6 + - whatsmars.917b029.7 + - whatsmars.917b029.8 + - whatsmars.917b029.9 + - zheng.11f2e86.1 + - zheng.11f2e86.2 + - zheng.11f2e86.3 + +### +### The dataset used for the experiments in the MSR'19 paper, +#### + +MSR19-FindBugs-Exp2-and-Exp3: + - ha-bridge.c25f08f.1 + - ha-bridge.c25f08f.2 + - ha-bridge.c25f08f.3 + - ha-bridge.c25f08f.4 + - ha-bridge.c25f08f.5 + - ha-bridge.c25f08f.6 + - ha-bridge.c25f08f.7 + - ha-bridge.c25f08f.8 + - 
ijpay.a372a7a.1 + - ijpay.a372a7a.2 + - ijpay.a372a7a.3 + - ijpay.a372a7a.4 + - ijpay.a372a7a.5 + - ijpay.a372a7a.6 + - ijpay.a372a7a.7 + - ijpay.a372a7a.8 + - jeesuite-libs.2a545bd.1 + - jeesuite-libs.2a545bd.2 + - jeesuite-libs.2a545bd.3 + - jeesuite-libs.2a545bd.4 + - jeesuite-libs.2a545bd.5 + - jeesuite-libs.2a545bd.6 + - jeesuite-libs.2a545bd.7 + - jeesuite-libs.2a545bd.8 + - jeesuite-libs.2a545bd.9 + - job-x.414503f.1 + - job-x.414503f.10 + - job-x.414503f.11 + - job-x.414503f.12 + - job-x.414503f.13 + - job-x.414503f.14 + - job-x.414503f.2 + - job-x.414503f.3 + - job-x.414503f.4 + - job-x.414503f.5 + - job-x.414503f.6 + - job-x.414503f.7 + - job-x.414503f.8 + - job-x.414503f.9 + - my-blog.2da238a.1 + - my-blog.2da238a.2 + - my-blog.2da238a.3 + - my-blog.2da238a.4 + - my-blog.2da238a.5 + - my-blog.2da238a.6 + - my-blog.2da238a.7 + - nettygameserver.c069be1.1 + - nettygameserver.c069be1.2 + - nettygameserver.c069be1.3 + - nettygameserver.c069be1.4 + - spring-boot-quick.10c213e.1 + - spring-boot-quick.10c213e.2 + - spring-boot-student.3b10f43.1 + - spring-boot-student.3b10f43.2 + - spring-boot-student.3b10f43.3 + - spring-boot-student.3b10f43.4 + - spring-boot-student.3b10f43.5 + - spring-boot-student.3b10f43.6 + - smart.9e018a6.1 + - smart.9e018a6.2 + - smart.9e018a6.3 + - smart.9e018a6.4 + - smart.9e018a6.5 + - smart.9e018a6.6 + - smart.9e018a6.7 + - smart.9e018a6.8 + - whatsmars.917b029.1 + - whatsmars.917b029.10 + - whatsmars.917b029.11 + - whatsmars.917b029.12 + - whatsmars.917b029.13 + - whatsmars.917b029.2 + - whatsmars.917b029.3 + - whatsmars.917b029.4 + - whatsmars.917b029.5 + - whatsmars.917b029.6 + - whatsmars.917b029.7 + - whatsmars.917b029.8 + - whatsmars.917b029.9 diff --git a/data/dbeaver-core/misuses/1/misuse.yml b/data/dbeaver-core/misuses/1/misuse.yml new file mode 100644 index 000000000..7987918a9 --- /dev/null +++ b/data/dbeaver-core/misuses/1/misuse.yml 
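Review bot: `JCA-Param-WithoutGradle` in data/datasets.yml still lists `dragonite-java.e26ffff.2`, although data/dragonite-java/versions/e26ffff/version.yml in this same commit builds with `gradle build` and `$gradle.default.classes`. If the set is meant to exclude every project affected by issue #409, that entry should be dropped; if dragonite-java does compile in MUBench, the key's comment should say the exclusion is by build failure rather than by build tool. Separately, `and-res-guard.f2c72f0` and `public-cms.f2c72f0` in `JCA-Param-All` carry the same short revision for two different projects, which is worth checking against their version.yml files (not visible here).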
@@ -0,0 +1,16 @@
+api:
+- javax.crypto.Cipher
+violations:
+- insecure/condition/transformation
+description: >
+ First parameter in Cipher.getInstance(String) is with value "DES" which should be any of {AES, Blowfish, DESede, PBEWithHmacSHA224AndAES_128, PBEWithHmacSHA256AndAES_128, PBEWithHmacSHA384AndAES_128, PBEWithHmacSHA512AndAES_128, PBEWithHmacSHA224AndAES_256, PBEWithHmacSHA256AndAES_256, PBEWithHmacSHA384AndAES_256, PBEWithHmacSHA512AndAES_256, RSA}
+location:
+ file: org/jkiss/dbeaver/registry/encode/SecuredPasswordEncrypter.java
+ method: "SecuredPasswordEncrypter(String)"
+ line: 66
+internal: false
+pattern:
+crash: false
+source:
+ name: MSR 2019 Data Showcase A Dataset of Parametric Cryptographic Misuses by Wickert, Reif, Eichberg, Dodhy, and Mezini
+ url: https://github.com/akwick/MUBench/tree/thesis-2018-anam-dodhy
diff --git a/data/dbeaver-core/project.yml b/data/dbeaver-core/project.yml
new file mode 100644
index 000000000..8d811cf8c
--- /dev/null
+++ b/data/dbeaver-core/project.yml
@@ -0,0 +1,5 @@
+name: dbeaver-core
+repository:
+ type: git
+ url: https://github.com/dbeaver/dbeaver
+url: https://github.com/dbeaver/dbeaver
\ No newline at end of file
diff --git a/data/dbeaver-core/versions/db3a8c3/version.yml b/data/dbeaver-core/versions/db3a8c3/version.yml
new file mode 100644
index 000000000..141bfff7a
--- /dev/null
+++ b/data/dbeaver-core/versions/db3a8c3/version.yml
@@ -0,0 +1,8 @@
+build:
+ classes: plugins/org.jkiss.dbeaver.core/$mvn.default.classes
+ commands:
+ - mvn package
+ src: plugins/org.jkiss.dbeaver.core/src/
+misuses:
+- '1'
+revision: db3a8c38d460b92977b808cbc43ab08e6ab956fc
diff --git a/data/dbeaver-import/misuses/1/misuse.yml b/data/dbeaver-import/misuses/1/misuse.yml
new file mode 100644
index 000000000..a3dec688e
--- /dev/null
+++ b/data/dbeaver-import/misuses/1/misuse.yml
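Review bot: The `description` in data/dbeaver-core/misuses/1/misuse.yml lists bare `AES`, `Blowfish`, `DESede` and `RSA` as acceptable values for `Cipher.getInstance(String)`, yet data/dubbo3/misuses/2 in this same commit records bare "AES" as a misuse that needs an explicit mode. A reader who follows the description literally trades one dataset entry for another, because a transformation without a mode falls back to the provider default, which is typically ECB on the standard JDK providers. The same text is repeated in data/everyone-java-blog/misuses/2 and 3. If the wording is copied from the detector's message, I would still append a sentence such as `The listed names are algorithm choices only; an explicit mode and padding is required, e.g. AES/GCM/NoPadding.`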
@@ -0,0 +1,16 @@
+api:
+- javax.crypto.Cipher
+violations:
+- insecure/condition/transformation
+description: >
+ First parameter in Cipher.getInstance(String) is with value "Blowfish/ECB/NoPadding" which should be any of Blowfish/{CBC, PCBC, CTR, CTS, CFB, OFB}.
+location:
+ file: org/jkiss/dbeaver/ext/import_config/wizards/navicat/NavicatEncrypt.java
+ method: "initChiperEncrypt()"
+ line: 51
+internal: false
+pattern:
+crash: false
+source:
+ name: MSR 2019 Data Showcase A Dataset of Parametric Cryptographic Misuses by Wickert, Reif, Eichberg, Dodhy, and Mezini
+ url: https://github.com/akwick/MUBench/tree/thesis-2018-anam-dodhy
diff --git a/data/dbeaver-import/misuses/2/misuse.yml b/data/dbeaver-import/misuses/2/misuse.yml
new file mode 100644
index 000000000..f765832cc
--- /dev/null
+++ b/data/dbeaver-import/misuses/2/misuse.yml
@@ -0,0 +1,16 @@
+api:
+- javax.crypto.Cipher
+violations:
+- insecure/condition/key
+description: >
+ Second parameter while initializing the Cipher object was not properly generatedKey.
+location:
+ file: org/jkiss/dbeaver/ext/import_config/wizards/navicat/NavicatEncrypt.java
+ method: "initChiperEncrypt()"
+ line: 52
+internal: false
+pattern:
+crash: false
+source:
+ name: MSR 2019 Data Showcase A Dataset of Parametric Cryptographic Misuses by Wickert, Reif, Eichberg, Dodhy, and Mezini
+ url: https://github.com/akwick/MUBench/tree/thesis-2018-anam-dodhy
diff --git a/data/dbeaver-import/misuses/3/misuse.yml b/data/dbeaver-import/misuses/3/misuse.yml
new file mode 100644
index 000000000..a1baf4e59
--- /dev/null
+++ b/data/dbeaver-import/misuses/3/misuse.yml
@@ -0,0 +1,16 @@
+api:
+- javax.crypto.Cipher
+violations:
+- insecure/condition/transformation
+description: >
+ First parameter in Cipher.getInstance(String) is with value "Blowfish/ECB/NoPadding" which should be any of Blowfish/{CBC, PCBC, CTR, CTS, CFB, OFB}.
+location:
+ file: org/jkiss/dbeaver/ext/import_config/wizards/navicat/NavicatEncrypt.java
+ method: "initChiperDecrypt()"
+ line: 63
+internal: false
+pattern:
+crash: false
+source:
+ name: MSR 2019 Data Showcase A Dataset of Parametric Cryptographic Misuses by Wickert, Reif, Eichberg, Dodhy, and Mezini
+ url: https://github.com/akwick/MUBench/tree/thesis-2018-anam-dodhy
diff --git a/data/dbeaver-import/misuses/4/misuse.yml b/data/dbeaver-import/misuses/4/misuse.yml
new file mode 100644
index 000000000..c3e1c57db
--- /dev/null
+++ b/data/dbeaver-import/misuses/4/misuse.yml
@@ -0,0 +1,16 @@
+api:
+- javax.crypto.Cipher
+violations:
+- insecure/condition/key
+description: >
+ Second parameter while initializing the Cipher object was not properly generatedKey.
+location:
+ file: org/jkiss/dbeaver/ext/import_config/wizards/navicat/NavicatEncrypt.java
+ method: "initChiperDecrypt()"
+ line: 64
+internal: false
+pattern:
+crash: false
+source:
+ name: MSR 2019 Data Showcase A Dataset of Parametric Cryptographic Misuses by Wickert, Reif, Eichberg, Dodhy, and Mezini
+ url: https://github.com/akwick/MUBench/tree/thesis-2018-anam-dodhy
diff --git a/data/dbeaver-import/misuses/5/misuse.yml b/data/dbeaver-import/misuses/5/misuse.yml
new file mode 100644
index 000000000..c46a1f02b
--- /dev/null
+++ b/data/dbeaver-import/misuses/5/misuse.yml
@@ -0,0 +1,16 @@
+api:
+- java.security.MessageDigest
+violations:
+- insecure/condition/transformation
+description: >
+ First parameter in MessageDigest.getInstance(String) is with value "SHA1" which should be any of {SHA-256, SHA-384, SHA-512}.
+location:
+ file: org/jkiss/dbeaver/ext/import_config/wizards/navicat/NavicatEncrypt.java
+ method: "initKey()"
+ line: 37
+internal: false
+pattern:
+crash: false
+source:
+ name: MSR 2019 Data Showcase A Dataset of Parametric Cryptographic Misuses by Wickert, Reif, Eichberg, Dodhy, and Mezini
+ url: https://github.com/akwick/MUBench/tree/thesis-2018-anam-dodhy
diff --git a/data/dbeaver-import/misuses/6/misuse.yml b/data/dbeaver-import/misuses/6/misuse.yml
new file mode 100644
index 000000000..c8da7339c
--- /dev/null
+++ b/data/dbeaver-import/misuses/6/misuse.yml
@@ -0,0 +1,16 @@
+api:
+- javax.crypto.spec.SecretKeySpec
+violations:
+- insecure/condition/randomization
+description: >
+ First parameter while initializing the SecretKeySpec object was not properly randomized.
+location:
+ file: org/jkiss/dbeaver/ext/import_config/wizards/navicat/NavicatEncrypt.java
+ method: "initKey()"
+ line: 40
+internal: false
+pattern:
+crash: false
+source:
+ name: MSR 2019 Data Showcase A Dataset of Parametric Cryptographic Misuses by Wickert, Reif, Eichberg, Dodhy, and Mezini
+ url: https://github.com/akwick/MUBench/tree/thesis-2018-anam-dodhy
diff --git a/data/dbeaver-import/project.yml b/data/dbeaver-import/project.yml
new file mode 100644
index 000000000..44842e66d
--- /dev/null
+++ b/data/dbeaver-import/project.yml
@@ -0,0 +1,5 @@
+name: dbeaver-import
+repository:
+ type: git
+ url: https://github.com/dbeaver/dbeaver
+url: https://github.com/dbeaver/dbeaver
\ No newline at end of file
diff --git a/data/dbeaver-import/versions/db3a8c3/version.yml b/data/dbeaver-import/versions/db3a8c3/version.yml
new file mode 100644
index 000000000..813e6abb3
--- /dev/null
+++ b/data/dbeaver-import/versions/db3a8c3/version.yml
@@ -0,0 +1,13 @@
+build:
+ classes: plugins/org.jkiss.dbeaver.ext.import_config/$mvn.default.classes
+ commands:
+ - mvn package
+ src: plugins/org.jkiss.dbeaver.ext.import_config/src/
+misuses:
+- '1'
+- '2'
+- '3'
+- '4'
+- '5'
+- '6'
+revision: db3a8c38d460b92977b808cbc43ab08e6ab956fc
diff --git a/data/dble/misuses/1/misuse.yml b/data/dble/misuses/1/misuse.yml
new file mode 100644
index 000000000..eccdd8c53
--- /dev/null
+++ b/data/dble/misuses/1/misuse.yml
@@ -0,0 +1,15 @@
+api:
+- java.security.MessageDigest
+violations:
+- insecure/condition/transformation
+description: >
+ First parameter in MessageDigest.getInstance(String) is with value "SHA-1" which should be any of {SHA-256, SHA-384, SHA-512}.
+location:
+ file: com/actiontech/dble/backend/mysql/SecurityUtil.java
+ method: "scramble411(byte[], byte[])"
+ line: 21
+internal: false
+pattern:
+crash: false
+source:
+ name:
diff --git a/data/dble/project.yml b/data/dble/project.yml
new file mode 100644
index 000000000..285696415
--- /dev/null
+++ b/data/dble/project.yml
@@ -0,0 +1,5 @@
+name: dble
+repository:
+ type: git
+ url: https://github.com/actiontech/dble
+url: https://github.com/actiontech/dble
\ No newline at end of file
diff --git a/data/dble/versions/dbf6360/version.yml b/data/dble/versions/dbf6360/version.yml
new file mode 100644
index 000000000..4c785028f
--- /dev/null
+++ b/data/dble/versions/dbf6360/version.yml
@@ -0,0 +1,9 @@
+build:
+ classes: $mvn.default.classes
+ commands:
+ - git stash
+ - mvn compile
+ src: src/main/java/
+misuses:
+- '1'
+revision: dbf6360515d09a4f3e9a65b6aa04d15b3a27cda9
diff --git a/data/dragonite-java/misuses/2/correct-usages/AES.java b/data/dragonite-java/misuses/2/correct-usages/AES.java
new file mode 100644
index 000000000..e5ab31cf1
--- /dev/null
+++ b/data/dragonite-java/misuses/2/correct-usages/AES.java
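Review bot: data/dble/misuses/1/misuse.yml ends at `source:` with an empty `name:` and no `url:`, so the entry loses its provenance and `name` loads as null instead of a string. The sibling files all carry the same two lines, so this looks like a truncated copy; add `name: MSR 2019 Data Showcase A Dataset of Parametric Cryptographic Misuses by Wickert, Reif, Eichberg, Dodhy, and Mezini` and `url: https://github.com/akwick/MUBench/tree/thesis-2018-anam-dodhy`. data/fast-boot-weixin/misuses/1 and data/fast-boot-weixin/misuses/4 have the same 15-line form and need the same fix.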
@@ -0,0 +1,9 @@
+import javax.crypto.spec.IvParameterSpec;
+import java.security.SecureRandom;
+
+public class ConstructRandomizedIV{
+ public void pattern(int offset, int len) {
+ SecureRandom random = SecureRandom();
+ IVParameterSpec iv = new IvParameterSpec(random);
+ }
+}
diff --git a/data/dragonite-java/misuses/2/misuse.yml b/data/dragonite-java/misuses/2/misuse.yml
new file mode 100644
index 000000000..5808740f0
--- /dev/null
+++ b/data/dragonite-java/misuses/2/misuse.yml
@@ -0,0 +1,16 @@
+api:
+- javax.crypto.spec.IvParameterSpec
+violations:
+- insecure/condition/randomization
+description: |
+ The first parameter of the constructor of IVParameterSpec is not properly randomized.
+location:
+ file: com/vecsight/dragonite/sdk/cryptor/AESCryptor.java
+ method: "decryptImpl(byte[])"
+ line: 76
+internal: false
+pattern:
+crash: false
+source:
+ name: MSR 2019 Data Showcase A Dataset of Parametric Cryptographic Misuses by Wickert, Reif, Eichberg, Dodhy, and Mezini
+ url: https://github.com/akwick/MUBench/tree/thesis-2018-anam-dodhy
diff --git a/data/dragonite-java/project.yml b/data/dragonite-java/project.yml
new file mode 100644
index 000000000..d621b5c7d
--- /dev/null
+++ b/data/dragonite-java/project.yml
@@ -0,0 +1,5 @@
+name: dragonite-java
+repository:
+ type: git
+ url: https://github.com/dragonite-network/dragonite-java
+url: https://github.com/dragonite-network/dragonite-java
\ No newline at end of file
diff --git a/data/dragonite-java/versions/e26ffff/version.yml b/data/dragonite-java/versions/e26ffff/version.yml
new file mode 100644
index 000000000..c3fc97592
--- /dev/null
+++ b/data/dragonite-java/versions/e26ffff/version.yml
@@ -0,0 +1,8 @@
+build:
+ classes: dragonite-sdk/$gradle.default.classes
+ commands:
+ - gradle build
+ src: dragonite-sdk/src/
+misuses:
+- '2'
+revision: e26ffff0b0705ec72769bbd174b61df370f5ee2e
diff --git a/data/dubbo3/misuses/1/misuse.yml b/data/dubbo3/misuses/1/misuse.yml
new file mode 100644
index 000000000..30b45d6fd
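Review bot: The "correct usage" in data/dragonite-java/misuses/2/correct-usages/AES.java does not compile and does not show a valid way to build a random IV: `SecureRandom()` lacks `new`, `IVParameterSpec` is mis-cased, and `IvParameterSpec` takes a `byte[]`, not a `SecureRandom`. The body of `pattern` should be `byte[] ivBytes = new byte[16];`, `new SecureRandom().nextBytes(ivBytes);`, `IvParameterSpec iv = new IvParameterSpec(ivBytes);`, and the unused `offset`/`len` parameters could be dropped if the pattern format allows it. The pattern also deserves a comment about direction: the misuse it documents sits in `decryptImpl(byte[])`, and on the decrypt side the IV presumably has to be the one the sender used, so a fresh random IV is only the right pattern for encryption. Since detectors may learn from these correct-usage files, a pattern that cannot compile weakens the benchmark for this entry.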
--- /dev/null
+++ b/data/dubbo3/misuses/1/misuse.yml
@@ -0,0 +1,16 @@
+api:
+- java.security.MessageDigest
+violations:
+- insecure/condition/transformation
+description: >
+ First parameter in Cipher.getInstance(String) is with value "SHA1" which should be any of {SHA-256, SHA-384, SHA-512}.
+location:
+ file: com/alibaba/com/caucho/hessian/security/X509Encryption.java
+ method: "EncryptOutputStream(Hessian2Output)"
+ line: 211
+internal: false
+pattern:
+crash: false
+source:
+ name: MSR 2019 Data Showcase A Dataset of Parametric Cryptographic Misuses by Wickert, Reif, Eichberg, Dodhy, and Mezini
+ url: https://github.com/akwick/MUBench/tree/thesis-2018-anam-dodhy
diff --git a/data/dubbo3/misuses/2/misuse.yml b/data/dubbo3/misuses/2/misuse.yml
new file mode 100644
index 000000000..044aee662
--- /dev/null
+++ b/data/dubbo3/misuses/2/misuse.yml
@@ -0,0 +1,16 @@
+api:
+- javax.crypto.Cipher
+violations:
+- insecure/condition/transformation
+description: >
+ First parameter in Cipher.getInstance(String) is with value "AES" which should be any of AES/{CBC, GCM, PCBC, CTR, CTS, CFB, OFB}.
+location:
+ file: com/alibaba/com/caucho/hessian/security/X509Encryption.java
+ method: "EncryptOutputStream(Hessian2Output)"
+ line: 237
+internal: false
+pattern:
+crash: false
+source:
+ name: MSR 2019 Data Showcase A Dataset of Parametric Cryptographic Misuses by Wickert, Reif, Eichberg, Dodhy, and Mezini
+ url: https://github.com/akwick/MUBench/tree/thesis-2018-anam-dodhy
diff --git a/data/dubbo3/project.yml b/data/dubbo3/project.yml
new file mode 100644
index 000000000..75397d844
--- /dev/null
+++ b/data/dubbo3/project.yml
@@ -0,0 +1,5 @@
+name: dubbo3
+repository:
+ type: git
+ url: https://github.com/linux-china/dubbo3
+url: https://github.com/linux-china/dubbo3
\ No newline at end of file
diff --git a/data/dubbo3/versions/a3fa2db/version.yml b/data/dubbo3/versions/a3fa2db/version.yml
new file mode 100644
index 000000000..4e3d76dec
--- /dev/null
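Review bot: `api` in data/dubbo3/misuses/1/misuse.yml is `java.security.MessageDigest`, but the `description` talks about `Cipher.getInstance(String)` with value "SHA1" and then lists digest names as replacements. "SHA1" is not a cipher transformation, so the description most likely should read `First parameter in MessageDigest.getInstance(String) is with value "SHA1" which should be any of {SHA-256, SHA-384, SHA-512}.`, matching the other MessageDigest entries in this commit. If line 211 really is a Cipher call, the `api` field is the one to correct; the referenced source is not part of the diff, so one of the two needs checking against it.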
+++ b/data/dubbo3/versions/a3fa2db/version.yml
@@ -0,0 +1,9 @@
+build:
+ classes: hessian-lite/$mvn.default.classes
+ commands:
+ - mvn -pl :hessian-lite -am clean install
+ src: hessian-lite/src/main/java/
+misuses:
+- '1'
+- '2'
+revision: a3fa2dbf2d94e54c532a655f776f96f2492f0617
diff --git a/data/everyone-java-blog/misuses/1/misuse.yml b/data/everyone-java-blog/misuses/1/misuse.yml
new file mode 100644
index 000000000..0b9db2a80
--- /dev/null
+++ b/data/everyone-java-blog/misuses/1/misuse.yml
@@ -0,0 +1,16 @@
+api:
+- javax.crypto.SecretKeyFactory
+violations:
+- insecure/condition/transformation
+description: >
+ cipherALG should be AES with key length between (128, 192, 256) instead of given DES
+location:
+ file: com/zuoxiaolong/blog/common/utils/EncodeDecodeUtils.java
+ method: "encryptDes(String, String)"
+ line: 80
+internal: false
+pattern:
+crash: false
+source:
+ name: MSR 2019 Data Showcase A Dataset of Parametric Cryptographic Misuses by Wickert, Reif, Eichberg, Dodhy, and Mezini
+ url: https://github.com/akwick/MUBench/tree/thesis-2018-anam-dodhy
diff --git a/data/everyone-java-blog/misuses/2/misuse.yml b/data/everyone-java-blog/misuses/2/misuse.yml
new file mode 100644
index 000000000..3113f5ac3
--- /dev/null
+++ b/data/everyone-java-blog/misuses/2/misuse.yml
@@ -0,0 +1,16 @@
+api:
+- javax.crypto.Cipher
+violations:
+- insecure/condition/transformation
+description: >
+ First parameter in Cipher.getInstance(String) is with value "DES" which should be any of {AES, Blowfish, DESede, PBEWithHmacSHA224AndAES_128, PBEWithHmacSHA256AndAES_128, PBEWithHmacSHA384AndAES_128, PBEWithHmacSHA512AndAES_128, PBEWithHmacSHA224AndAES_256, PBEWithHmacSHA256AndAES_256, PBEWithHmacSHA384AndAES_256, PBEWithHmacSHA512AndAES_256, RSA}
+location:
+ file: com/zuoxiaolong/blog/common/utils/EncodeDecodeUtils.java
+ method: "encryptDes(String, String)"
+ line: 82
+internal: false
+pattern:
+crash: false
+source:
+ name: MSR 2019 Data Showcase A Dataset of Parametric Cryptographic Misuses by Wickert, Reif, Eichberg, Dodhy, and Mezini
+ url: https://github.com/akwick/MUBench/tree/thesis-2018-anam-dodhy
diff --git a/data/everyone-java-blog/misuses/3/misuse.yml b/data/everyone-java-blog/misuses/3/misuse.yml
new file mode 100644
index 000000000..80dffd56b
--- /dev/null
+++ b/data/everyone-java-blog/misuses/3/misuse.yml
@@ -0,0 +1,16 @@
+api:
+- javax.crypto.Cipher
+violations:
+- insecure/condition/transformation
+description: >
+ First parameter in Cipher.getInstance(String) is with value "DES" which should be any of {AES, Blowfish, DESede, PBEWithHmacSHA224AndAES_128, PBEWithHmacSHA256AndAES_128, PBEWithHmacSHA384AndAES_128, PBEWithHmacSHA512AndAES_128, PBEWithHmacSHA224AndAES_256, PBEWithHmacSHA256AndAES_256, PBEWithHmacSHA384AndAES_256, PBEWithHmacSHA512AndAES_256, RSA}
+location:
+ file: com/zuoxiaolong/blog/common/utils/EncodeDecodeUtils.java
+ method: "decryptDes(String, String)"
+ line: 96
+internal: false
+pattern:
+crash: false
+source:
+ name: MSR 2019 Data Showcase A Dataset of Parametric Cryptographic Misuses by Wickert, Reif, Eichberg, Dodhy, and Mezini
+ url: https://github.com/akwick/MUBench/tree/thesis-2018-anam-dodhy
diff --git a/data/everyone-java-blog/misuses/4/misuse.yml b/data/everyone-java-blog/misuses/4/misuse.yml
new file mode 100644
index 000000000..f34d2d6a0
--- /dev/null
+++ b/data/everyone-java-blog/misuses/4/misuse.yml
@@ -0,0 +1,16 @@
+api:
+- java.security.MessageDigest
+violations:
+- insecure/condition/transformation
+description: >
+ First parameter in MessageDigest.getInstance(String) is with value "MD5" which should be any of {SHA-256, SHA-384, SHA-512}.
+location:
+ file: com/zuoxiaolong/blog/common/utils/EncodeDecodeUtils.java
+ method: "encodeByMd5(byte[])"
+ line: 112
+internal: false
+pattern:
+crash: false
+source:
+ name: MSR 2019 Data Showcase A Dataset of Parametric Cryptographic Misuses by Wickert, Reif, Eichberg, Dodhy, and Mezini
+ url: https://github.com/akwick/MUBench/tree/thesis-2018-anam-dodhy
diff --git a/data/everyone-java-blog/project.yml b/data/everyone-java-blog/project.yml
new file mode 100644
index 000000000..f041f5d09
--- /dev/null
+++ b/data/everyone-java-blog/project.yml
@@ -0,0 +1,5 @@
+name: everyone-java-blog
+repository:
+ type: git
+ url: https://github.com/xiaolongzuo/everyone-java-blog
+url: https://github.com/xiaolongzuo/everyone-java-blog
\ No newline at end of file
diff --git a/data/everyone-java-blog/versions/dcf0ac3/version.yml b/data/everyone-java-blog/versions/dcf0ac3/version.yml
new file mode 100644
index 000000000..61f0cff25
--- /dev/null
+++ b/data/everyone-java-blog/versions/dcf0ac3/version.yml
@@ -0,0 +1,11 @@
+build:
+ classes: blog-common/$mvn.default.classes
+ commands:
+ - mvn clean compile
+ src: blog-common/src/main/java/
+misuses:
+- '1'
+- '2'
+- '3'
+- '4'
+revision: dcf0ac348ce946e9bb02a952334d28114f24f6cd
diff --git a/data/fast-boot-weixin/misuses/1/misuse.yml b/data/fast-boot-weixin/misuses/1/misuse.yml
new file mode 100644
index 000000000..436153b50
--- /dev/null
+++ b/data/fast-boot-weixin/misuses/1/misuse.yml
@@ -0,0 +1,15 @@
+api:
+- javax.crypto.spec.IvParameterSpec
+violations:
+- insecure/condition/randomization
+description: >
+ First parameter while creating IvParameterSpec object i.e. IvParameterSpec(byte[],int,int) was not properly randomized.
+location:
+ file: com/mxixm/fastboot/weixin/service/WxXmlCryptoService.java
+ method: "afterPropertiesSet()"
+ line: 103
+internal: false
+pattern:
+crash: false
+source:
+ name:
diff --git a/data/fast-boot-weixin/misuses/2/misuse.yml b/data/fast-boot-weixin/misuses/2/misuse.yml
new file mode 100644
index 000000000..363f8d76e
--- /dev/null
+++ b/data/fast-boot-weixin/misuses/2/misuse.yml
@@ -0,0 +1,16 @@
+api:
+- javax.crypto.spec.IvParameterSpec
+violations:
+- insecure/condition/randomization
+description: >
+ First parameter while creating IvParameterSpec object i.e. IvParameterSpec(byte[],int,int) was not properly randomized.
+location:
+ file: com/mxixm/fastboot/weixin/service/WxXmlCryptoService.java
+ method: "afterPropertiesSet()"
+ line: 108
+internal: false
+pattern:
+crash: false
+source:
+ name: MSR 2019 Data Showcase A Dataset of Parametric Cryptographic Misuses by Wickert, Reif, Eichberg, Dodhy, and Mezini
+ url: https://github.com/akwick/MUBench/tree/thesis-2018-anam-dodhy
diff --git a/data/fast-boot-weixin/misuses/3/misuse.yml b/data/fast-boot-weixin/misuses/3/misuse.yml
new file mode 100644
index 000000000..9f2524cd7
--- /dev/null
+++ b/data/fast-boot-weixin/misuses/3/misuse.yml
@@ -0,0 +1,16 @@
+api:
+- javax.crypto.spec.SecretKeySpec
+violations:
+- insecure/condition/randomization
+description: >
+ First parameter while creating SecretKeySpec object i.e. SecretKeySpec(byte[],String) was not properly randomized.
+location:
+ file: com/mxixm/fastboot/weixin/service/WxXmlCryptoService.java
+ method: "afterPropertiesSet()"
+ line: 100
+internal: false
+pattern:
+crash: false
+source:
+ name: MSR 2019 Data Showcase A Dataset of Parametric Cryptographic Misuses by Wickert, Reif, Eichberg, Dodhy, and Mezini
+ url: https://github.com/akwick/MUBench/tree/thesis-2018-anam-dodhy
diff --git a/data/fast-boot-weixin/misuses/4/misuse.yml b/data/fast-boot-weixin/misuses/4/misuse.yml
new file mode 100644
index 000000000..00312e057
--- /dev/null
+++ b/data/fast-boot-weixin/misuses/4/misuse.yml
@@ -0,0 +1,15 @@
+api:
+- javax.crypto.Cipher
+violations:
+- insecure/condition/transformation
+description: >
+ First parameter in Cipher.getInstance(String) is with value "AES/CBC/NoPadding" which should be any of AES/CBC/{Empty String, PKCS7Padding, PKCS5Padding, ISO10126Padding}.
+location:
+ file: com/mxixm/fastboot/weixin/service/WxXmlCryptoService.java
+ method: "afterPropertiesSet()"
+ line: 102
+internal: false
+pattern:
+crash: false
+source:
+ name:
diff --git a/data/fast-boot-weixin/misuses/5/misuse.yml b/data/fast-boot-weixin/misuses/5/misuse.yml
new file mode 100644
index 000000000..9d6d93e8c
--- /dev/null
+++ b/data/fast-boot-weixin/misuses/5/misuse.yml
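Review bot: The `description` in data/fast-boot-weixin/misuses/4 (repeated in misuses/5 and in data/game-server/misuses/1) offers only AES/CBC with a padding scheme as the accepted value and says nothing about integrity. CBC with PKCS5/PKCS7 padding and no MAC is the classic setting for padding-oracle problems, so presenting it as the target state can mislead someone who reads the dataset as remediation guidance. `Empty String` is also unclear as a padding name; if it means the two-part form `AES/CBC`, it is worth confirming that the JCA accepts it. I would append a sentence such as `Prefer an authenticated mode (AES/GCM/NoPadding) or pair CBC with a MAC.` to these entries.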
@@ -0,0 +1,16 @@
+api:
+- javax.crypto.Cipher
+violations:
+- insecure/condition/transformation
+description: >
+ First parameter in Cipher.getInstance(String) is with value "AES/CBC/NoPadding" which should be any of AES/CBC/{Empty String, PKCS7Padding, PKCS5Padding, ISO10126Padding}.
+location:
+ file: com/mxixm/fastboot/weixin/service/WxXmlCryptoService.java
+ method: "afterPropertiesSet()"
+ line: 107
+internal: false
+pattern:
+crash: false
+source:
+ name: MSR 2019 Data Showcase A Dataset of Parametric Cryptographic Misuses by Wickert, Reif, Eichberg, Dodhy, and Mezini
+ url: https://github.com/akwick/MUBench/tree/thesis-2018-anam-dodhy
diff --git a/data/fast-boot-weixin/misuses/6/misuse.yml b/data/fast-boot-weixin/misuses/6/misuse.yml
new file mode 100644
index 000000000..36df47eb2
--- /dev/null
+++ b/data/fast-boot-weixin/misuses/6/misuse.yml
@@ -0,0 +1,16 @@
+api:
+- java.security.MessageDigest
+violations:
+- insecure/condition/transformation
+description: >
+ First parameter in MessageDigest.getInstance(String) is with value "SHA-1" which should be any of {SHA-256, SHA-384, SHA-512}
+location:
+ file: com/mxixm/fastboot/weixin/util/CryptUtils.java
+ method: "encryptSHA1(String)"
+ line: 57
+internal: false
+pattern:
+crash: false
+source:
+ name: MSR 2019 Data Showcase A Dataset of Parametric Cryptographic Misuses by Wickert, Reif, Eichberg, Dodhy, and Mezini
+ url: https://github.com/akwick/MUBench/tree/thesis-2018-anam-dodhy
diff --git a/data/fast-boot-weixin/project.yml b/data/fast-boot-weixin/project.yml
new file mode 100644
index 000000000..2d4207948
--- /dev/null
+++ b/data/fast-boot-weixin/project.yml
@@ -0,0 +1,5 @@
+name: fast-boot-weixin
+repository:
+ type: git
+ url: https://github.com/FastBootWeixin/FastBootWeixin
+url: https://github.com/FastBootWeixin/FastBootWeixin
\ No newline at end of file
diff --git a/data/fast-boot-weixin/versions/c47a650/version.yml b/data/fast-boot-weixin/versions/c47a650/version.yml
new file mode 100644
index 000000000..a2f9508ef
--- /dev/null
+++ b/data/fast-boot-weixin/versions/c47a650/version.yml
@@ -0,0 +1,13 @@
+build:
+ classes: $mvn.default.classes
+ commands:
+ - mvn compile
+ src: src/main/java/
+misuses:
+- '1'
+- '2'
+- '3'
+- '4'
+- '5'
+- '6'
+revision: c47a650c1b4effcf0b3c8fd18dca9889fa895812
diff --git a/data/game-server/misuses/1/misuse.yml b/data/game-server/misuses/1/misuse.yml
new file mode 100644
index 000000000..f06ef3301
--- /dev/null
+++ b/data/game-server/misuses/1/misuse.yml
@@ -0,0 +1,16 @@
+api:
+- javax.crypto.Cipher
+violations:
+- insecure/condition/transformation
+description: >
+ First parameter in Cipher.getInstance(String) is with value "AES/CBC/NoPadding" which should be any of AES/CBC/{Empty String, PKCS7Padding, PKCS5Padding, ISO10126Padding}.
+location:
+ file: com/jzy/game/engine/mina/code/ClientProtocolDecoder.java
+ method: "decryptAES(byte[])"
+ line: 154
+internal: false
+pattern:
+crash: false
+source:
+ name: MSR 2019 Data Showcase A Dataset of Parametric Cryptographic Misuses by Wickert, Reif, Eichberg, Dodhy, and Mezini
+ url: https://github.com/akwick/MUBench/tree/thesis-2018-anam-dodhy
diff --git a/data/game-server/misuses/2/misuse.yml b/data/game-server/misuses/2/misuse.yml
new file mode 100644
index 000000000..520006fd6
--- /dev/null
+++ b/data/game-server/misuses/2/misuse.yml
@@ -0,0 +1,16 @@
+api:
+- java.security.MessageDigest
+violations:
+- insecure/condition/transformation
+description: >
+ First parameter in MessageDigest.getInstance(String) is with value "MD5" which should be any of {SHA-256, SHA-384, SHA-512}.
+location:
+ file: com/jzy/game/engine/util/CipherUtil.java
+ method: "md5(byte[])"
+ line: 16
+internal: false
+pattern:
+crash: false
+source:
+ name: MSR 2019 Data Showcase A Dataset of Parametric Cryptographic Misuses by Wickert, Reif, Eichberg, Dodhy, and Mezini
+ url: https://github.com/akwick/MUBench/tree/thesis-2018-anam-dodhy
diff --git a/data/game-server/misuses/3/misuse.yml b/data/game-server/misuses/3/misuse.yml
new file mode 100644
index 000000000..2ffc5a9c0
--- /dev/null
+++ b/data/game-server/misuses/3/misuse.yml
@@ -0,0 +1,16 @@
+api:
+- java.security.MessageDigest
+violations:
+- insecure/condition/transformation
+description: >
+ First parameter in MessageDigest.getInstance(String) is with value "SHA-1" which should be any of {SHA-256, SHA-384, SHA-512}.
+location:
+ file: com/jzy/game/engine/mina/websocket/WebSocketUtils.java
+ method: "getWebSocketKeyChallengeResponse(String)"
+ line: 52
+internal: false
+pattern:
+crash: false
+source:
+ name: MSR 2019 Data Showcase A Dataset of Parametric Cryptographic Misuses by Wickert, Reif, Eichberg, Dodhy, and Mezini
+ url: https://github.com/akwick/MUBench/tree/thesis-2018-anam-dodhy
diff --git a/data/game-server/misuses/4/misuse.yml b/data/game-server/misuses/4/misuse.yml
new file mode 100644
index 000000000..6f6aac61a
--- /dev/null
+++ b/data/game-server/misuses/4/misuse.yml
@@ -0,0 +1,16 @@
+api:
+- javax.crypto.spec.IvParameterSpec
+violations:
+- insecure/condition/randomization
+description: >
+ First parameter while creating IvParameterSpec object i.e. IvParameterSpec(byte[],int,int) was not properly randomized.
+location:
+ file: com/jzy/game/engine/mina/code/ClientProtocolDecoder.java
+ method: "decryptAES(byte[])"
+ line: 156
+internal: false
+pattern:
+crash: false
+source:
+ name: MSR 2019 Data Showcase A Dataset of Parametric Cryptographic Misuses by Wickert, Reif, Eichberg, Dodhy, and Mezini
+ url: https://github.com/akwick/MUBench/tree/thesis-2018-anam-dodhy
diff --git a/data/game-server/project.yml b/data/game-server/project.yml
new file mode 100644
index 000000000..209ce2bd1
--- /dev/null
+++ b/data/game-server/project.yml
@@ -0,0 +1,5 @@
+name: game-server
+repository:
+ type: git
+ url: https://github.com/jzyong/game-server
+url: https://github.com/jzyong/game-server
\ No newline at end of file
diff --git a/data/game-server/versions/6d7d450/version.yml b/data/game-server/versions/6d7d450/version.yml
new file mode 100644
index 000000000..0db1e4249
--- /dev/null
+++ b/data/game-server/versions/6d7d450/version.yml
@@ -0,0 +1,11 @@
+build:
+ classes: game-engine/$mvn.default.classes
+ commands:
+ - mvn compile
+ src: game-engine/src/main/java/
+misuses:
+- '1'
+- '2'
+- '3'
+- '4'
+revision: 6d7d4506b2dd51a14279e97982f3f988839eb34f
diff --git a/data/ha-bridge/misuses/1/correct-usages/SecureCipherAlgSecretKeyFactory.javaw b/data/ha-bridge/misuses/1/correct-usages/SecureCipherAlgSecretKeyFactory.javaw
new file mode 100644
index 000000000..066dba072
--- /dev/null
+++ b/data/ha-bridge/misuses/1/correct-usages/SecureCipherAlgSecretKeyFactory.javaw
@@ -0,0 +1,7 @@
+import javax.crypto.SecretKeyFactory;
+
+public class SecureCipherAlgSecretKeyFactory {
+ public static void pattern() {
+ SecretKeyFactory skf = SecretKeyFactory.getInstance("PBEWithHmacSHA512AndAES_128");
+ }
+}
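Review bot: The correct-usage sample data/ha-bridge/misuses/1/correct-usages/SecureCipherAlgSecretKeyFactory.javaw would not compile, because `pattern()` neither declares nor catches the checked `NoSuchAlgorithmException` that `SecretKeyFactory.getInstance` throws. The `.javaw` extension also looks like a typo, and tooling that collects `.java` correct usages may skip the file (an inference; the loader is not shown). The sibling sample under misuses/5 already handles the exception, so I would rename this file to `.java`, add `import java.security.NoSuchAlgorithmException;` and change the signature to `public static void pattern() throws NoSuchAlgorithmException {`.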
diff --git a/data/ha-bridge/misuses/1/misuse.yml b/data/ha-bridge/misuses/1/misuse.yml
new file mode 100644
index 000000000..141c879cd
--- /dev/null
+++ b/data/ha-bridge/misuses/1/misuse.yml
@@ -0,0 +1,16 @@
+api:
+- javax.crypto.SecretKeyFactory
+violations:
+- insecure/condition/transformation
+description: >
+ cipherALG in SecretKeyFactory.getInstance(String) should be AES with key length between (128, 192, 256) instead of given PBEWithMD5AndDES.
+location:
+ file: com/bwssystems/HABridge/BridgeSecurity.java
+ method: "encrypt(String)"
+ line: 328
+internal: false
+pattern:
+crash: false
+source:
+ name: MSR 2019 Data Showcase A Dataset of Parametric Cryptographic Misuses by Wickert, Reif, Eichberg, Dodhy, and Mezini
+ url: https://github.com/akwick/MUBench/tree/thesis-2018-anam-dodhy
diff --git a/data/ha-bridge/misuses/2/correct-usages/CreateSecurePBEParameterSpec.java b/data/ha-bridge/misuses/2/correct-usages/CreateSecurePBEParameterSpec.java
new file mode 100644
index 000000000..666340b47
--- /dev/null
+++ b/data/ha-bridge/misuses/2/correct-usages/CreateSecurePBEParameterSpec.java
@@ -0,0 +1,8 @@
+import javax.crypto.spec.PBEParameterSpec;
+
+
+public class CreateSecurePBEParameterSpec {
+ public void pattern(byte[] salt) {
+ PBEParameterSpec pbeps = new PBEParameterSpec(salt, 15000);
+ }
+}
diff --git a/data/ha-bridge/misuses/2/misuse.yml b/data/ha-bridge/misuses/2/misuse.yml
new file mode 100644
index 000000000..1a46bc247
--- /dev/null
+++ b/data/ha-bridge/misuses/2/misuse.yml
@@ -0,0 +1,17 @@
+api:
+- javax.crypto.spec.PBEParameterSpec
+violations:
+- insecure/condition/iteration_count
+description: |
+ The parameter iteration count for the constructor of PBEParameterSpec is 20 and should be greater than 10000.
+ More details are available in the following CrySL rule .
+location:
+ file: com/bwssystems/HABridge/BridgeSecurity.java
+ method: "encrypt(String)"
+ line: 331
+internal: false
+pattern:
+crash: false
+source:
+ name: MSR 2019 Data Showcase A Dataset of Parametric Cryptographic Misuses by Wickert, Reif, Eichberg, Dodhy, and Mezini
+ url: https://github.com/akwick/MUBench/tree/thesis-2018-anam-dodhy
diff --git a/data/ha-bridge/misuses/3/correct-usages/ConstructPBEParameterSpecWithRandomizedSalt.java b/data/ha-bridge/misuses/3/correct-usages/ConstructPBEParameterSpecWithRandomizedSalt.java
new file mode 100644
index 000000000..4f88802ed
--- /dev/null
+++ b/data/ha-bridge/misuses/3/correct-usages/ConstructPBEParameterSpecWithRandomizedSalt.java
@@ -0,0 +1,12 @@
+import javax.crypto.spec.PBEParameterSpec;
+import java.security.SecureRandom;
+
+
+public class ConstructPBEParameterSpecWithRandomizedSalt{
+ public void pattern(int iterationCount) {
+ SecureRandom salt = new SecureRandom();
+ byte bytes[] = new byte[100];
+ salt.nextBytes(bytes);
+ PBEParameterSpec pbkps = new PBEParameterSpec(bytes, iterationCount);
+ }
+}
diff --git a/data/ha-bridge/misuses/3/misuse.yml b/data/ha-bridge/misuses/3/misuse.yml
new file mode 100644
index 000000000..11df93923
--- /dev/null
+++ b/data/ha-bridge/misuses/3/misuse.yml
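Review bot: The description in data/ha-bridge/misuses/2/misuse.yml ends with `More details are available in the following CrySL rule .`, but no rule name or link follows, so the reference is dangling. Either name the rule after "CrySL rule" or drop the sentence, as the otherwise identical entry under misuses/7 does. This is also the only entry visible here that uses a literal `|` block scalar where the others use `>`; if that was only there to keep the second sentence on its own line, `>` would match the rest of the dataset once the sentence is removed.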
@@ -0,0 +1,16 @@
+api:
+- javax.crypto.spec.PBEParameterSpec
+violations:
+- insecure/condition/randomization
+description: >
+ Salt is not properly randomized while creating PBEParameterSpec object.
+location:
+ file: com/bwssystems/HABridge/BridgeSecurity.java
+ method: "encrypt(String)"
+ line: 331
+internal: false
+pattern:
+crash: false
+source:
+ name: MSR 2019 Data Showcase A Dataset of Parametric Cryptographic Misuses by Wickert, Reif, Eichberg, Dodhy, and Mezini
+ url: https://github.com/akwick/MUBench/tree/thesis-2018-anam-dodhy
diff --git a/data/ha-bridge/misuses/4/correct-usages/ConstructPBEKeySpec.java b/data/ha-bridge/misuses/4/correct-usages/ConstructPBEKeySpec.java
new file mode 100644
index 000000000..7497d09d5
--- /dev/null
+++ b/data/ha-bridge/misuses/4/correct-usages/ConstructPBEKeySpec.java
@@ -0,0 +1,7 @@
+import javax.crypto.spec.PBEKeySpec;
+
+public class ConstructPBEKeySpec{
+ public void pattern(char[] password,byte[] salt,int iterationCount,int keylength ) {
+ PBEKeySpec pbeks = new PBEKeySpec(password, salt, iterationCount, keylength);
+ }
+}
diff --git a/data/ha-bridge/misuses/4/misuse.yml b/data/ha-bridge/misuses/4/misuse.yml
new file mode 100644
index 000000000..cfb04bc66
--- /dev/null
+++ b/data/ha-bridge/misuses/4/misuse.yml
@@ -0,0 +1,16 @@
+api:
+- javax.crypto.spec.PBEKeySpec
+violations:
+- missing/condition/iteration_count
+description: >
+ PBEKeySpec(char[]) constructor is forbidden from being used as per CrySL rules, the constructor used should be PBEKeySpec(pw, salt, it, keylength);
+location:
+ file: com/bwssystems/HABridge/BridgeSecurity.java
+ method: "encrypt(String)"
+ line: 329
+internal: false
+pattern:
+crash: false
+source:
+ name: MSR 2019 Data Showcase A Dataset of Parametric Cryptographic Misuses by Wickert, Reif, Eichberg, Dodhy, and Mezini
+ url: https://github.com/akwick/MUBench/tree/thesis-2018-anam-dodhy
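Review bot: The correct-usage sample data/ha-bridge/misuses/4/correct-usages/ConstructPBEKeySpec.java stops after constructing the `PBEKeySpec`, so the password copy held inside the spec is never wiped. As far as I recall, the CrySL rule for PBEKeySpec also expects `clearPassword()` after use, which would make this reference pattern incomplete. I would add `pbeks.clearPassword();` as the last statement of `pattern`. The same applies to misuses/6/correct-usages/ConstructPBEKeySpec.java and to instagram4j's ConstructSecretKeySpec.java, where the call belongs after `skf.generateSecret(pbeks)`.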
diff --git a/data/ha-bridge/misuses/5/correct-usages/ConstructSecretKeyFactory.java b/data/ha-bridge/misuses/5/correct-usages/ConstructSecretKeyFactory.java
new file mode 100644
index 000000000..d35147538
--- /dev/null
+++ b/data/ha-bridge/misuses/5/correct-usages/ConstructSecretKeyFactory.java
@@ -0,0 +1,9 @@
+import javax.crypto.SecretKeyFactory;
+import java.security.NoSuchAlgorithmException;
+
+public class ConstructSecretKeyFactory{
+ public void pattern() throws NoSuchAlgorithmException {
+ SecretKeyFactory skf = SecretKeyFactory.getInstance("PBEWithHmacSHA512AndAES_128");
+ }
+
+}
diff --git a/data/ha-bridge/misuses/5/misuse.yml b/data/ha-bridge/misuses/5/misuse.yml
new file mode 100644
index 000000000..4163f0b33
--- /dev/null
+++ b/data/ha-bridge/misuses/5/misuse.yml
@@ -0,0 +1,16 @@
+api:
+- javax.crypto.SecretKeyFactory
+violations:
+- insecure/condition/transformation
+description: >
+ cipherALG in SecretKeyFactory.getInstance(String) should be AES with key length between (128, 192, 256) instead of given PBEWithMD5AndDES.
+location:
+ file: com/bwssystems/HABridge/BridgeSecurity.java
+ method: "decrypt(String)"
+ line: 340
+internal: false
+pattern:
+crash: false
+source:
+ name: MSR 2019 Data Showcase A Dataset of Parametric Cryptographic Misuses by Wickert, Reif, Eichberg, Dodhy, and Mezini
+ url: https://github.com/akwick/MUBench/tree/thesis-2018-anam-dodhy
diff --git a/data/ha-bridge/misuses/6/correct-usages/ConstructPBEKeySpec.java b/data/ha-bridge/misuses/6/correct-usages/ConstructPBEKeySpec.java
new file mode 100644
index 000000000..139764b78
--- /dev/null
+++ b/data/ha-bridge/misuses/6/correct-usages/ConstructPBEKeySpec.java
@@ -0,0 +1,7 @@
+import javax.crypto.spec.PBEKeySpec;
+
+public class ConstructPBEKeySpec{
+ public void pattern(char[] password,byte[] salt, int iterationCount, int keylength){
+ PBEKeySpec pbeks = new PBEKeySpec(password, salt, iterationCount, keylength);
+ }
+}
diff --git a/data/ha-bridge/misuses/6/misuse.yml b/data/ha-bridge/misuses/6/misuse.yml
new file mode 100644
index 000000000..3d8051d70
--- /dev/null
+++ b/data/ha-bridge/misuses/6/misuse.yml
@@ -0,0 +1,16 @@
+api:
+- javax.crypto.spec.PBEKeySpec
+violations:
+- missing/condition/iteration_count
+description: >
+ PBEKeySpec(char[]) constructor is forbidden from being used as per CrySL rules, the constructor used should be PBEKeySpec(pw, salt, it, keylength);
+location:
+ file: com/bwssystems/HABridge/BridgeSecurity.java
+ method: "decrypt(String)"
+ line: 341
+internal: false
+pattern:
+crash: false
+source:
+ name: MSR 2019 Data Showcase A Dataset of Parametric Cryptographic Misuses by Wickert, Reif, Eichberg, Dodhy, and Mezini
+ url: https://github.com/akwick/MUBench/tree/thesis-2018-anam-dodhy
diff --git a/data/ha-bridge/misuses/7/correct-usages/CreateSecurePBEParameterSpec.java b/data/ha-bridge/misuses/7/correct-usages/CreateSecurePBEParameterSpec.java
new file mode 100644
index 000000000..666340b47
--- /dev/null
+++ b/data/ha-bridge/misuses/7/correct-usages/CreateSecurePBEParameterSpec.java
@@ -0,0 +1,8 @@
+import javax.crypto.spec.PBEParameterSpec;
+
+
+public class CreateSecurePBEParameterSpec {
+ public void pattern(byte[] salt) {
+ PBEParameterSpec pbeps = new PBEParameterSpec(salt, 15000);
+ }
+}
diff --git a/data/ha-bridge/misuses/7/misuse.yml b/data/ha-bridge/misuses/7/misuse.yml
new file mode 100644
index 000000000..28a7195de
--- /dev/null
+++ b/data/ha-bridge/misuses/7/misuse.yml
@@ -0,0 +1,16 @@
+api:
+- javax.crypto.spec.PBEParameterSpec
+violations:
+- insecure/condition/iteration_count
+description: >
+ The parameter iteration count for the constructor of PBEParameterSpec is 20 and should be greater than 10000.
+location:
+ file: com/bwssystems/HABridge/BridgeSecurity.java
+ method: "decrypt(String)"
+ line: 343
+internal: false
+pattern:
+crash: false
+source:
+ name: MSR 2019 Data Showcase A Dataset of Parametric Cryptographic Misuses by Wickert, Reif, Eichberg, Dodhy, and Mezini
+ url: https://github.com/akwick/MUBench/tree/thesis-2018-anam-dodhy
diff --git a/data/ha-bridge/misuses/8/correct-usages/ConstructPBEParameterSpecWithRandomizedSalt.java b/data/ha-bridge/misuses/8/correct-usages/ConstructPBEParameterSpecWithRandomizedSalt.java
new file mode 100644
index 000000000..4f88802ed
--- /dev/null
+++ b/data/ha-bridge/misuses/8/correct-usages/ConstructPBEParameterSpecWithRandomizedSalt.java
@@ -0,0 +1,12 @@
+import javax.crypto.spec.PBEParameterSpec;
+import java.security.SecureRandom;
+
+
+public class ConstructPBEParameterSpecWithRandomizedSalt{
+ public void pattern(int iterationCount) {
+ SecureRandom salt = new SecureRandom();
+ byte bytes[] = new byte[100];
+ salt.nextBytes(bytes);
+ PBEParameterSpec pbkps = new PBEParameterSpec(bytes, iterationCount);
+ }
+}
diff --git a/data/ha-bridge/misuses/8/misuse.yml b/data/ha-bridge/misuses/8/misuse.yml
new file mode 100644
index 000000000..e9666c259
--- /dev/null
+++ b/data/ha-bridge/misuses/8/misuse.yml
@@ -0,0 +1,16 @@
+api:
+- javax.crypto.spec.PBEParameterSpec
+violations:
+- insecure/condition/randomization
+description: >
+ Salt is not properly randomized while creating PBEParameterSpec object.
+location:
+ file: com/bwssystems/HABridge/BridgeSecurity.java
+ method: "decrypt(String)"
+ line: 343
+internal: false
+pattern:
+crash: false
+source:
+ name: MSR 2019 Data Showcase A Dataset of Parametric Cryptographic Misuses by Wickert, Reif, Eichberg, Dodhy, and Mezini
+ url: https://github.com/akwick/MUBench/tree/thesis-2018-anam-dodhy
diff --git a/data/ha-bridge/project.yml b/data/ha-bridge/project.yml
new file mode 100644
index 000000000..bc59445e6
--- /dev/null
+++ b/data/ha-bridge/project.yml
@@ -0,0 +1,5 @@
+name: ha-bridge
+repository:
+ type: git
+ url: https://github.com/bwssytems/ha-bridge
+url: https://github.com/bwssytems/ha-bridge
\ No newline at end of file
diff --git a/data/ha-bridge/versions/c25f08f/version.yml b/data/ha-bridge/versions/c25f08f/version.yml
new file mode 100644
index 000000000..62f3f1430
--- /dev/null
+++ b/data/ha-bridge/versions/c25f08f/version.yml
@@ -0,0 +1,15 @@
+build:
+ classes: $mvn.default.classes
+ commands:
+ - mvn clean compile
+ src: /src/main/java/
+misuses:
+- '1'
+- '2'
+- '3'
+- '4'
+- '5'
+- '6'
+- '7'
+- '8'
+revision: c25f08f142a0f30d470d8c6f7335792aca9db9c0
diff --git a/data/hsweb-framework/misuses/1/misuse.yml b/data/hsweb-framework/misuses/1/misuse.yml
new file mode 100644
index 000000000..3b35344ff
--- /dev/null
+++ b/data/hsweb-framework/misuses/1/misuse.yml
@@ -0,0 +1,15 @@
+api:
+- javax.crypto.spec.SecretKeySpec
+violations:
+- insecure/condition/randomization
+description: >
+ While creating the SecretKeySpec object, the first parameter was not properly randomized.
+location:
+ file: org/hswebframework/web/authorization/jwt/JwtConfig.java
+ method: "generalKey()"
+ line: 47
+internal: false
+pattern:
+crash: false
+source:
+ name:
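Review bot: In data/ha-bridge/versions/c25f08f/version.yml the build source is written as `src: /src/main/java/` with a leading slash, while the other version.yml files visible here use a checkout-relative path such as `src: src/main/java/`. If the consumer joins this value onto the checkout directory, the leading slash may be read as an absolute path and point outside the project; that cannot be verified from the diff. I would write `src: src/main/java/` to match the other entries.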
diff --git a/data/hsweb-framework/project.yml b/data/hsweb-framework/project.yml
new file mode 100644
index 000000000..e1a5d5096
--- /dev/null
+++ b/data/hsweb-framework/project.yml
@@ -0,0 +1,5 @@
+name: hsweb-framework
+repository:
+ type: git
+ url: https://github.com/hs-web/hsweb-framework
+url: https://github.com/hs-web/hsweb-framework
\ No newline at end of file
diff --git a/data/hsweb-framework/versions/7bc7090/version.yml b/data/hsweb-framework/versions/7bc7090/version.yml
new file mode 100644
index 000000000..7366618bf
--- /dev/null
+++ b/data/hsweb-framework/versions/7bc7090/version.yml
@@ -0,0 +1,8 @@
+build:
+ classes: hsweb-authorization/hsweb-authorization-jwt/$mvn.default.classes
+ commands:
+ - mvn compile
+ src: hsweb-authorization/hsweb-authorization-jwt/src/main/java/
+misuses:
+- '1'
+revision: 7bc7090e29b61531320c5576edd4af5fe50f5070
diff --git a/data/ijpay/misuses/1/misuse.yml b/data/ijpay/misuses/1/misuse.yml
new file mode 100644
index 000000000..8a962fcca
--- /dev/null
+++ b/data/ijpay/misuses/1/misuse.yml
@@ -0,0 +1,15 @@
+api:
+- java.security.MessageDigest
+violations:
+- insecure/condition/transformation
+description: >
+ First parameter in MessageDigest.getInstance(String) is with value "SHA-1" should be any of {SHA-256, SHA-384, SHA-512}
+location:
+ file: com/jpay/unionpay/SecureUtil.java
+ method: "sha1(byte[])"
+ line: 167
+internal: false
+pattern:
+crash: false
+source:
+ name:
diff --git a/data/ijpay/misuses/2/misuse.yml b/data/ijpay/misuses/2/misuse.yml
new file mode 100644
index 000000000..2bad2d7b5
--- /dev/null
+++ b/data/ijpay/misuses/2/misuse.yml
@@ -0,0 +1,15 @@
+api:
+- java.security.Signature
+violations:
+- insecure/condition/key
+description: >
+ First parameter in initVerify(publicKey) is not a properly generatedPubkey
+location:
+ file: com/jpay/unionpay/SecureUtil.java
+ method: "validateSignBySoft(PublicKey, byte[], byte[])"
+ line: 302
+internal: false
+pattern:
+crash: false
+source:
+ name:
diff --git a/data/ijpay/misuses/3/misuse.yml b/data/ijpay/misuses/3/misuse.yml
new file mode 100644
index 000000000..acb3ce747
--- /dev/null
+++ b/data/ijpay/misuses/3/misuse.yml
@@ -0,0 +1,16 @@
+api:
+- java.security.Signature
+violations:
+- insecure/condition/transformation
+description: >
+ First parameter in Signature.getInstance(String,String) is with value "SHA1withRSA" should be any of {NONEwithDSA, SHA1withDSA, SHA224withDSA, SHA256withDSA, SHA256withRSA, SHA256withECDSA}
+location:
+ file: com/jpay/unionpay/SecureUtil.java
+ method: "validateSignBySoft(PublicKey, byte[], byte[])"
+ line: 301
+internal: false
+pattern:
+crash: false
+source:
+ name: MSR 2019 Data Showcase A Dataset of Parametric Cryptographic Misuses by Wickert, Reif, Eichberg, Dodhy, and Mezini
+ url: https://github.com/akwick/MUBench/tree/thesis-2018-anam-dodhy
diff --git a/data/ijpay/misuses/4/misuse.yml b/data/ijpay/misuses/4/misuse.yml
new file mode 100644
index 000000000..eaf34cad8
--- /dev/null
+++ b/data/ijpay/misuses/4/misuse.yml
@@ -0,0 +1,16 @@
+api:
+- java.security.Signature
+violations:
+- insecure/condition/key
+description: >
+ First parameter in Signature.initSign(PrivateKey) is not a properly generatedPrivkey
+location:
+ file: com/jpay/unionpay/SecureUtil.java
+ method: "signBySoft(PrivateKey, byte[])"
+ line: 277
+internal: false
+pattern:
+crash: false
+source:
+ name: MSR 2019 Data Showcase A Dataset of Parametric Cryptographic Misuses by Wickert, Reif, Eichberg, Dodhy, and Mezini
+ url: https://github.com/akwick/MUBench/tree/thesis-2018-anam-dodhy
diff --git a/data/ijpay/misuses/5/misuse.yml b/data/ijpay/misuses/5/misuse.yml
new file mode 100644
index 000000000..bd7ac27ed
--- /dev/null
+++ b/data/ijpay/misuses/5/misuse.yml
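Review bot: The description in data/ijpay/misuses/3/misuse.yml flags `SHA1withRSA` but lists `SHA1withDSA` and `NONEwithDSA` among the accepted values, so a reader could take SHA-1 based signing as endorsed by the dataset. The list presumably mirrors the CrySL rule that produced the finding; a short qualifier in the description, such as `(allowed set as given by the CrySL rule; prefer the SHA-256 variants)`, would avoid that reading. The sentence also lacks the "which" before "should be" that the other entries have, and the same text recurs in ijpay/misuses/5.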
@@ -0,0 +1,16 @@
+api:
+- java.security.Signature
+violations:
+- insecure/condition/transformation
+description: >
+ First parameter in Signature.getInstance(String,String) is with value "SHA1withRSA" should be any of {NONEwithDSA, SHA1withDSA, SHA224withDSA, SHA256withDSA, SHA256withRSA, SHA256withECDSA}
+location:
+ file: com/jpay/unionpay/SecureUtil.java
+ method: "signBySoft(PrivateKey, byte[])"
+ line: 276
+internal: false
+pattern:
+crash: false
+source:
+ name: MSR 2019 Data Showcase A Dataset of Parametric Cryptographic Misuses by Wickert, Reif, Eichberg, Dodhy, and Mezini
+ url: https://github.com/akwick/MUBench/tree/thesis-2018-anam-dodhy
diff --git a/data/ijpay/misuses/6/misuse.yml b/data/ijpay/misuses/6/misuse.yml
new file mode 100644
index 000000000..12139e55f
--- /dev/null
+++ b/data/ijpay/misuses/6/misuse.yml
@@ -0,0 +1,16 @@
+api:
+- java.security.Signature
+violations:
+- insecure/condition/key
+description: >
+ First parameter in Signature.initVerify(publicKey) is not a properly generatedPubkey
+location:
+ file: com/jpay/unionpay/SecureUtil.java
+ method: "validateSignBySoft256(PublicKey, byte[], byte[])"
+ line: 310
+internal: false
+pattern:
+crash: false
+source:
+ name: MSR 2019 Data Showcase A Dataset of Parametric Cryptographic Misuses by Wickert, Reif, Eichberg, Dodhy, and Mezini
+ url: https://github.com/akwick/MUBench/tree/thesis-2018-anam-dodhy
diff --git a/data/ijpay/misuses/7/misuse.yml b/data/ijpay/misuses/7/misuse.yml
new file mode 100644
index 000000000..57f46e8fa
--- /dev/null
+++ b/data/ijpay/misuses/7/misuse.yml
@@ -0,0 +1,16 @@
+api:
+- javax.crypto.Cipher
+violations:
+- insecure/condition/key
+description: >
+ Second parameter in cipher.init(int, Key) is not properly generatedKey
+location:
+ file: com/jpay/unionpay/SecureUtil.java
+ method: "decryptData(PrivateKey, byte[])"
+ line: 441
+internal: false
+pattern:
+crash: false
+source:
+ name: MSR 2019 Data Showcase A Dataset of Parametric Cryptographic Misuses by Wickert, Reif, Eichberg, Dodhy, and Mezini
+ url: https://github.com/akwick/MUBench/tree/thesis-2018-anam-dodhy
diff --git a/data/ijpay/misuses/8/misuse.yml b/data/ijpay/misuses/8/misuse.yml
new file mode 100644
index 000000000..348ca488f
--- /dev/null
+++ b/data/ijpay/misuses/8/misuse.yml
@@ -0,0 +1,16 @@
+api:
+- java.security.Signature
+violations:
+- insecure/condition/key
+description: >
+ First parameter in Signature.initSign(PrivateKey) is not a properly generatedPrivkey
+location:
+ file: com/jpay/unionpay/SecureUtil.java
+ method: "signBySoft256(PrivateKey, byte[])"
+ line: 293
+internal: false
+pattern:
+crash: false
+source:
+ name: MSR 2019 Data Showcase A Dataset of Parametric Cryptographic Misuses by Wickert, Reif, Eichberg, Dodhy, and Mezini
+ url: https://github.com/akwick/MUBench/tree/thesis-2018-anam-dodhy
diff --git a/data/ijpay/project.yml b/data/ijpay/project.yml
new file mode 100644
index 000000000..0b05b416b
--- /dev/null
+++ b/data/ijpay/project.yml
@@ -0,0 +1,5 @@
+name: IJPay
+repository:
+ type: git
+ url: https://github.com/Javen205/IJPay
+url: https://github.com/Javen205/IJPay
\ No newline at end of file
diff --git a/data/ijpay/versions/a372a7a/version.yml b/data/ijpay/versions/a372a7a/version.yml
new file mode 100644
index 000000000..fbdeec666
--- /dev/null
+++ b/data/ijpay/versions/a372a7a/version.yml
@@ -0,0 +1,15 @@
+build:
+ classes: $mvn.default.classes
+ commands:
+ - mvn compile
+ src: src/main/java/
+misuses:
+- '1'
+- '2'
+- '3'
+- '4'
+- '5'
+- '6'
+- '7'
+- '8'
+revision: a372a7af405bb60ef8e101f1f0ece03e9d25081e
diff --git a/data/instagram4j/misuses/1/correct-usages/ConstructSecretKeySpec.java b/data/instagram4j/misuses/1/correct-usages/ConstructSecretKeySpec.java
new file mode 100644
index 000000000..648567b50
--- /dev/null
+++ b/data/instagram4j/misuses/1/correct-usages/ConstructSecretKeySpec.java
@@ -0,0 +1,17 @@
+import javax.crypto.spec.SecretKeySpec;
+import javax.crypto.SecretKeyFactory;
+import javax.crypto.SecretKey;
+import javax.crypto.spec.PBEKeySpec;
+import java.security.NoSuchAlgorithmException;
+import java.security.spec.InvalidKeySpecException;
+
+public class ConstructSecretKeySpec {
+ public void pattern(char[] password,byte[] salt,int iterationCount,int keylength,java.lang.String algorithm) throws NoSuchAlgorithmException, InvalidKeySpecException{
+ SecretKeyFactory skf = SecretKeyFactory.getInstance("PBEWithHmacSHA512AndAES_128");
+ PBEKeySpec pbeks = new PBEKeySpec(password, salt, iterationCount, keylength);
+ SecretKey key = skf.generateSecret(pbeks);
+ byte keyMaterial[] = key.getEncoded();
+ SecretKeySpec sks = new SecretKeySpec(keyMaterial, algorithm);
+ }
+}
+
diff --git a/data/instagram4j/misuses/1/misuse.yml b/data/instagram4j/misuses/1/misuse.yml
new file mode 100644
index 000000000..12ffa7a06
--- /dev/null
+++ b/data/instagram4j/misuses/1/misuse.yml
@@ -0,0 +1,15 @@
+api:
+- javax.crypto.spec.SecretKeySpec
+violations:
+- insecure/condition/randomization
+description: >
+ The first parameter in SecretKeySpec is a not properly generated key.
+location:
+ file: org/brunocvcunha/instagram4j/util/InstagramHashUtil.java
+ method: "generateHash(String, String)"
+ line: 128
+internal: false
+pattern:
+crash: false
+source:
+ name:
diff --git a/data/instagram4j/project.yml b/data/instagram4j/project.yml
new file mode 100644
index 000000000..c4015fa91
--- /dev/null
+++ b/data/instagram4j/project.yml
@@ -0,0 +1,5 @@
+name: instagram4j
+repository:
+ type: git
+ url: https://github.com/brunocvcunha/instagram4j
+url: https://github.com/brunocvcunha/instagram4j
\ No newline at end of file
diff --git a/data/instagram4j/versions/ae85b2b/version.yml b/data/instagram4j/versions/ae85b2b/version.yml
new file mode 100644
index 000000000..0da98ddda
--- /dev/null
+++ b/data/instagram4j/versions/ae85b2b/version.yml
@@ -0,0 +1,8 @@
+build:
+ classes: $mvn.default.classes
+ commands:
+ - mvn compile
+ src: src/main/java/
+misuses:
+- '1'
+revision: ae85b2b123b0e8dc4ca4b9ac77a981e210e0e8c7
diff --git a/data/j360-dubbo-app-all/misuses/1/misuse.yml b/data/j360-dubbo-app-all/misuses/1/misuse.yml
new file mode 100644
index 000000000..69a06e943
--- /dev/null
+++ b/data/j360-dubbo-app-all/misuses/1/misuse.yml
@@ -0,0 +1,16 @@
+api:
+- javax.crypto.Cipher
+violations:
+- insecure/condition/transformation
+description: >
+ First parameter in Cipher.getInstance(String) is with value "AES" which should be any of AES/{CBC, GCM, PCBC, CTR, CTS, CFB, OFB}.
+location:
+ file: me/j360/dubbo/modules/util/security/CryptoUtil.java
+ method: "aes(byte[], byte[], int)"
+ line: 140
+internal: false
+pattern:
+crash: false
+source:
+ name: MSR 2019 Data Showcase A Dataset of Parametric Cryptographic Misuses by Wickert, Reif, Eichberg, Dodhy, and Mezini
+ url: https://github.com/akwick/MUBench/tree/thesis-2018-anam-dodhy
diff --git a/data/j360-dubbo-app-all/misuses/2/misuse.yml b/data/j360-dubbo-app-all/misuses/2/misuse.yml
new file mode 100644
index 000000000..61c9daef3
--- /dev/null
+++ b/data/j360-dubbo-app-all/misuses/2/misuse.yml
@@ -0,0 +1,16 @@
+api:
+- javax.crypto.spec.SecretKeySpec
+violations:
+- insecure/condition/randomization
+description: >
+ First parameter while initializing the SecretKeySpec object was not properly randomized.
+location:
+ file: me/j360/dubbo/modules/util/security/CryptoUtil.java
+ method: "aes(byte[], byte[], int)"
+ line: 139
+internal: false
+pattern:
+crash: false
+source:
+ name: MSR 2019 Data Showcase A Dataset of Parametric Cryptographic Misuses by Wickert, Reif, Eichberg, Dodhy, and Mezini
+ url: https://github.com/akwick/MUBench/tree/thesis-2018-anam-dodhy
diff --git a/data/j360-dubbo-app-all/misuses/3/misuse.yml b/data/j360-dubbo-app-all/misuses/3/misuse.yml
new file mode 100644
index 000000000..bbd584704
--- /dev/null
+++ b/data/j360-dubbo-app-all/misuses/3/misuse.yml
@@ -0,0 +1,16 @@
+api:
+- javax.crypto.Cipher
+violations:
+- insecure/condition/transformation
+description: >
+ First parameter in Cipher.getInstance(String) is with value "AES/CBC/PKCS5PADDING" which should be any of AES/CBC/{Empty String, PKCS7Padding, PKCS5Padding, ISO10126Padding}.
+location:
+ file: me/j360/dubbo/modules/util/security/CryptoUtil.java
+ method: "aes(byte[], byte[], byte[], int)"
+ line: 160
+internal: false
+pattern:
+crash: false
+source:
+ name: MSR 2019 Data Showcase A Dataset of Parametric Cryptographic Misuses by Wickert, Reif, Eichberg, Dodhy, and Mezini
+ url: https://github.com/akwick/MUBench/tree/thesis-2018-anam-dodhy
diff --git a/data/j360-dubbo-app-all/misuses/4/misuse.yml b/data/j360-dubbo-app-all/misuses/4/misuse.yml
new file mode 100644
index 000000000..d0bdc6bc4
--- /dev/null
+++ b/data/j360-dubbo-app-all/misuses/4/misuse.yml
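Review bot: The finding in data/j360-dubbo-app-all/misuses/3/misuse.yml reports `"AES/CBC/PKCS5PADDING"` as insecure while the accepted set contains `PKCS5Padding`, so the two differ only in letter case. JCA transformation names are, to my knowledge, matched case-insensitively, which would make this an artefact of a case-sensitive comparison rather than a weak cipher configuration. I would either drop the entry or say so in the description, for example `Differs from the allowed PKCS5Padding only in case; kept as reported by the analysis.`, so that consumers of the dataset do not count it as a true misuse.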
@@ -0,0 +1,16 @@
+api:
+- javax.crypto.spec.IvParameterSpec
+violations:
+- insecure/condition/randomization
+description: >
+ First parameter while initializing the IvParameterSpec object was not properly randomized
+location:
+ file: me/j360/dubbo/modules/util/security/CryptoUtil.java
+ method: "aes(byte[], byte[], byte[], int)"
+ line: 159
+internal: false
+pattern:
+crash: false
+source:
+ name: MSR 2019 Data Showcase A Dataset of Parametric Cryptographic Misuses by Wickert, Reif, Eichberg, Dodhy, and Mezini
+ url: https://github.com/akwick/MUBench/tree/thesis-2018-anam-dodhy
diff --git a/data/j360-dubbo-app-all/misuses/5/misuse.yml b/data/j360-dubbo-app-all/misuses/5/misuse.yml
new file mode 100644
index 000000000..9f04f67a2
--- /dev/null
+++ b/data/j360-dubbo-app-all/misuses/5/misuse.yml
@@ -0,0 +1,16 @@
+api:
+- javax.crypto.spec.SecretKeySpec
+violations:
+- insecure/condition/randomization
+description: >
+ First parameter while initializing the SecretKeySpec object was not properly randomized
+location:
+ file: me/j360/dubbo/modules/util/security/CryptoUtil.java
+ method: "aes(byte[], byte[], byte[], int)"
+ line: 158
+internal: false
+pattern:
+crash: false
+source:
+ name: MSR 2019 Data Showcase A Dataset of Parametric Cryptographic Misuses by Wickert, Reif, Eichberg, Dodhy, and Mezini
+ url: https://github.com/akwick/MUBench/tree/thesis-2018-anam-dodhy
diff --git a/data/j360-dubbo-app-all/project.yml b/data/j360-dubbo-app-all/project.yml
new file mode 100644
index 000000000..478d5ecad
--- /dev/null
+++ b/data/j360-dubbo-app-all/project.yml
@@ -0,0 +1,5 @@
+name: j360-dubbo-app-all
+repository:
+ type: git
+ url: https://github.com/xuminwlt/j360-dubbo-app-all
+url: https://github.com/xuminwlt/j360-dubbo-app-all
\ No newline at end of file
diff --git a/data/j360-dubbo-app-all/versions/fc32b0b/version.yml b/data/j360-dubbo-app-all/versions/fc32b0b/version.yml
new file mode 100644
index 000000000..d65ec4876
--- /dev/null
+++ b/data/j360-dubbo-app-all/versions/fc32b0b/version.yml
@@ -0,0 +1,12 @@
+build:
+ classes: j360-dubbo-modules/$mvn.default.classes
+ commands:
+ - mvn clean compile
+ src: j360-dubbo-modules/src/main/java/
+misuses:
+- '1'
+- '2'
+- '3'
+- '4'
+- '5'
+revision: fc32b0b074177a30d558ae8f0714ae4c05a7e47f
diff --git a/data/java-telegram-bot-api/misuses/1/misuse.yml b/data/java-telegram-bot-api/misuses/1/misuse.yml
new file mode 100644
index 000000000..54b36ca7b
--- /dev/null
+++ b/data/java-telegram-bot-api/misuses/1/misuse.yml
@@ -0,0 +1,16 @@
+api:
+- javax.crypto.Cipher
+violations:
+- insecure/condition/transformation
+description: >
+ First parameter (with value "RSA/ECB/OAEPWithSHA-1AndMGF1Padding") should be any of RSA/ECB/{Empty String, PKCS1Padding, OAEPWithMD5AndMGF1Padding, OAEPWithSHA-224AndMGF1Padding, OAEPWithSHA-256AndMGF1Padding, OAEPWithSHA-384AndMGF1Padding, OAEPWithSHA-512AndMGF1Padding}
+location:
+ file: com/pengrad/telegrambot/passport/decrypt/RsaOaep.java
+ method: "decrypt(String, byte[])"
+ line: 29
+internal: false
+pattern:
+crash: false
+source:
+ name: MSR 2019 Data Showcase A Dataset of Parametric Cryptographic Misuses by Wickert, Reif, Eichberg, Dodhy, and Mezini
+ url: https://github.com/akwick/MUBench/tree/thesis-2018-anam-dodhy
diff --git a/data/java-telegram-bot-api/project.yml b/data/java-telegram-bot-api/project.yml
new file mode 100644
index 000000000..6387e5694
--- /dev/null
+++ b/data/java-telegram-bot-api/project.yml
@@ -0,0 +1,5 @@
+name: java-telegram-bot-api
+repository:
+ type: git
+ url: https://github.com/pengrad/java-telegram-bot-api
+url: https://github.com/pengrad/java-telegram-bot-api
\ No newline at end of file
diff --git a/data/java-telegram-bot-api/versions/04fbbbb/version.yml b/data/java-telegram-bot-api/versions/04fbbbb/version.yml
new file mode 100644
index 000000000..8e9464b70
--- /dev/null
+++ b/data/java-telegram-bot-api/versions/04fbbbb/version.yml
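Review bot: The description in `java-telegram-bot-api/misuses/1/misuse.yml` offers `PKCS1Padding` and `OAEPWithMD5AndMGF1Padding` as accepted replacements for "RSA/ECB/OAEPWithSHA-1AndMGF1Padding", which would move a reader from OAEP to PKCS#1 v1.5 padding or to an MD5-based OAEP. The list presumably mirrors the detector's rule set, but as written it reads as remediation advice. I would add a sentence to the description such as `The accepted set is copied from the detection rule; when fixing, prefer OAEPWithSHA-256AndMGF1Padding.`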
@@ -0,0 +1,8 @@
+build:
+ classes: java-telegram-bot-api/library/$gradle.default.classes
+ commands:
+ - gradle compileJava
+ src: java-telegram-bot-api/library/src/main/java
+misuses:
+- '1'
+revision: 04fbbbb2255ec1e37753f8f448fa5cfd2c7f6a6a
diff --git a/data/jeesuite-libs/misuses/1/correct-usages/ConstructIvParameterSpec.java b/data/jeesuite-libs/misuses/1/correct-usages/ConstructIvParameterSpec.java
new file mode 100644
index 000000000..2567b490d
--- /dev/null
+++ b/data/jeesuite-libs/misuses/1/correct-usages/ConstructIvParameterSpec.java
@@ -0,0 +1,11 @@
+import javax.crypto.spec.IvParameterSpec;
+import java.security.SecureRandom;
+
+public class ConstructIvParameterSpec {
+ public void pattern() {
+ SecureRandom iv = new SecureRandom();
+ byte bytes[] = new byte[100];
+ iv.nextBytes(bytes);
+ IvParameterSpec ips = new IvParameterSpec(bytes);
+ }
+}
diff --git a/data/jeesuite-libs/misuses/1/misuse.yml b/data/jeesuite-libs/misuses/1/misuse.yml
new file mode 100644
index 000000000..d8ec5ce2d
--- /dev/null
+++ b/data/jeesuite-libs/misuses/1/misuse.yml
@@ -0,0 +1,16 @@
+api:
+- javax.crypto.spec.IvParameterSpec
+violations:
+- insecure/condition/randomization
+description: >
+ First parameter while initializing the IvParameterSpec object was not properly randomized
+location:
+ file: com/jeesuite/common/crypt/DES.java
+ method: "encrypt(String, String)"
+ line: 37
+internal: false
+pattern:
+crash: false
+source:
+ name: MSR 2019 Data Showcase A Dataset of Parametric Cryptographic Misuses by Wickert, Reif, Eichberg, Dodhy, and Mezini
+ url: https://github.com/akwick/MUBench/tree/thesis-2018-anam-dodhy
diff --git a/data/jeesuite-libs/misuses/2/correct-usages/ConstructCipher.java b/data/jeesuite-libs/misuses/2/correct-usages/ConstructCipher.java
new file mode 100644
index 000000000..f38f52938
--- /dev/null
+++ b/data/jeesuite-libs/misuses/2/correct-usages/ConstructCipher.java
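Review bot: `byte bytes[] = new byte[100];` in `misuses/1/correct-usages/ConstructIvParameterSpec.java` builds a 100-byte IV, but a CBC IV has to equal the cipher's block size (8 bytes for DES, 16 for AES), so a cipher initialised with this spec would be expected to reject it. For a file presented as the correct usage, the buffer should match the cipher it is meant for, e.g. `byte bytes[] = new byte[16]; // AES block size`. The same 100-byte buffer appears in `misuses/4/correct-usages/ConstructIvParameterSpec.java`.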
@@ -0,0 +1,9 @@
+import javax.crypto.Cipher;
+import javax.crypto.NoSuchPaddingException;
+import java.security.NoSuchAlgorithmException;
+
+public class ConstructCipher {
+ public void pattern() throws NoSuchPaddingException, NoSuchAlgorithmException {
+ Cipher c = Cipher.getInstance("PBEWithHmacSHA224AndAES_128");
+ }
+}
diff --git a/data/jeesuite-libs/misuses/2/misuse.yml b/data/jeesuite-libs/misuses/2/misuse.yml
new file mode 100644
index 000000000..d1dca441d
--- /dev/null
+++ b/data/jeesuite-libs/misuses/2/misuse.yml
@@ -0,0 +1,16 @@
+api:
+- javax.crypto.Cipher
+violations:
+- insecure/condition/transformation
+description: >
+ First parameter in Cipher.getInstance(String) is with value "DES/CBC/PKCS5Padding" which should be any of {AES, Blowfish, DESede, PBEWithHmacSHA224AndAES_128, PBEWithHmacSHA256AndAES_128, PBEWithHmacSHA384AndAES_128, PBEWithHmacSHA512AndAES_128, PBEWithHmacSHA224AndAES_256, PBEWithHmacSHA256AndAES_256, PBEWithHmacSHA384AndAES_256, PBEWithHmacSHA512AndAES_256, RSA}.
+location:
+ file: com/jeesuite/common/crypt/DES.java
+ method: "encrypt(String, String)"
+ line: 36
+internal: false
+pattern:
+crash: false
+source:
+ name: MSR 2019 Data Showcase A Dataset of Parametric Cryptographic Misuses by Wickert, Reif, Eichberg, Dodhy, and Mezini
+ url: https://github.com/akwick/MUBench/tree/thesis-2018-anam-dodhy
diff --git a/data/jeesuite-libs/misuses/3/correct-usages/ConstrucCipher.java b/data/jeesuite-libs/misuses/3/correct-usages/ConstrucCipher.java
new file mode 100644
index 000000000..66dd705bb
--- /dev/null
+++ b/data/jeesuite-libs/misuses/3/correct-usages/ConstrucCipher.java
@@ -0,0 +1,14 @@
+import javax.crypto.Cipher;
+import java.security.SecureRandom;
+import java.security.NoSuchAlgorithmException;
+import java.security.InvalidKeyException;
+import java.security.NoSuchAlgorithmException;
+import javax.crypto.NoSuchPaddingException;
+
+public class ConstrucCipher {
+ public void pattern(java.security.Key key) throws NoSuchAlgorithmException, InvalidKeyException, NoSuchAlgorithmException, NoSuchPaddingException {
+ Cipher c = Cipher.getInstance("PBEWithHmacSHA224AndAES_128");
+ SecureRandom random = new SecureRandom();
+ c.init(Cipher.ENCRYPT_MODE, key, random);
+ }
+}
diff --git a/data/jeesuite-libs/misuses/3/misuse.yml b/data/jeesuite-libs/misuses/3/misuse.yml
new file mode 100644
index 000000000..ea3ed1641
--- /dev/null
+++ b/data/jeesuite-libs/misuses/3/misuse.yml
@@ -0,0 +1,16 @@
+api:
+- javax.crypto.Cipher
+violations:
+- insecure/condition/IV
+description: >
+ Third parameter while initializing the Cipher object was not properly preparedIV.
+location:
+ file: com/jeesuite/common/crypt/DES.java
+ method: "encrypt(String, String)"
+ line: 38
+internal: false
+pattern:
+crash: false
+source:
+ name: MSR 2019 Data Showcase A Dataset of Parametric Cryptographic Misuses by Wickert, Reif, Eichberg, Dodhy, and Mezini
+ url: https://github.com/akwick/MUBench/tree/thesis-2018-anam-dodhy
diff --git a/data/jeesuite-libs/misuses/4/correct-usages/ConstructIvParameterSpec.java b/data/jeesuite-libs/misuses/4/correct-usages/ConstructIvParameterSpec.java
new file mode 100644
index 000000000..148c6c34f
--- /dev/null
+++ b/data/jeesuite-libs/misuses/4/correct-usages/ConstructIvParameterSpec.java
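Review bot: `ConstrucCipher.java` imports `java.security.NoSuchAlgorithmException` twice and names it twice in the `throws` clause, and the class and file name drop the "t" that the sibling `ConstructCipher.java` patterns carry. Reducing this to one import, `throws NoSuchAlgorithmException, InvalidKeyException, NoSuchPaddingException`, and the name `ConstructCipher` keeps the patterns uniform. The paired `misuse.yml` is about the IV given as the third argument of `init`, while the pattern passes a `SecureRandom` there; a comment such as `// no IV supplied: the provider derives one from this SecureRandom when encrypting` would make the link explicit.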
@@ -0,0 +1,12 @@
+import javax.crypto.spec.IvParameterSpec;
+import java.security.SecureRandom;
+import java.security.NoSuchAlgorithmException;
+
+public class ConstructIvParameterSpec {
+ public void pattern() throws NoSuchAlgorithmException{
+ SecureRandom iv = new SecureRandom();
+ byte bytes[] = new byte[100];
+ iv.nextBytes(bytes);
+ IvParameterSpec ips = new IvParameterSpec(bytes);
+ }
+}
diff --git a/data/jeesuite-libs/misuses/4/misuse.yml b/data/jeesuite-libs/misuses/4/misuse.yml
new file mode 100644
index 000000000..5a285ac81
--- /dev/null
+++ b/data/jeesuite-libs/misuses/4/misuse.yml
@@ -0,0 +1,16 @@
+api:
+- javax.crypto.spec.IvParameterSpec
+violations:
+- insecure/condition/randomization
+description: >
+ First parameter while initializing the IvParameterSpec object was not properly randomized
+location:
+ file: com/jeesuite/common/crypt/DES.java
+ method: "decrypt(String, String)"
+ line: 64
+internal: false
+pattern:
+crash: false
+source:
+ name: MSR 2019 Data Showcase A Dataset of Parametric Cryptographic Misuses by Wickert, Reif, Eichberg, Dodhy, and Mezini
+ url: https://github.com/akwick/MUBench/tree/thesis-2018-anam-dodhy
diff --git a/data/jeesuite-libs/misuses/5/correct-usages/ConstructCipher.java b/data/jeesuite-libs/misuses/5/correct-usages/ConstructCipher.java
new file mode 100644
index 000000000..224e08b28
--- /dev/null
+++ b/data/jeesuite-libs/misuses/5/correct-usages/ConstructCipher.java
@@ -0,0 +1,9 @@
+import javax.crypto.Cipher;
+import javax.crypto.NoSuchPaddingException;
+import java.security.NoSuchAlgorithmException;
+
+public class ConstructCipher {
+ public void pattern() throws NoSuchPaddingException, NoSuchAlgorithmException {
+ Cipher c = Cipher.getInstance("PBEWithHmacSHA224AndAES_128");
+ }
+}
diff --git a/data/jeesuite-libs/misuses/5/misuse.yml b/data/jeesuite-libs/misuses/5/misuse.yml
new file mode 100644
index 000000000..87d2acfbc
--- /dev/null
+++ b/data/jeesuite-libs/misuses/5/misuse.yml
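Review bot: `misuses/4/misuse.yml` points at `decrypt(String, String)`, yet the pattern shipped with it in `misuses/4/correct-usages/ConstructIvParameterSpec.java` generates a fresh random IV. On the decrypt side the IV has to be the value produced at encryption time, so a reader applying this pattern inside `decrypt` would no longer recover the plaintext. I would add a comment to the pattern, `// encryption side only: decrypt must reuse the IV stored with the ciphertext`. Separately, `throws NoSuchAlgorithmException` on `pattern()` is not needed, since nothing in the body declares that exception.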
@@ -0,0 +1,16 @@
+api:
+- javax.crypto.Cipher
+violations:
+- insecure/condition/transformation
+description: >
+ First parameter in Cipher.getInstance(String) is with value "DES/CBC/PKCS5Padding" which should be any of {AES, Blowfish, DESede, PBEWithHmacSHA224AndAES_128, PBEWithHmacSHA256AndAES_128, PBEWithHmacSHA384AndAES_128, PBEWithHmacSHA512AndAES_128, PBEWithHmacSHA224AndAES_256, PBEWithHmacSHA256AndAES_256, PBEWithHmacSHA384AndAES_256, PBEWithHmacSHA512AndAES_256, RSA}.
+location:
+ file: com/jeesuite/common/crypt/DES.java
+ method: "decrypt(String, String)"
+ line: 63
+internal: false
+pattern:
+crash: false
+source:
+ name: MSR 2019 Data Showcase A Dataset of Parametric Cryptographic Misuses by Wickert, Reif, Eichberg, Dodhy, and Mezini
+ url: https://github.com/akwick/MUBench/tree/thesis-2018-anam-dodhy
diff --git a/data/jeesuite-libs/misuses/6/correct-usages/ConstructCipher.java b/data/jeesuite-libs/misuses/6/correct-usages/ConstructCipher.java
new file mode 100644
index 000000000..6b43f21e4
--- /dev/null
+++ b/data/jeesuite-libs/misuses/6/correct-usages/ConstructCipher.java
@@ -0,0 +1,9 @@
+import javax.crypto.Cipher;
+import javax.crypto.NoSuchPaddingException;
+import java.security.NoSuchAlgorithmException;;
+
+public class ConstructCipher {
+ public void pattern() throws NoSuchPaddingException, NoSuchAlgorithmException {
+ Cipher c = Cipher.getInstance("PBEWithHmacSHA224AndAES_128");
+ }
+}
diff --git a/data/jeesuite-libs/misuses/6/misuse.yml b/data/jeesuite-libs/misuses/6/misuse.yml
new file mode 100644
index 000000000..c9b43b1af
--- /dev/null
+++ b/data/jeesuite-libs/misuses/6/misuse.yml
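Review bot: The pattern in `misuses/6/correct-usages/ConstructCipher.java` does not show the fix its own `misuse.yml` describes: the entry says a bare "AES" should become one of AES/{CBC, GCM, PCBC, CTR, CTS, CFB, OFB}, but the pattern calls `Cipher.getInstance("PBEWithHmacSHA224AndAES_128")`. A line such as `Cipher c = Cipher.getInstance("AES/GCM/NoPadding");` would match the description; the pattern under `misuses/7` has the same mismatch. The import `java.security.NoSuchAlgorithmException;;` in this file also carries a stray second semicolon.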
@@ -0,0 +1,16 @@
+api:
+- javax.crypto.Cipher
+violations:
+- insecure/condition/transformation
+description: >
+ First parameter in Cipher.getInstance(String) is with value "AES" which should be any of AES/{CBC, GCM, PCBC, CTR, CTS, CFB, OFB}.
+location:
+ file: com/jeesuite/common/crypt/AES.java
+ method: "decrypt(byte[], byte[])"
+ line: 54
+internal: false
+pattern:
+crash: false
+source:
+ name: MSR 2019 Data Showcase A Dataset of Parametric Cryptographic Misuses by Wickert, Reif, Eichberg, Dodhy, and Mezini
+ url: https://github.com/akwick/MUBench/tree/thesis-2018-anam-dodhy
diff --git a/data/jeesuite-libs/misuses/7/correct-usages/ConstructCipher.java b/data/jeesuite-libs/misuses/7/correct-usages/ConstructCipher.java
new file mode 100644
index 000000000..97507b239
--- /dev/null
+++ b/data/jeesuite-libs/misuses/7/correct-usages/ConstructCipher.java
@@ -0,0 +1,10 @@
+import javax.crypto.Cipher;
+import javax.crypto.NoSuchPaddingException;
+import java.security.NoSuchAlgorithmException;
+
+
+public class ConstructCipher {
+ public void pattern() throws NoSuchPaddingException, NoSuchAlgorithmException {
+ Cipher c = Cipher.getInstance("PBEWithHmacSHA224AndAES_128");
+ }
+}
diff --git a/data/jeesuite-libs/misuses/7/misuse.yml b/data/jeesuite-libs/misuses/7/misuse.yml
new file mode 100644
index 000000000..bd52022a6
--- /dev/null
+++ b/data/jeesuite-libs/misuses/7/misuse.yml
@@ -0,0 +1,16 @@
+api:
+- javax.crypto.Cipher
+violations:
+- insecure/condition/transformation
+description: >
+ First parameter in Cipher.getInstance(String) is with value "AES" which should be any of AES/{CBC, GCM, PCBC, CTR, CTS, CFB, OFB}.
+location:
+ file: com/jeesuite/common/crypt/AES.java
+ method: "encrypt(byte[], byte[])"
+ line: 39
+internal: false
+pattern:
+crash: false
+source:
+ name: MSR 2019 Data Showcase A Dataset of Parametric Cryptographic Misuses by Wickert, Reif, Eichberg, Dodhy, and Mezini
+ url: https://github.com/akwick/MUBench/tree/thesis-2018-anam-dodhy
diff --git a/data/jeesuite-libs/misuses/8/correct-usages/ConstructMessageDigest.java b/data/jeesuite-libs/misuses/8/correct-usages/ConstructMessageDigest.java
new file mode 100644
index 000000000..f423a394a
--- /dev/null
+++ b/data/jeesuite-libs/misuses/8/correct-usages/ConstructMessageDigest.java
@@ -0,0 +1,8 @@
+import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
+
+public class ConstructMessageDigest{
+ public void pattern() throws NoSuchAlgorithmException{
+ MessageDigest md = MessageDigest.getInstance("SHA-512");
+ }
+}
diff --git a/data/jeesuite-libs/misuses/8/misuse.yml b/data/jeesuite-libs/misuses/8/misuse.yml
new file mode 100644
index 000000000..38b71dc57
--- /dev/null
+++ b/data/jeesuite-libs/misuses/8/misuse.yml
@@ -0,0 +1,16 @@
+api:
+- java.security.MessageDigest
+violations:
+- insecure/condition/transformation
+description: >
+ First parameter in MessageDigest.getInstance(String) is with value "SHA-1" which should be any of {SHA-256, SHA-384, SHA-512}.
+location:
+ file: com/jeesuite/common/crypt/SHA1.java
+ method: "getSHA1(String, String, String, String)"
+ line: 40
+internal: false
+pattern:
+crash: false
+source:
+ name: MSR 2019 Data Showcase A Dataset of Parametric Cryptographic Misuses by Wickert, Reif, Eichberg, Dodhy, and Mezini
+ url: https://github.com/akwick/MUBench/tree/thesis-2018-anam-dodhy
diff --git a/data/jeesuite-libs/misuses/9/correct-usages/ConstructMessageDigest.java b/data/jeesuite-libs/misuses/9/correct-usages/ConstructMessageDigest.java
new file mode 100644
index 000000000..4b7db545f
--- /dev/null
+++ b/data/jeesuite-libs/misuses/9/correct-usages/ConstructMessageDigest.java
@@ -0,0 +1,8 @@
+import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
+
+public class ConstructMessageDigest{
+ public void pattern() throws NoSuchAlgorithmException {
+ MessageDigest md = MessageDigest.getInstance("SHA-512");
+ }
+}
diff --git a/data/jeesuite-libs/misuses/9/misuse.yml b/data/jeesuite-libs/misuses/9/misuse.yml
new file mode 100644
index 000000000..f28dc4b27
--- /dev/null
+++ b/data/jeesuite-libs/misuses/9/misuse.yml
@@ -0,0 +1,16 @@
+api:
+- java.security.MessageDigest
+violations:
+- insecure/condition/transformation
+description: >
+ First parameter in MessageDigest.getInstance(String) is with value "MD5" which should be any of {SHA-256, SHA-384, SHA-512}.
+location:
+ file: com/jeesuite/common/util/DigestUtils.java
+ method: "md5(Object)"
+ line: 37
+internal: false
+pattern:
+crash: false
+source:
+ name: MSR 2019 Data Showcase A Dataset of Parametric Cryptographic Misuses by Wickert, Reif, Eichberg, Dodhy, and Mezini
+ url: https://github.com/akwick/MUBench/tree/thesis-2018-anam-dodhy
diff --git a/data/jeesuite-libs/project.yml b/data/jeesuite-libs/project.yml
new file mode 100644
index 000000000..b06b54d32
--- /dev/null
+++ b/data/jeesuite-libs/project.yml
@@ -0,0 +1,5 @@
+name: jeesuite-libs
+repository:
+ type: git
+ url: https://github.com/vakinge/jeesuite-libs
+url: https://github.com/vakinge/jeesuite-libs
\ No newline at end of file
diff --git a/data/jeesuite-libs/versions/2a545bd/version.yml b/data/jeesuite-libs/versions/2a545bd/version.yml
new file mode 100644
index 000000000..1fc6eb082
--- /dev/null
+++ b/data/jeesuite-libs/versions/2a545bd/version.yml
@@ -0,0 +1,16 @@
+build:
+ classes: jeesuite-common/$mvn.default.classes
+ commands:
+ - mvn clean compile
+ src: jeesuite-common/src/main/java/
+misuses:
+- '1'
+- '2'
+- '3'
+- '4'
+- '5'
+- '6'
+- '7'
+- '8'
+- '9'
+revision: 2a545bd645c6ba2f145ddad35a8256fd248c8bae
diff --git a/data/jigsaw/versions/205/version.yml b/data/jigsaw/versions/205/version.yml
index c74eb972e..68231270d 100644
--- a/data/jigsaw/versions/205/version.yml
+++ b/data/jigsaw/versions/205/version.yml
@@ -1,5 +1,5 @@
 build:
- classes: Jigsaw/target/classes
+ classes: Jigsaw/$mvn.default.classes
 commands:
 - mkdir classes
 - sed -i '13iimport org.w3c.www.http.HttpCookie;' Jigsaw/src/classes/org/w3c/www/protocol/http/cookies/CookieFilter.java
diff --git a/data/job-x/misuses/1/misuse.yml b/data/job-x/misuses/1/misuse.yml
new file mode 100644
index 000000000..6d3722ad7
--- /dev/null
+++ b/data/job-x/misuses/1/misuse.yml
@@ -0,0 +1,15 @@
+api:
+- java.security.Signature
+violations:
+- insecure/condition/transformation
+description: >
+ First parameter in Signature.getInstance(String) is with value "MD5withRSA" which should be any of {NONEwithDSA, SHA1withDSA, SHA224withDSA, SHA256withDSA, SHA256withRSA, SHA256withECDSA}
+location:
+ file: com/jobxhub/common/util/RSAUtils.java
+ method: "verify(byte[], String, String)"
+ line: 139
+internal: false
+pattern:
+crash: false
+source:
+ name:
diff --git a/data/job-x/misuses/10/misuse.yml b/data/job-x/misuses/10/misuse.yml
new file mode 100644
index 000000000..8e33dba7c
--- /dev/null
+++ b/data/job-x/misuses/10/misuse.yml
@@ -0,0 +1,16 @@
+api:
+- javax.crypto.Cipher
+violations:
+- insecure/condition/key
+description: >
+ Second parameter in cipher.init(int, SecretKeySpec) was not properly generatedKey
+location:
+ file: com/jobxhub/common/util/DigestUtils.java
+ method: "aesEncrypt(String, String)"
+ line: 514
+internal: false
+pattern:
+crash: false
+source:
+ name: MSR 2019 Data Showcase A Dataset of Parametric Cryptographic Misuses by Wickert, Reif, Eichberg, Dodhy, and Mezini
+ url: https://github.com/akwick/MUBench/tree/thesis-2018-anam-dodhy
diff --git a/data/job-x/misuses/11/misuse.yml b/data/job-x/misuses/11/misuse.yml
new file mode 100644
index 000000000..5b8064395
--- /dev/null
+++ b/data/job-x/misuses/11/misuse.yml
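Review bot: `job-x/misuses/1/misuse.yml` ends with a bare `name:` under `source:` and has no `url:` key; the hunk is 15 lines where every sibling entry is 16. A loader will read the source name as null, so this entry loses its provenance. Complete it the same way as `job-x/misuses/2/misuse.yml`, with the `name: MSR 2019 Data Showcase ...` line followed by `url: https://github.com/akwick/MUBench/tree/thesis-2018-anam-dodhy`.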
@@ -0,0 +1,16 @@
+api:
+- javax.crypto.Cipher
+violations:
+- insecure/condition/transformation
+description: >
+ First parameter in Cipher.getInstance(String) is with value "DES" which should be any of {AES, Blowfish, DESede, PBEWithHmacSHA224AndAES_128, PBEWithHmacSHA256AndAES_128, PBEWithHmacSHA384AndAES_128, PBEWithHmacSHA512AndAES_128, PBEWithHmacSHA224AndAES_256, PBEWithHmacSHA256AndAES_256, PBEWithHmacSHA384AndAES_256, PBEWithHmacSHA512AndAES_256, RSA}
+location:
+ file: com/jobxhub/common/util/DigestUtils.java
+ method: "desDecrypt(byte[], byte[])"
+ line: 461
+internal: false
+pattern:
+crash: false
+source:
+ name: MSR 2019 Data Showcase A Dataset of Parametric Cryptographic Misuses by Wickert, Reif, Eichberg, Dodhy, and Mezini
+ url: https://github.com/akwick/MUBench/tree/thesis-2018-anam-dodhy
diff --git a/data/job-x/misuses/12/misuse.yml b/data/job-x/misuses/12/misuse.yml
new file mode 100644
index 000000000..cbb5d3b96
--- /dev/null
+++ b/data/job-x/misuses/12/misuse.yml
@@ -0,0 +1,16 @@
+api:
+- javax.crypto.Cipher
+violations:
+- insecure/condition/key
+description: >
+ Second parameter in cipher.init(int, SecretKey, SecureRandom) was not properly generatedKey
+location:
+ file: com/jobxhub/common/util/DigestUtils.java
+ method: "desDecrypt(byte[], byte[])"
+ line: 464
+internal: false
+pattern:
+crash: false
+source:
+ name: MSR 2019 Data Showcase A Dataset of Parametric Cryptographic Misuses by Wickert, Reif, Eichberg, Dodhy, and Mezini
+ url: https://github.com/akwick/MUBench/tree/thesis-2018-anam-dodhy
diff --git a/data/job-x/misuses/13/misuse.yml b/data/job-x/misuses/13/misuse.yml
new file mode 100644
index 000000000..3c2d12ca6
--- /dev/null
+++ b/data/job-x/misuses/13/misuse.yml
@@ -0,0 +1,16 @@
+api:
+- java.security.MessageDigest
+violations:
+- insecure/condition/transformation
+description: >
+ First parameter in MessageDigest.getInstance(String) is with value "SHA-1" which should be any of {SHA-256, SHA-384, SHA-512}
+location:
+ file: com/jobxhub/common/util/DigestUtils.java
+ method: "sha1(String)"
+ line: 147
+internal: false
+pattern:
+crash: false
+source:
+ name: MSR 2019 Data Showcase A Dataset of Parametric Cryptographic Misuses by Wickert, Reif, Eichberg, Dodhy, and Mezini
+ url: https://github.com/akwick/MUBench/tree/thesis-2018-anam-dodhy
diff --git a/data/job-x/misuses/14/misuse.yml b/data/job-x/misuses/14/misuse.yml
new file mode 100644
index 000000000..f582270b1
--- /dev/null
+++ b/data/job-x/misuses/14/misuse.yml
@@ -0,0 +1,16 @@
+api:
+- java.security.MessageDigest
+violations:
+- insecure/condition/transformation
+description: >
+ First parameter in MessageDigest.getInstance(String) is with value "MD5" which should be any of {SHA-256, SHA-384, SHA-512}
+location:
+ file: com/jobxhub/common/io/Bytes.java
+ method: "getMessageDigest()"
+ line: 877
+internal: false
+pattern:
+crash: false
+source:
+ name: MSR 2019 Data Showcase A Dataset of Parametric Cryptographic Misuses by Wickert, Reif, Eichberg, Dodhy, and Mezini
+ url: https://github.com/akwick/MUBench/tree/thesis-2018-anam-dodhy
diff --git a/data/job-x/misuses/2/misuse.yml b/data/job-x/misuses/2/misuse.yml
new file mode 100644
index 000000000..e40578adf
--- /dev/null
+++ b/data/job-x/misuses/2/misuse.yml
@@ -0,0 +1,16 @@
+api:
+- java.security.Signature
+violations:
+- insecure/condition/transformation
+description: >
+ First parameter in Signature.getInstance(String) is with value "MD5withRSA" which should be any of {NONEwithDSA, SHA1withDSA, SHA224withDSA, SHA256withDSA, SHA256withRSA, SHA256withECDSA}
+location:
+ file: com/jobxhub/common/util/RSAUtils.java
+ method: "sign(byte[], String)"
+ line: 117
+internal: false
+pattern:
+crash: false
+source:
+ name: MSR 2019 Data Showcase A Dataset of Parametric Cryptographic Misuses by Wickert, Reif, Eichberg, Dodhy, and Mezini
+ url: https://github.com/akwick/MUBench/tree/thesis-2018-anam-dodhy
diff --git a/data/job-x/misuses/3/misuse.yml b/data/job-x/misuses/3/misuse.yml
new file mode 100644
index 000000000..aeae6b068
--- /dev/null
+++ b/data/job-x/misuses/3/misuse.yml
@@ -0,0 +1,16 @@
+api:
+- javax.crypto.Cipher
+violations:
+- insecure/condition/transformation
+description: >
+ First parameter in Cipher.getInstance(String) is with value "DES" which should be any of {AES, Blowfish, DESede, PBEWithHmacSHA224AndAES_128, PBEWithHmacSHA256AndAES_128, PBEWithHmacSHA384AndAES_128, PBEWithHmacSHA512AndAES_128, PBEWithHmacSHA224AndAES_256, PBEWithHmacSHA256AndAES_256, PBEWithHmacSHA384AndAES_256, PBEWithHmacSHA512AndAES_256, RSA}
+location:
+ file: com/jobxhub/common/util/DigestUtils.java
+ method: "desEncrypt(byte[], byte[])"
+ line: 401
+internal: false
+pattern:
+crash: false
+source:
+ name: MSR 2019 Data Showcase A Dataset of Parametric Cryptographic Misuses by Wickert, Reif, Eichberg, Dodhy, and Mezini
+ url: https://github.com/akwick/MUBench/tree/thesis-2018-anam-dodhy
diff --git a/data/job-x/misuses/4/misuse.yml b/data/job-x/misuses/4/misuse.yml
new file mode 100644
index 000000000..a01d1aa1d
--- /dev/null
+++ b/data/job-x/misuses/4/misuse.yml
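Review bot: The accepted set in the `job-x/misuses/2` description contains `NONEwithDSA` and `SHA1withDSA`, so an entry that flags "MD5withRSA" for its weak digest would be satisfied by a SHA-1 based signature. `job-x/misuses/1` carries the same list, and `lucene-solr/misuses/1` flags "SHA1withRSA" against it, which makes the set inconsistent as guidance. If the list is simply the detector's rule, the description should say that, e.g. `Accepted set as defined by the detection rule; for a fix prefer SHA256withRSA or SHA256withECDSA.`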
@@ -0,0 +1,16 @@
+api:
+- javax.crypto.Cipher
+violations:
+- insecure/condition/key
+description: >
+ Second parameter in cipher.init(int,SecretKey,SecureRandom) was not properly generatedKey
+location:
+ file: com/jobxhub/common/util/DigestUtils.java
+ method: "desEncrypt(byte[], byte[])"
+ line: 404
+internal: false
+pattern:
+crash: false
+source:
+ name: MSR 2019 Data Showcase A Dataset of Parametric Cryptographic Misuses by Wickert, Reif, Eichberg, Dodhy, and Mezini
+ url: https://github.com/akwick/MUBench/tree/thesis-2018-anam-dodhy
diff --git a/data/job-x/misuses/5/misuse.yml b/data/job-x/misuses/5/misuse.yml
new file mode 100644
index 000000000..464e996b1
--- /dev/null
+++ b/data/job-x/misuses/5/misuse.yml
@@ -0,0 +1,16 @@
+api:
+- javax.crypto.Cipher
+violations:
+- insecure/condition/key
+description: >
+ Second parameter in cipher.init(int, SecretKeySpec) was not properly generatedKey
+location:
+ file: com/jobxhub/common/util/DigestUtils.java
+ method: "aesDecrypt(String, String)"
+ line: 482
+internal: false
+pattern:
+crash: false
+source:
+ name: MSR 2019 Data Showcase A Dataset of Parametric Cryptographic Misuses by Wickert, Reif, Eichberg, Dodhy, and Mezini
+ url: https://github.com/akwick/MUBench/tree/thesis-2018-anam-dodhy
diff --git a/data/job-x/misuses/6/misuse.yml b/data/job-x/misuses/6/misuse.yml
new file mode 100644
index 000000000..6a5c77beb
--- /dev/null
+++ b/data/job-x/misuses/6/misuse.yml
@@ -0,0 +1,16 @@
+api:
+- javax.crypto.spec.SecretKeySpec
+violations:
+- insecure/condition/randomization
+description: >
+ First parameter in while creating SecretKeySpec object i.e. SecretKeySpec(byte[], String) was not properly randomized
+location:
+ file: com/jobxhub/common/util/DigestUtils.java
+ method: "aesDecrypt(String, String)"
+ line: 480
+internal: false
+pattern:
+crash: false
+source:
+ name: MSR 2019 Data Showcase A Dataset of Parametric Cryptographic Misuses by Wickert, Reif, Eichberg, Dodhy, and Mezini
+ url: https://github.com/akwick/MUBench/tree/thesis-2018-anam-dodhy
diff --git a/data/job-x/misuses/7/misuse.yml b/data/job-x/misuses/7/misuse.yml
new file mode 100644
index 000000000..649f48de9
--- /dev/null
+++ b/data/job-x/misuses/7/misuse.yml
@@ -0,0 +1,16 @@
+api:
+- javax.crypto.Cipher
+violations:
+- insecure/condition/transformation
+description: >
+ First parameter in Cipher.getInstance(String) is with value "AES" which should be any of AES/{CBC, GCM, PCBC, CTR, CTS, CFB, OFB}
+location:
+ file: com/jobxhub/common/util/DigestUtils.java
+ method: "aesDecrypt(String, String)"
+ line: 481
+internal: false
+pattern:
+crash: false
+source:
+ name: MSR 2019 Data Showcase A Dataset of Parametric Cryptographic Misuses by Wickert, Reif, Eichberg, Dodhy, and Mezini
+ url: https://github.com/akwick/MUBench/tree/thesis-2018-anam-dodhy
diff --git a/data/job-x/misuses/8/misuse.yml b/data/job-x/misuses/8/misuse.yml
new file mode 100644
index 000000000..b7e3cb711
--- /dev/null
+++ b/data/job-x/misuses/8/misuse.yml
@@ -0,0 +1,16 @@
+api:
+- javax.crypto.spec.SecretKeySpec
+violations:
+- insecure/condition/randomization
+description: >
+ First parameter while creating the SecretKeySpec object i.e. SecretKeySpec(byte[],String) was not properly randomized
+location:
+ file: com/jobxhub/common/util/DigestUtils.java
+ method: "aesEncrypt(String, String)"
+ line: 512
+internal: false
+pattern:
+crash: false
+source:
+ name: MSR 2019 Data Showcase A Dataset of Parametric Cryptographic Misuses by Wickert, Reif, Eichberg, Dodhy, and Mezini
+ url: https://github.com/akwick/MUBench/tree/thesis-2018-anam-dodhy
diff --git a/data/job-x/misuses/9/misuse.yml b/data/job-x/misuses/9/misuse.yml
new file mode 100644
index 000000000..2b4ed6942
--- /dev/null
+++ b/data/job-x/misuses/9/misuse.yml
@@ -0,0 +1,16 @@
+api:
+- javax.crypto.Cipher
+violations:
+- insecure/condition/transformation
+description: >
+ First parameter in Cipher.getInstance(String) is with value "AES" which should be any of AES/{CBC, GCM, PCBC, CTR, CTS, CFB, OFB}
+location:
+ file: com/jobxhub/common/util/DigestUtils.java
+ method: "aesEncrypt(String, String)"
+ line: 513
+internal: false
+pattern:
+crash: false
+source:
+ name: MSR 2019 Data Showcase A Dataset of Parametric Cryptographic Misuses by Wickert, Reif, Eichberg, Dodhy, and Mezini
+ url: https://github.com/akwick/MUBench/tree/thesis-2018-anam-dodhy
diff --git a/data/job-x/project.yml b/data/job-x/project.yml
new file mode 100644
index 000000000..14bc334d7
--- /dev/null
+++ b/data/job-x/project.yml
@@ -0,0 +1,5 @@
+name: job-x
+repository:
+ type: git
+ url: https://github.com/jobxhub/JobX
+url: https://github.com/jobxhub/JobX
\ No newline at end of file
diff --git a/data/job-x/versions/414503f/version.yml b/data/job-x/versions/414503f/version.yml
new file mode 100644
index 000000000..e5967462b
--- /dev/null
+++ b/data/job-x/versions/414503f/version.yml
@@ -0,0 +1,21 @@
+build:
+ classes: jobx-common/$mvn.default.classes
+ commands:
+ - mvn clean compile
+ src: jobx-common/src/main/java/
+misuses:
+- '1'
+- '2'
+- '3'
+- '4'
+- '5'
+- '6'
+- '7'
+- '8'
+- '9'
+- '10'
+- '11'
+- '12'
+- '13'
+- '14'
+revision: 414503ffa4938e09ece04d4b6cbf85a5fe19ad67
diff --git a/data/lucene-solr/misuses/1/misuse.yml b/data/lucene-solr/misuses/1/misuse.yml
new file mode 100644
index 000000000..ac7c613fa
--- /dev/null
+++ b/data/lucene-solr/misuses/1/misuse.yml
@@ -0,0 +1,16 @@
+api:
+- java.security.Signature
+violations:
+- insecure/condition/transformation
+description: >
+ First parameter in Signature.getInstance(String) is with value "SHA1withRSA" which should be any of ("NONEwithDSA", "SHA1withDSA", "SHA224withDSA", "SHA256withDSA", "SHA256withRSA", "SHA256withECDSA").
+location:
+ file: org/apache/solr/util/CryptoKeys.java
+ method: "verify(PublicKey, byte[], ByteBuffer)"
+ line: 110
+internal: false
+pattern:
+crash: false
+source:
+ name: MSR 2019 Data Showcase A Dataset of Parametric Cryptographic Misuses by Wickert, Reif, Eichberg, Dodhy, and Mezini
+ url: https://github.com/akwick/MUBench/tree/thesis-2018-anam-dodhy
diff --git a/data/lucene-solr/misuses/2/misuse.yml b/data/lucene-solr/misuses/2/misuse.yml
new file mode 100644
index 000000000..4c7b48d4f
--- /dev/null
+++ b/data/lucene-solr/misuses/2/misuse.yml
@@ -0,0 +1,16 @@
+api:
+- java.security.MessageDigest
+violations:
+- insecure/condition/transformation
+description: >
+ First parameter in MessageDigest.getInstance(String) is with value "MD5" which should be any of ("SHA-256", "SHA-384", "SHA-512").
+location:
+ file: org/apache/solr/util/CryptoKeys.java
+ method: "decodeAES(String, String, int)"
+ line: 226
+internal: false
+pattern:
+crash: false
+source:
+ name: MSR 2019 Data Showcase A Dataset of Parametric Cryptographic Misuses by Wickert, Reif, Eichberg, Dodhy, and Mezini
+ url: https://github.com/akwick/MUBench/tree/thesis-2018-anam-dodhy
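Review bot: The allowed list in the `description` of lucene-solr misuse 1 still contains `"SHA1withDSA"` and `"NONEwithDSA"`, so the entry flags `"SHA1withRSA"` while presenting another SHA-1 based signature as an acceptable replacement. The same list is repeated in mpush misuses 1 and 2, and mpush misuse 5 separately flags `"SHA-1"` for `MessageDigest`, so the dataset is not consistent about SHA-1. If the list is copied verbatim from the detector's rule that may be intentional, but a wording such as `... which should be a SHA-2 based algorithm, e.g. "SHA256withRSA" or "SHA256withECDSA"` would keep a reader from taking SHA-1 with DSA as the fix.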
diff --git a/data/lucene-solr/misuses/3/misuse.yml b/data/lucene-solr/misuses/3/misuse.yml
new file mode 100644
index 000000000..5424f2d76
--- /dev/null
+++ b/data/lucene-solr/misuses/3/misuse.yml
@@ -0,0 +1,16 @@
+api:
+- javax.crypto.Cipher
+violations:
+- insecure/condition/transformation
+description: >
+ First parameter in Cipher.getInstance(String) is with value "RSA/ECB/nopadding" which should be any of "RSA" with (emptyString, "ECB").
+location:
+ file: org/apache/solr/util/CryptoKeys.java
+ method: "decryptRSA(byte[], PublicKey)"
+ line: 273
+internal: false
+pattern:
+crash: false
+source:
+ name: MSR 2019 Data Showcase A Dataset of Parametric Cryptographic Misuses by Wickert, Reif, Eichberg, Dodhy, and Mezini
+ url: https://github.com/akwick/MUBench/tree/thesis-2018-anam-dodhy
diff --git a/data/lucene-solr/misuses/4/misuse.yml b/data/lucene-solr/misuses/4/misuse.yml
new file mode 100644
index 000000000..67925c283
--- /dev/null
+++ b/data/lucene-solr/misuses/4/misuse.yml
@@ -0,0 +1,16 @@
+api:
+- javax.crypto.Cipher
+violations:
+- insecure/condition/transformation
+description: >
+ First parameter in Cipher.getInstance(String) is with value "RSA/ECB/nopadding" which should be any of "RSA" with (emptyString, "ECB").
+location:
+ file: org/apache/solr/util/CryptoKeys.java
+ method: "encrypt(ByteBuffer)"
+ line: 321
+internal: false
+pattern:
+crash: false
+source:
+ name: MSR 2019 Data Showcase A Dataset of Parametric Cryptographic Misuses by Wickert, Reif, Eichberg, Dodhy, and Mezini
+ url: https://github.com/akwick/MUBench/tree/thesis-2018-anam-dodhy
diff --git a/data/lucene-solr/project.yml b/data/lucene-solr/project.yml
new file mode 100644
index 000000000..398e3f8ab
--- /dev/null
+++ b/data/lucene-solr/project.yml
@@ -0,0 +1,5 @@
+name: lucene-solr
+repository:
+ type: git
+ url: https://github.com/apache/lucene-solr
+url: https://github.com/apache/lucene-solr
\ No newline at end of file
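Review bot: The `description` of lucene-solr misuse 3 does not name the weakness it records: it says `"RSA/ECB/nopadding"` should be `"RSA"` with a mode of empty string or `"ECB"`, which the flagged value already satisfies, and it never mentions the padding component. The problem with this transformation is the missing padding, since unpadded RSA is deterministic and malleable. A wording such as `... uses no padding; an OAEP padding such as "RSA/ECB/OAEPWithSHA-256AndMGF1Padding" should be used` would tell a reader what to change. Misuse 4 in this commit carries the identical sentence and needs the same correction.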
diff --git a/data/lucene-solr/versions/928b92c/version.yml b/data/lucene-solr/versions/928b92c/version.yml new file mode 100644 index 000000000..31671999e --- /dev/null +++ b/data/lucene-solr/versions/928b92c/version.yml @@ -0,0 +1,12 @@ +build: + classes: solr/build/solr-core/classes/java + commands: + - ant ivy-bootstrap + - ant compile + src: solr/core/src/java/ +misuses: +- '1' +- '2' +- '3' +- '4' +revision: 928b92caa0bcbff2288b5bf2ab602ec04ff88a78 \ No newline at end of file diff --git a/data/minecraft-launcher/versions/e62d1bb/version.yml b/data/minecraft-launcher/versions/e62d1bb/version.yml index 35f8aa09f..1891e323a 100644 --- a/data/minecraft-launcher/versions/e62d1bb/version.yml +++ b/data/minecraft-launcher/versions/e62d1bb/version.yml @@ -1,7 +1,7 @@ misuses: - '1' build: - classes: target/classes/ + classes: $mvn.default.classes commands: - mvn compile src: src/main/java/ diff --git a/data/mpush/misuses/1/misuse.yml b/data/mpush/misuses/1/misuse.yml new file mode 100644 index 000000000..b72c43700 --- /dev/null +++ b/data/mpush/misuses/1/misuse.yml @@ -0,0 +1,16 @@ +api: +- java.security.Signature +violations: +- insecure/condition/transformation +description: > + First parameter in Signature.getInstance(String) is with value "MD5withRSA" which should be any of {NONEwithDSA, SHA1withDSA, SHA224withDSA, SHA256withDSA, SHA256withRSA, SHA256withECDSA} +location: + file: com/mpush/tools/crypto/RSAUtils.java + method: "sign(byte[], String)" + line: 150 +internal: false +pattern: +crash: false +source: + name: MSR 2019 Data Showcase A Dataset of Parametric Cryptographic Misuses by Wickert, Reif, Eichberg, Dodhy, and Mezini + url: https://github.com/akwick/MUBench/tree/thesis-2018-anam-dodhy diff --git a/data/mpush/misuses/2/misuse.yml b/data/mpush/misuses/2/misuse.yml new file mode 100644 index 000000000..eed367ccc --- /dev/null +++ b/data/mpush/misuses/2/misuse.yml 
@@ -0,0 +1,16 @@
+api:
+- java.security.Signature
+violations:
+- insecure/condition/transformation
+description: >
+ First parameter in Signature.getInstance(String)is with value "MD5withRSA" which should be any of {NONEwithDSA, SHA1withDSA, SHA224withDSA, SHA256withDSA, SHA256withRSA, SHA256withECDSA}
+location:
+ file: com/mpush/tools/crypto/RSAUtils.java
+ method: "verify(byte[], String, String)"
+ line: 166
+internal: false
+pattern:
+crash: false
+source:
+ name: MSR 2019 Data Showcase A Dataset of Parametric Cryptographic Misuses by Wickert, Reif, Eichberg, Dodhy, and Mezini
+ url: https://github.com/akwick/MUBench/tree/thesis-2018-anam-dodhy
diff --git a/data/mpush/misuses/3/misuse.yml b/data/mpush/misuses/3/misuse.yml
new file mode 100644
index 000000000..e1a108583
--- /dev/null
+++ b/data/mpush/misuses/3/misuse.yml
@@ -0,0 +1,16 @@
+api:
+- java.security.MessageDigest
+violations:
+- insecure/condition/transformation
+description: >
+ First parameter in MessageDigest.getInstance(String) is with value "MD5" which should be any of {SHA-256, SHA-384, SHA-512}.
+location:
+ file: com/mpush/tools/crypto/MD5Utils.java
+ method: "encrypt(File)"
+ line: 42
+internal: false
+pattern:
+crash: false
+source:
+ name: MSR 2019 Data Showcase A Dataset of Parametric Cryptographic Misuses by Wickert, Reif, Eichberg, Dodhy, and Mezini
+ url: https://github.com/akwick/MUBench/tree/thesis-2018-anam-dodhy
diff --git a/data/mpush/misuses/4/misuse.yml b/data/mpush/misuses/4/misuse.yml
new file mode 100644
index 000000000..76f1a7f5c
--- /dev/null
+++ b/data/mpush/misuses/4/misuse.yml
@@ -0,0 +1,16 @@
+api:
+- java.security.MessageDigest
+violations:
+- insecure/condition/transformation
+description: >
+ First parameter in MessageDigest.getInstance(String) is with value "MD5" which should be any of {SHA-256, SHA-384, SHA-512}.
+location:
+ file: com/mpush/tools/crypto/MD5Utils.java
+ method: "encrypt(String)"
+ line: 60
+internal: false
+pattern:
+crash: false
+source:
+ name: MSR 2019 Data Showcase A Dataset of Parametric Cryptographic Misuses by Wickert, Reif, Eichberg, Dodhy, and Mezini
+ url: https://github.com/akwick/MUBench/tree/thesis-2018-anam-dodhy
diff --git a/data/mpush/misuses/5/misuse.yml b/data/mpush/misuses/5/misuse.yml
new file mode 100644
index 000000000..e3fe448f9
--- /dev/null
+++ b/data/mpush/misuses/5/misuse.yml
@@ -0,0 +1,16 @@
+api:
+- java.security.MessageDigest
+violations:
+- insecure/condition/transformation
+description: >
+ First parameter in MessageDigest.getInstance(String) is with value "SHA-1" which should be any of {SHA-256, SHA-384, SHA-512}.
+location:
+ file: com/mpush/tools/crypto/MD5Utils.java
+ method: "sha1(String)"
+ line: 105
+internal: false
+pattern:
+crash: false
+source:
+ name: MSR 2019 Data Showcase A Dataset of Parametric Cryptographic Misuses by Wickert, Reif, Eichberg, Dodhy, and Mezini
+ url: https://github.com/akwick/MUBench/tree/thesis-2018-anam-dodhy
diff --git a/data/mpush/misuses/6/misuse.yml b/data/mpush/misuses/6/misuse.yml
new file mode 100644
index 000000000..3ac6b6076
--- /dev/null
+++ b/data/mpush/misuses/6/misuse.yml
@@ -0,0 +1,16 @@
+api:
+- java.security.MessageDigest
+violations:
+- insecure/condition/transformation
+description: >
+ First parameter in MessageDigest.getInstance(String) is with value "MD5" which should be any of {SHA-256, SHA-384, SHA-512}.
+location:
+ file: com/mpush/tools/crypto/MD5Utils.java
+ method: "encrypt(byte[])"
+ line: 70
+internal: false
+pattern:
+crash: false
+source:
+ name: MSR 2019 Data Showcase A Dataset of Parametric Cryptographic Misuses by Wickert, Reif, Eichberg, Dodhy, and Mezini
+ url: https://github.com/akwick/MUBench/tree/thesis-2018-anam-dodhy
diff --git a/data/mpush/misuses/7/misuse.yml b/data/mpush/misuses/7/misuse.yml
new file mode 100644
index 000000000..0add210fa
--- /dev/null
+++ b/data/mpush/misuses/7/misuse.yml
@@ -0,0 +1,16 @@
+api:
+- javax.crypto.spec.SecretKeySpec
+violations:
+- insecure/condition/randomization
+description: >
+ First parameter while initializing SecretKeySpec object was not properly randomized.
+location:
+ file: com/mpush/tools/crypto/MD5Utils.java
+ method: "hmacSha1(String, String)"
+ line: 91
+internal: false
+pattern:
+crash: false
+source:
+ name: MSR 2019 Data Showcase A Dataset of Parametric Cryptographic Misuses by Wickert, Reif, Eichberg, Dodhy, and Mezini
+ url: https://github.com/akwick/MUBench/tree/thesis-2018-anam-dodhy
diff --git a/data/mpush/project.yml b/data/mpush/project.yml
new file mode 100644
index 000000000..64d443571
--- /dev/null
+++ b/data/mpush/project.yml
@@ -0,0 +1,5 @@
+name: mpush
+repository:
+ type: git
+ url: https://github.com/mpusher/mpush
+url: https://github.com/mpusher/mpush
\ No newline at end of file
diff --git a/data/mpush/versions/f8d5c97/version.yml b/data/mpush/versions/f8d5c97/version.yml
new file mode 100644
index 000000000..2f2f5cd30
--- /dev/null
+++ b/data/mpush/versions/f8d5c97/version.yml
@@ -0,0 +1,14 @@
+build:
+ classes: mpush-tools/$mvn.default.classes
+ commands:
+ - mvn compile
+ src: mpush-tools/src/main/java/
+misuses:
+- '1'
+- '2'
+- '3'
+- '4'
+- '5'
+- '6'
+- '7'
+revision: f8d5c97f30b2bde12f1b60d11709ae1b75587a2e
diff --git a/data/my-blog/misuses/1/misuse.yml b/data/my-blog/misuses/1/misuse.yml
new file mode 100644
index 000000000..c6649c39f
--- /dev/null
+++ b/data/my-blog/misuses/1/misuse.yml
@@ -0,0 +1,15 @@
+api:
+- javax.crypto.spec.SecretKeySpec
+violations:
+- insecure/condition/randomization
+description: >
+ While creating the SecretKeySpec object, the first parameter was not properly randomized..
+location:
+ file: com/my/blog/website/utils/Tools.java
+ method: "enAes(String, String)"
+ line: 59
+internal: false
+pattern:
+crash: false
+source:
+ name:
diff --git a/data/my-blog/misuses/2/misuse.yml b/data/my-blog/misuses/2/misuse.yml
new file mode 100644
index 000000000..07e10c00e
--- /dev/null
+++ b/data/my-blog/misuses/2/misuse.yml
@@ -0,0 +1,15 @@
+api:
+- javax.crypto.Cipher
+violations:
+- insecure/condition/transformation
+description: >
+ First parameter in Cipher.getInstance(String) with value "AES" should be any of AES/{CBC, GCM, PCBC, CTR, CTS, CFB, OFB}
+location:
+ file: com/my/blog/website/utils/Tools.java
+ method: "enAes(String, String)"
+ line: 58
+internal: false
+pattern:
+crash: false
+source:
+ name:
diff --git a/data/my-blog/misuses/3/misuse.yml b/data/my-blog/misuses/3/misuse.yml
new file mode 100644
index 000000000..69f34ca38
--- /dev/null
+++ b/data/my-blog/misuses/3/misuse.yml
@@ -0,0 +1,15 @@
+api:
+- javax.crypto.Cipher
+violations:
+- insecure/condition/key
+description: >
+ Second parameter in cipher.init(int,java.security.Key) was not properly generatedKey
+location:
+ file: com/my/blog/website/utils/Tools.java
+ method: "enAes(String, String)"
+ line: 60
+internal: false
+pattern:
+crash: false
+source:
+ name:
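Review bot: The `source:` mapping of my-blog misuse 1 ends at a bare `name:` with no `url:`, so the entry loads with `source.name` as null and carries no provenance, unlike the 16-line entries elsewhere in this commit. The same 15-line shape appears in my-blog misuses 2 to 5, nettygameserver misuse 1 and protools misuses 1 to 8. Either fill in both keys as the other entries do, `name: MSR 2019 Data Showcase A Dataset of Parametric Cryptographic Misuses by Wickert, Reif, Eichberg, Dodhy, and Mezini` and `url: https://github.com/akwick/MUBench/tree/thesis-2018-anam-dodhy`, or state the real origin if these findings come from somewhere else. The description of misuse 1 also ends in a doubled period (`randomized..`).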
diff --git a/data/my-blog/misuses/4/misuse.yml b/data/my-blog/misuses/4/misuse.yml
new file mode 100644
index 000000000..f70ade152
--- /dev/null
+++ b/data/my-blog/misuses/4/misuse.yml
@@ -0,0 +1,15 @@
+api:
+- javax.crypto.spec.SecretKeySpec
+violations:
+- insecure/condition/randomization
+description: >
+ While creating the SecretKeySpec object, the first parameter was not properly randomized.
+location:
+ file: com/my/blog/website/utils/Tools.java
+ method: "deAes(String, String)"
+ line: 67
+internal: false
+pattern:
+crash: false
+source:
+ name:
diff --git a/data/my-blog/misuses/5/misuse.yml b/data/my-blog/misuses/5/misuse.yml
new file mode 100644
index 000000000..2d5d0001a
--- /dev/null
+++ b/data/my-blog/misuses/5/misuse.yml
@@ -0,0 +1,15 @@
+api:
+- javax.crypto.Cipher
+violations:
+- insecure/condition/transformation
+description: >
+ First parameter in Cipher.getInstance(String) with value "AES" should be any of AES/{CBC, GCM, PCBC, CTR, CTS, CFB, OFB}
+location:
+ file: com/my/blog/website/utils/Tools.java
+ method: "deAes(String, String)"
+ line: 66
+internal: false
+pattern:
+crash: false
+source:
+ name:
diff --git a/data/my-blog/misuses/6/misuse.yml b/data/my-blog/misuses/6/misuse.yml
new file mode 100644
index 000000000..369722f20
--- /dev/null
+++ b/data/my-blog/misuses/6/misuse.yml
@@ -0,0 +1,16 @@
+api:
+- javax.crypto.Cipher
+violations:
+- insecure/condition/key
+description: >
+ Second parameter in cipher.init(int,java.security.Key) was not properly generatedKey
+location:
+ file: com/my/blog/website/utils/Tools.java
+ method: "deAes(String, String)"
+ line: 68
+internal: false
+pattern:
+crash: false
+source:
+ name: MSR 2019 Data Showcase A Dataset of Parametric Cryptographic Misuses by Wickert, Reif, Eichberg, Dodhy, and Mezini
+ url: https://github.com/akwick/MUBench/tree/thesis-2018-anam-dodhy
diff --git a/data/my-blog/misuses/7/misuse.yml b/data/my-blog/misuses/7/misuse.yml
new file mode 100644
index 000000000..ea4862d61
--- /dev/null
+++ b/data/my-blog/misuses/7/misuse.yml
@@ -0,0 +1,16 @@
+api:
+- java.security.MessageDigest
+violations:
+- insecure/condition/transformation
+description: >
+ First parameter in MessageDigest.getInstance(String) with value "MD5" should be any of {SHA-256, SHA-384, SHA-512}
+location:
+ file: com/my/blog/website/utils/TaleUtils.java
+ method: "MD5encode(String)"
+ line: 106
+internal: false
+pattern:
+crash: false
+source:
+ name: MSR 2019 Data Showcase A Dataset of Parametric Cryptographic Misuses by Wickert, Reif, Eichberg, Dodhy, and Mezini
+ url: https://github.com/akwick/MUBench/tree/thesis-2018-anam-dodhy
diff --git a/data/my-blog/project.yml b/data/my-blog/project.yml
new file mode 100644
index 000000000..85de26a97
--- /dev/null
+++ b/data/my-blog/project.yml
@@ -0,0 +1,5 @@
+name: my-blog
+repository:
+ type: git
+ url: https://github.com/ZHENFENG13/My-Blog
+url: https://github.com/ZHENFENG13/My-Blog
\ No newline at end of file
diff --git a/data/my-blog/versions/2da238a/version.yml b/data/my-blog/versions/2da238a/version.yml
new file mode 100644
index 000000000..787295aca
--- /dev/null
+++ b/data/my-blog/versions/2da238a/version.yml
@@ -0,0 +1,14 @@
+build:
+ classes: $mvn.default.classes
+ commands:
+ - mvn compile
+ src: src/main/java/
+misuses:
+- '1'
+- '2'
+- '3'
+- '4'
+- '5'
+- '6'
+- '7'
+revision: 2da238a175dfb5002bc595806e835a399fc9ee03
diff --git a/data/nettygameserver/misuses/1/correct-usages/ConstructPBEKeySpec.java b/data/nettygameserver/misuses/1/correct-usages/ConstructPBEKeySpec.java
new file mode 100644
index 000000000..592f6d2fe
--- /dev/null
+++ b/data/nettygameserver/misuses/1/correct-usages/ConstructPBEKeySpec.java
@@ -0,0 +1,7 @@
+import javax.crypto.spec.PBEKeySpec;
+
+public class ConstructPBEKeySpec{
+ public void pattern(char[] password, byte[] salt, int keylength) {
+ PBEKeySpec pks = new PBEKeySpec(password, salt, 15000, keylength);
+ }
+}
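Review bot: `pattern` in ConstructPBEKeySpec.java builds the `PBEKeySpec` but never clears it, so the password copy held inside the spec stays in memory for as long as the object is reachable. Since this file is the reference for correct usage, add `pks.clearPassword();` as the last statement of `pattern`, after the point where the spec would be consumed. A one-line comment that the iteration count of 15000 is the property this pattern demonstrates, and that `salt` is expected to come from a `SecureRandom`, would make the example self-explanatory.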
diff --git a/data/nettygameserver/misuses/1/misuse.yml b/data/nettygameserver/misuses/1/misuse.yml
new file mode 100644
index 000000000..beac77d56
--- /dev/null
+++ b/data/nettygameserver/misuses/1/misuse.yml
@@ -0,0 +1,15 @@
+api:
+- javax.crypto.spec.PBEKeySpec
+violations:
+- insecure/condition/iteration_count
+description: >
+ The third parameter of PBEKeySpec(passPhrase.toCharArray(), byte[], int) is the Iteration count with 17 value which should be greater than 10000
+location:
+ file: com/snowcattle/game/common/util/DesEncrypter.java
+ method: "DesEncrypter(String, byte[])"
+ line: 34
+internal: false
+pattern:
+crash: false
+source:
+ name:
diff --git a/data/nettygameserver/misuses/2/correct-usages/ConstructCipher.java b/data/nettygameserver/misuses/2/correct-usages/ConstructCipher.java
new file mode 100644
index 000000000..f07c81b52
--- /dev/null
+++ b/data/nettygameserver/misuses/2/correct-usages/ConstructCipher.java
@@ -0,0 +1,9 @@
+import javax.crypto.Cipher;
+import java.security.NoSuchAlgorithmException;
+import javax.crypto.NoSuchPaddingException;
+
+public class ConstructCipher {
+ public void pattern() throws NoSuchAlgorithmException, NoSuchPaddingException {
+ Cipher c = Cipher.getInstance("PBEWithHmacSHA224AndAES_128");
+ }
+}
diff --git a/data/nettygameserver/misuses/2/misuse.yml b/data/nettygameserver/misuses/2/misuse.yml
new file mode 100644
index 000000000..360d93e01
--- /dev/null
+++ b/data/nettygameserver/misuses/2/misuse.yml
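Review bot: The correct-usage pattern added for nettygameserver misuse 2 calls `Cipher.getInstance("PBEWithHmacSHA224AndAES_128")`, while the paired misuse.yml says the flagged `"AES"` should become one of `AES/{CBC, GCM, PCBC, CTR, CTS, CFB, OFB}`, so the pattern and the description recommend different things. If the intent is to show the fix for a bare `"AES"` transformation, `Cipher c = Cipher.getInstance("AES/GCM/NoPadding");` would match the description; if a password-based cipher is really the intended replacement, the description should say so. The identical ConstructCipher.java is added for misuse 3 and has the same mismatch.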
@@ -0,0 +1,16 @@
+api:
+- javax.crypto.Cipher
+violations:
+- insecure/condition/transformation
+description: >
+ First parameter in Cipher.getInstance(String) with value "AES" should be any of AES/{CBC, GCM, PCBC, CTR, CTS, CFB, OFB}
+location:
+ file: com/snowcattle/game/common/util/AES.java
+ method: "encrypt(byte[], String)"
+ line: 30
+internal: false
+pattern:
+crash: false
+source:
+ name: MSR 2019 Data Showcase A Dataset of Parametric Cryptographic Misuses by Wickert, Reif, Eichberg, Dodhy, and Mezini
+ url: https://github.com/akwick/MUBench/tree/thesis-2018-anam-dodhy
diff --git a/data/nettygameserver/misuses/3/correct-usages/ConstructCipher.java b/data/nettygameserver/misuses/3/correct-usages/ConstructCipher.java
new file mode 100644
index 000000000..f07c81b52
--- /dev/null
+++ b/data/nettygameserver/misuses/3/correct-usages/ConstructCipher.java
@@ -0,0 +1,9 @@
+import javax.crypto.Cipher;
+import java.security.NoSuchAlgorithmException;
+import javax.crypto.NoSuchPaddingException;
+
+public class ConstructCipher {
+ public void pattern() throws NoSuchAlgorithmException, NoSuchPaddingException {
+ Cipher c = Cipher.getInstance("PBEWithHmacSHA224AndAES_128");
+ }
+}
diff --git a/data/nettygameserver/misuses/3/misuse.yml b/data/nettygameserver/misuses/3/misuse.yml
new file mode 100644
index 000000000..1bd46c7d6
--- /dev/null
+++ b/data/nettygameserver/misuses/3/misuse.yml
@@ -0,0 +1,16 @@
+api:
+- javax.crypto.Cipher
+violations:
+- insecure/condition/transformation
+description: >
+ First parameter in Cipher.getInstance(String) with value "AES" should be any of AES/{CBC, GCM, PCBC, CTR, CTS, CFB, OFB}
+location:
+ file: com/snowcattle/game/common/util/AES.java
+ method: "decrypt(byte[], String)"
+ line: 44
+internal: false
+pattern:
+crash: false
+source:
+ name: MSR 2019 Data Showcase A Dataset of Parametric Cryptographic Misuses by Wickert, Reif, Eichberg, Dodhy, and Mezini
+ url: https://github.com/akwick/MUBench/tree/thesis-2018-anam-dodhy
diff --git a/data/nettygameserver/misuses/4/correct-usages/ConstructMessageDigest.java b/data/nettygameserver/misuses/4/correct-usages/ConstructMessageDigest.java
new file mode 100644
index 000000000..f95777c59
--- /dev/null
+++ b/data/nettygameserver/misuses/4/correct-usages/ConstructMessageDigest.java
@@ -0,0 +1,9 @@
+import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
+import javax.crypto.NoSuchPaddingException;
+
+public class ConstructMessageDigest{
+ public void pattern() throws NoSuchAlgorithmException, NosuchPaddingException{
+ MessageDigest md = MessageDigest.getInstance("SHA-512");
+ }
+}
diff --git a/data/nettygameserver/misuses/4/misuse.yml b/data/nettygameserver/misuses/4/misuse.yml
new file mode 100644
index 000000000..bd61c9e17
--- /dev/null
+++ b/data/nettygameserver/misuses/4/misuse.yml
@@ -0,0 +1,16 @@
+api:
+- java.security.MessageDigest
+violations:
+- insecure/condition/transformation
+description: >
+ First parameter in MessageDigest.getInstance(String) with value "MD5" should be any of {"SHA-256", "SHA-384", "SHA-512"}.
+location:
+ file: com/snowcattle/game/common/util/MD5Util.java
+ method: "encodeByMD5(String)"
+ line: 47
+internal: false
+pattern:
+crash: false
+source:
+ name: MSR 2019 Data Showcase A Dataset of Parametric Cryptographic Misuses by Wickert, Reif, Eichberg, Dodhy, and Mezini
+ url: https://github.com/akwick/MUBench/tree/thesis-2018-anam-dodhy
diff --git a/data/nettygameserver/project.yml b/data/nettygameserver/project.yml
new file mode 100644
index 000000000..abb373ec1
--- /dev/null
+++ b/data/nettygameserver/project.yml
@@ -0,0 +1,5 @@
+name: NettyGameServer
+repository:
+ type: git
+ url: https://github.com/jwpttcg66/NettyGameServer
+url: https://github.com/jwpttcg66/NettyGameServer
\ No newline at end of file
diff --git a/data/nettygameserver/versions/c069be1/version.yml b/data/nettygameserver/versions/c069be1/version.yml
new file mode 100644
index 000000000..c996b6ce4
--- /dev/null
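Review bot: ConstructMessageDigest.java will not compile, because the `throws` clause of `pattern` names `NosuchPaddingException` (lower-case `s`), which does not match the imported `javax.crypto.NoSuchPaddingException`. `MessageDigest.getInstance(String)` declares only `NoSuchAlgorithmException`, so the simplest fix is `public void pattern() throws NoSuchAlgorithmException {` together with removing the `NoSuchPaddingException` import. A correct-usage file that fails to compile presumably breaks whatever tooling consumes these patterns, so it is worth fixing before merge.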
+++ b/data/nettygameserver/versions/c069be1/version.yml
@@ -0,0 +1,11 @@
+build:
+ classes: game-common/$mvn.default.classes
+ commands:
+ - mvn compile
+ src: game-common/src/main/java/
+misuses:
+- '1'
+- '2'
+- '3'
+- '4'
+revision: c069be1ff943da0562ad27caafe98dc88e4751f7
diff --git a/data/pig/misuses/1/misuse.yml b/data/pig/misuses/1/misuse.yml
new file mode 100644
index 000000000..195348194
--- /dev/null
+++ b/data/pig/misuses/1/misuse.yml
@@ -0,0 +1,16 @@
+api:
+- javax.crypto.spec.SecretKeySpec
+violations:
+- insecure/condition/randomization
+description: >
+ First parameter while creating the SecretKeySpec object i.e. new SecretKeySpec(byte[],String) was not properly randomized
+location:
+ file: com/github/pig/gateway/component/filter/DecodePasswordFilter.java
+ method: "decryptAES(String, String)"
+ line: 107
+internal: false
+pattern:
+crash: false
+source:
+ name: MSR 2019 Data Showcase A Dataset of Parametric Cryptographic Misuses by Wickert, Reif, Eichberg, Dodhy, and Mezini
+ url: https://github.com/akwick/MUBench/tree/thesis-2018-anam-dodhy
diff --git a/data/pig/misuses/2/misuse.yml b/data/pig/misuses/2/misuse.yml
new file mode 100644
index 000000000..9e8bd33d1
--- /dev/null
+++ b/data/pig/misuses/2/misuse.yml
@@ -0,0 +1,16 @@
+api:
+- javax.crypto.Cipher
+violations:
+- insecure/condition/transformation
+description: >
+ First parameter in Cipher.getInstance(String) is with value "AES/CBC/NOPadding" which should be any of AES/CBC/{Empty String, PKCS7Padding, PKCS5Padding, ISO10126Padding}.
+location:
+ file: com/github/pig/gateway/component/filter/DecodePasswordFilter.java
+ method: "decryptAES(String, String)"
+ line: 106
+internal: false
+pattern:
+crash: false
+source:
+ name: MSR 2019 Data Showcase A Dataset of Parametric Cryptographic Misuses by Wickert, Reif, Eichberg, Dodhy, and Mezini
+ url: https://github.com/akwick/MUBench/tree/thesis-2018-anam-dodhy
diff --git a/data/pig/misuses/3/misuse.yml b/data/pig/misuses/3/misuse.yml
new file mode 100644
index 000000000..a7c09ff92
--- /dev/null
+++ b/data/pig/misuses/3/misuse.yml
@@ -0,0 +1,16 @@
+api:
+- javax.crypto.spec.IvParameterSpec
+violations:
+- insecure/condition/randomization
+description: >
+ First parameter while creating IvParameterSpec object i.e. new IvParameterSpec(byte[]) was not properly randomized
+location:
+ file: com/github/pig/gateway/component/filter/DecodePasswordFilter.java
+ method: "decryptAES(String, String)"
+ line: 108
+internal: false
+pattern:
+crash: false
+source:
+ name: MSR 2019 Data Showcase A Dataset of Parametric Cryptographic Misuses by Wickert, Reif, Eichberg, Dodhy, and Mezini
+ url: https://github.com/akwick/MUBench/tree/thesis-2018-anam-dodhy
diff --git a/data/pig/misuses/4/misuse.yml b/data/pig/misuses/4/misuse.yml
new file mode 100644
index 000000000..d86f5b351
--- /dev/null
+++ b/data/pig/misuses/4/misuse.yml
@@ -0,0 +1,16 @@
+api:
+- javax.crypto.Cipher
+violations:
+- insecure/condition/key
+description: >
+ Second parameter in cipher.init(int,SecretKeySpec,IvParameterSpec) was not properly generatedKey
+location:
+ file: com/github/pig/gateway/component/filter/DecodePasswordFilter.java
+ method: "decryptAES(String, String)"
+ line: 109
+internal: false
+pattern:
+crash: false
+source:
+ name: MSR 2019 Data Showcase A Dataset of Parametric Cryptographic Misuses by Wickert, Reif, Eichberg, Dodhy, and Mezini
+ url: https://github.com/akwick/MUBench/tree/thesis-2018-anam-dodhy
diff --git a/data/pig/project.yml b/data/pig/project.yml
new file mode 100644
index 000000000..b0cd99f9d
--- /dev/null
+++ b/data/pig/project.yml
@@ -0,0 +1,5 @@
+name: pig
+repository:
+ type: git
+ url: https://github.com/pig4cloud/pig
+url: https://github.com/pig4cloud/pig
\ No newline at end of file
diff --git a/data/pig/versions/579bc2c/version.yml b/data/pig/versions/579bc2c/version.yml
new file mode 100644
index 000000000..c28ead360
--- /dev/null
+++ b/data/pig/versions/579bc2c/version.yml
@@ -0,0 +1,11 @@
+build:
+ classes: pig-gateway/$mvn.default.classes
+ commands:
+ - mvn compile
+ src: pig-gateway/src/main/java/
+misuses:
+- '1'
+- '2'
+- '3'
+- '4'
+revision: 579bc2c0c6db1cfa687e66051f11ca64d0a3578e
diff --git a/data/protools/misuses/1/misuse.yml b/data/protools/misuses/1/misuse.yml
new file mode 100644
index 000000000..c29ded204
--- /dev/null
+++ b/data/protools/misuses/1/misuse.yml
@@ -0,0 +1,15 @@
+api:
+- javax.crypto.spec.PBEParameterSpec
+violations:
+- insecure/condition/iteration_count
+description: >
+ While creating the PBEParameterSpec object i.e. new PBEParameterSpec(byte[], int), second parameter (iteration count) value is 512 which should be greater than 1000.
+location:
+ file: pro/tools/security/ToolPBE.java
+ method: "encrypt(byte[], String, byte[])"
+ line: 115
+internal: false
+pattern:
+crash: false
+source:
+ name:
diff --git a/data/protools/misuses/2/misuse.yml b/data/protools/misuses/2/misuse.yml
new file mode 100644
index 000000000..dc4815857
--- /dev/null
+++ b/data/protools/misuses/2/misuse.yml
@@ -0,0 +1,15 @@
+api:
+- javax.crypto.spec.PBEParameterSpec
+violations:
+- insecure/condition/iteration_count
+description: >
+ While creating the PBEParameterSpec object i.e. new PBEParameterSpec(byte[], int), second parameter (iteration count) value is 100 which should be greater than 1000.
+location:
+ file: pro/tools/security/ToolPBE.java
+ method: "decrypt(byte[], String, byte[])"
+ line: 147
+internal: false
+pattern:
+crash: false
+source:
+ name:
diff --git a/data/protools/misuses/3/misuse.yml b/data/protools/misuses/3/misuse.yml
new file mode 100644
index 000000000..7ab5069f7
--- /dev/null
+++ b/data/protools/misuses/3/misuse.yml
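Review bot: The iteration-count bound in the `description` of protools misuse 1 (`should be greater than 1000`) disagrees with nettygameserver misuse 1 in this same commit, which states `should be greater than 10000` for the same violation type `insecure/condition/iteration_count`. Protools misuse 2 repeats the 1000 figure. One bound should be used in all three descriptions; the nettygameserver correct-usage file uses 15000, which suggests 10000 is the intended limit. The recorded values also differ between `encrypt` (512) and `decrypt` (100) in the same ToolPBE.java, which is worth re-checking against the source, since mismatched counts would presumably not round-trip.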
@@ -0,0 +1,15 @@
+api:
+- javax.crypto.SecretKeyFactory
+violations:
+- insecure/condition/transformation
+description: >
+ First parameter in SecretKeyFactory.getInstance(String) with value "DESede" should be AES with key length between (128, 192, 256).
+location:
+ file: pro/tools/security/ToolDESede.java
+ method: "toKey(byte[])"
+ line: 53
+internal: false
+pattern:
+crash: false
+source:
+ name:
diff --git a/data/protools/misuses/4/misuse.yml b/data/protools/misuses/4/misuse.yml
new file mode 100644
index 000000000..d9385d347
--- /dev/null
+++ b/data/protools/misuses/4/misuse.yml
@@ -0,0 +1,15 @@
+api:
+- javax.crypto.Cipher
+violations:
+- insecure/condition/transformation
+description: >
+ First parameter in Cipher.getInstance(String) is with value "DESede/ECB/PKCS5Padding" where ECB should not be used with DESede
+location:
+ file: pro/tools/security/ToolDESede.java
+ method: "decrypt(byte[], byte[])"
+ line: 81
+internal: false
+pattern:
+crash: false
+source:
+ name:
diff --git a/data/protools/misuses/5/misuse.yml b/data/protools/misuses/5/misuse.yml
new file mode 100644
index 000000000..998207bbd
--- /dev/null
+++ b/data/protools/misuses/5/misuse.yml
@@ -0,0 +1,15 @@
+api:
+- javax.crypto.Cipher
+violations:
+- insecure/condition/transformation
+description: >
+ First parameter in Cipher.getInstance(String) is with value "DESede/ECB/PKCS5Padding" where ECB should not be used with DESede
+location:
+ file: pro/tools/security/ToolDESede.java
+ method: "encrypt(byte[], byte[])"
+ line: 110
+internal: false
+pattern:
+crash: false
+source:
+ name:
diff --git a/data/protools/misuses/6/misuse.yml b/data/protools/misuses/6/misuse.yml
new file mode 100644
index 000000000..c9ad54bd0
--- /dev/null
+++ b/data/protools/misuses/6/misuse.yml
@@ -0,0 +1,15 @@
+api:
+- javax.crypto.SecretKeyFactory
+violations:
+- insecure/condition/transformation
+description: >
+ First parameter in SecretKeyFactory.getInstance(String) with value "DES" should be AES with key length between (128, 192, 256).
+location:
+ file: pro/tools/security/ToolDES.java
+ method: "toKey(byte[])"
+ line: 56
+internal: false
+pattern:
+crash: false
+source:
+ name:
diff --git a/data/protools/misuses/7/misuse.yml b/data/protools/misuses/7/misuse.yml
new file mode 100644
index 000000000..fba6a149c
--- /dev/null
+++ b/data/protools/misuses/7/misuse.yml
@@ -0,0 +1,15 @@
+api:
+- javax.crypto.Cipher
+violations:
+- insecure/condition/transformation
+description: >
+ First parameter in Cipher.getInstance(String) is with value "DES/ECB/PKCS5Padding" where DES and ECB should not be used.
+location:
+ file: pro/tools/security/ToolDES.java
+ method: "decrypt(byte[], byte[])"
+ line: 82
+internal: false
+pattern:
+crash: false
+source:
+ name:
diff --git a/data/protools/misuses/8/misuse.yml b/data/protools/misuses/8/misuse.yml
new file mode 100644
index 000000000..75a4fd6f3
--- /dev/null
+++ b/data/protools/misuses/8/misuse.yml
@@ -0,0 +1,15 @@
+api:
+- javax.crypto.Cipher
+violations:
+- insecure/condition/transformation
+description: >
+ First parameter in Cipher.getInstance(String) is with value "DES/ECB/PKCS5Padding" where DES and ECB should not be used.
+location:
+ file: pro/tools/security/ToolDES.java
+ method: "encrypt(byte[], byte[])"
+ line: 109
+internal: false
+pattern:
+crash: false
+source:
+ name:
diff --git a/data/protools/project.yml b/data/protools/project.yml
new file mode 100644
index 000000000..73d8f78c9
--- /dev/null
+++ b/data/protools/project.yml
@@ -0,0 +1,5 @@
+name: protools
+repository:
+ type: git
+ url: https://github.com/SeanDragon/protools
+url: https://github.com/SeanDragon/protools
\ No newline at end of file
diff --git a/data/protools/versions/2ae1f34/version.yml b/data/protools/versions/2ae1f34/version.yml
new file mode 100644
index 000000000..6750964c5
--- /dev/null
+++ b/data/protools/versions/2ae1f34/version.yml
@@ -0,0 +1,15 @@
+build:
+ classes: security/$mvn.default.classes
+ commands:
+ - mvn compile
+ src: security/src/main/java/
+misuses:
+- '1'
+- '2'
+- '3'
+- '4'
+- '5'
+- '6'
+- '7'
+- '8'
+revision: 2ae1f34bfd95075f43319ed70505fcc9caafa29b
diff --git a/data/public-cms/misuses/1/misuse.yml b/data/public-cms/misuses/1/misuse.yml
new file mode 100644
index 000000000..eb64ef890
--- /dev/null
+++ b/data/public-cms/misuses/1/misuse.yml
@@ -0,0 +1,16 @@
+api:
+- javax.crypto.Cipher
+violations:
+- insecure/condition/transformation
+description: >
+ First parameter in Cipher.getInstance(String) is with value "DESede" which should be any of DESede/{CBC, PCBC, CTR, CTS, CFB, OFB}
+location:
+ file: publiccms-parent/publiccms-common/src/main/java/com/publiccms/common/tools/VerificationUtils.java
+ method: "decrypt(byte[],String)"
+ line: 309
+internal: false
+pattern:
+crash: false
+source:
+ name: MSR 2019 Data Showcase A Dataset of Parametric Cryptographic Misuses by Wickert, Reif, Eichberg, Dodhy, and Mezini
+ url: https://github.com/akwick/MUBench/tree/thesis-2018-anam-dodhy
diff --git a/data/public-cms/misuses/2/misuse.yml b/data/public-cms/misuses/2/misuse.yml
new file mode 100644
index 000000000..bab7a3bf6
--- /dev/null
+++ b/data/public-cms/misuses/2/misuse.yml
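Review bot: `location.file` in public-cms misuse 1 is a repository-rooted path (`publiccms-parent/publiccms-common/src/main/java/com/publiccms/...`), whereas the other entries in this commit give the path relative to the version's `build.src` directory, for example `com/jobxhub/common/util/DigestUtils.java` alongside `src: jobx-common/src/main/java/`. The public-cms version.yml is not part of this hunk, so this may still resolve if its `src` is the repository root; otherwise the misuse location will not be found. If `src` points at the Java source root, the value should be `file: com/publiccms/common/tools/VerificationUtils.java`. Misuses 2 to 5 use the same path and would need the same change.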
@@ -0,0 +1,16 @@ +api: +- javax.crypto.SecretKeyFactory +violations: +- insecure/condition/transformation +description: > + cipherALG in SecretKeyFactory.getInstance(String) should be AES with key length between (128, 192, 256) instead of given DESede. +location: + file: publiccms-parent/publiccms-common/src/main/java/com/publiccms/common/tools/VerificationUtils.java + method: "decrypt(byte[],String)" + line: 307 +internal: false +pattern: +crash: false +source: + name: MSR 2019 Data Showcase A Dataset of Parametric Cryptographic Misuses by Wickert, Reif, Eichberg, Dodhy, and Mezini + url: https://github.com/akwick/MUBench/tree/thesis-2018-anam-dodhy diff --git a/data/public-cms/misuses/3/misuse.yml b/data/public-cms/misuses/3/misuse.yml new file mode 100644 index 000000000..cfe5d9f8a --- /dev/null +++ b/data/public-cms/misuses/3/misuse.yml @@ -0,0 +1,16 @@ +api: +- javax.crypto.Cipher +violations: +- insecure/condition/key +description: > + Second parameter while initializing Cipher object was not properly generatedKey. +location: + file: publiccms-parent/publiccms-common/src/main/java/com/publiccms/common/tools/VerificationUtils.java + method: "decrypt(byte[],String)" + line: 310 +internal: false +pattern: +crash: false +source: + name: MSR 2019 Data Showcase A Dataset of Parametric Cryptographic Misuses by Wickert, Reif, Eichberg, Dodhy, and Mezini + url: https://github.com/akwick/MUBench/tree/thesis-2018-anam-dodhy diff --git a/data/public-cms/misuses/4/misuse.yml b/data/public-cms/misuses/4/misuse.yml new file mode 100644 index 000000000..73fba8046 --- /dev/null +++ b/data/public-cms/misuses/4/misuse.yml 
@@ -0,0 +1,16 @@ +api: +- javax.crypto.SecretKeyFactory +violations: +- insecure/condition/transformation +description: > + cipherALG in SecretKeyFactory.getInstance(String) should be AES with key length between (128, 192, 256) instead of given DESede. +location: + file: publiccms-parent/publiccms-common/src/main/java/com/publiccms/common/tools/VerificationUtils.java + method: "encrypt(String,String)" + line: 286 +internal: false +pattern: +crash: false +source: + name: MSR 2019 Data Showcase A Dataset of Parametric Cryptographic Misuses by Wickert, Reif, Eichberg, Dodhy, and Mezini + url: https://github.com/akwick/MUBench/tree/thesis-2018-anam-dodhy diff --git a/data/public-cms/misuses/5/misuse.yml b/data/public-cms/misuses/5/misuse.yml new file mode 100644 index 000000000..e1d6f3e1f --- /dev/null +++ b/data/public-cms/misuses/5/misuse.yml @@ -0,0 +1,16 @@ +api: +- javax.crypto.Cipher +violations: +- insecure/condition/transformation +description: > + First parameter in Cipher.getInstance(String) is with value "DESede" which should be any of DESede/{CBC, PCBC, CTR, CTS, CFB, OFB} +location: + file: publiccms-parent/publiccms-common/src/main/java/com/publiccms/common/tools/VerificationUtils.java + method: "encrypt(String,String)" + line: 287 +internal: false +pattern: +crash: false +source: + name: MSR 2019 Data Showcase A Dataset of Parametric Cryptographic Misuses by Wickert, Reif, Eichberg, Dodhy, and Mezini + url: https://github.com/akwick/MUBench/tree/thesis-2018-anam-dodhy diff --git a/data/public-cms/misuses/6/misuse.yml b/data/public-cms/misuses/6/misuse.yml new file mode 100644 index 000000000..ece1898e6 --- /dev/null +++ b/data/public-cms/misuses/6/misuse.yml 
@@ -0,0 +1,16 @@ +api: +- javax.crypto.Cipher +violations: +- insecure/condition/key +description: > + Second parameter while initializing Cipher object was not properly generatedKey. +location: + file: publiccms-parent/publiccms-common/src/main/java/com/publiccms/common/tools/VerificationUtils.java + method: "decrypt(byte[],String)" + line: 288 +internal: false +pattern: +crash: false +source: + name: MSR 2019 Data Showcase A Dataset of Parametric Cryptographic Misuses by Wickert, Reif, Eichberg, Dodhy, and Mezini + url: https://github.com/akwick/MUBench/tree/thesis-2018-anam-dodhy diff --git a/data/public-cms/misuses/7/misuse.yml b/data/public-cms/misuses/7/misuse.yml new file mode 100644 index 000000000..43ea835c1 --- /dev/null +++ b/data/public-cms/misuses/7/misuse.yml @@ -0,0 +1,16 @@ +api: +- java.security.Signature +violations: +- insecure/condition/transformation +description: > + First parameter in Signature.getInstance(String) is with value "MD5withRSA" which should be any of {NONEwithDSA, SHA1withDSA, SHA224withDSA, SHA256withDSA, SHA256withRSA, SHA256withECDSA} +location: + file: publiccms-parent/publiccms-common/src/main/java/com/publiccms/common/tools/VerificationUtils.java + method: "publicKeyVerify(byte[],byte[],byte[])" + line: 119 +internal: false +pattern: +crash: false +source: + name: MSR 2019 Data Showcase A Dataset of Parametric Cryptographic Misuses by Wickert, Reif, Eichberg, Dodhy, and Mezini + url: https://github.com/akwick/MUBench/tree/thesis-2018-anam-dodhy diff --git a/data/public-cms/misuses/8/misuse.yml b/data/public-cms/misuses/8/misuse.yml new file mode 100644 index 000000000..65543a23a --- /dev/null +++ b/data/public-cms/misuses/8/misuse.yml 
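Review bot: `method: "decrypt(byte[],String)"` with `line: 288` in public-cms misuse 6 does not fit the neighbouring entries: misuses 4 and 5 place lines 286 and 287 in `encrypt(String,String)`, and misuses 1 to 3 place `decrypt(byte[],String)` at lines 307 to 310. This looks like a copy of misuse 3; if line 288 is the cipher initialisation on the encrypt path, the entry should read `method: "encrypt(String,String)"`. A wrong method name would score a detector's correct finding against the wrong location, so it is worth checking against revision f2c72f0.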
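Review bot: The allow-list in the public-cms misuse 7 description includes `NONEwithDSA` and `SHA1withDSA`, which sits oddly with the MessageDigest entries in the same dataset that flag SHA-1 (public-cms misuse 9, telegram-server misuse 2). A reader using the description as remediation guidance could move from `MD5withRSA` to a SHA-1 based signature and still be flagged elsewhere. I would trim the list to the SHA-2 variants, `{SHA256withRSA, SHA256withECDSA, SHA256withDSA}`, or say that the list mirrors the rule set rather than a recommendation. Misuse 8 carries the same text.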
@@ -0,0 +1,16 @@ +api: +- java.security.Signature +violations: +- insecure/condition/transformation +description: > + First parameter in Signature.getInstance(String) is with value "MD5withRSA" which should be any of {NONEwithDSA, SHA1withDSA, SHA224withDSA, SHA256withDSA, SHA256withRSA, SHA256withECDSA} +location: + file: publiccms-parent/publiccms-common/src/main/java/com/publiccms/common/tools/VerificationUtils.java + method: "privateKeySign(byte[],byte[])" + line: 137 +internal: false +pattern: +crash: false +source: + name: MSR 2019 Data Showcase A Dataset of Parametric Cryptographic Misuses by Wickert, Reif, Eichberg, Dodhy, and Mezini + url: https://github.com/akwick/MUBench/tree/thesis-2018-anam-dodhy diff --git a/data/public-cms/misuses/9/misuse.yml b/data/public-cms/misuses/9/misuse.yml new file mode 100644 index 000000000..08373ae75 --- /dev/null +++ b/data/public-cms/misuses/9/misuse.yml @@ -0,0 +1,16 @@ +api: +- java.security.MessageDigest +violations: +- insecure/condition/transformation +description: > + First parameter in MessageDigest.getInstance(String) can have values {SHA-1 or MD5} when this function is called which should be any of {SHA-256, SHA-384, SHA-512} +location: + file: publiccms-parent/publiccms-common/src/main/java/com/publiccms/common/tools/VerificationUtils.java + method: "encode(String,String)" + line: 246 +internal: false +pattern: +crash: false +source: + name: MSR 2019 Data Showcase A Dataset of Parametric Cryptographic Misuses by Wickert, Reif, Eichberg, Dodhy, and Mezini + url: https://github.com/akwick/MUBench/tree/thesis-2018-anam-dodhy diff --git a/data/public-cms/project.yml b/data/public-cms/project.yml new file mode 100644 index 000000000..f593754d7 --- /dev/null +++ b/data/public-cms/project.yml @@ -0,0 +1,5 @@ +name: public-cms +repository: + type: git + url: https://github.com/sanluan/PublicCMS +url: https://github.com/sanluan/PublicCMS \ No newline at end of file 
diff --git a/data/public-cms/versions/f2c72f0/version.yml b/data/public-cms/versions/f2c72f0/version.yml new file mode 100644 index 000000000..62c15f5d5 --- /dev/null +++ b/data/public-cms/versions/f2c72f0/version.yml @@ -0,0 +1,16 @@ +build: + classes: publiccms-parent/publiccms-common/$mvn.default.classes + commands: + - cd publiccms-parent & mvn clean compile + src: publiccms-parent/publiccms-common/src +misuses: +- '1' +- '2' +- '3' +- '4' +- '5' +- '6' +- '7' +- '8' +- '9' +revision: f2c72f0bffe4d739172841dc0901f5883b71f77b diff --git a/data/saturn-console-api/misuses/1/misuse.yml b/data/saturn-console-api/misuses/1/misuse.yml new file mode 100644 index 000000000..9aa415e1e --- /dev/null +++ b/data/saturn-console-api/misuses/1/misuse.yml @@ -0,0 +1,16 @@ +api: +- java.security.MessageDigest +violations: +- insecure/condition/transformation +description: > + First parameter in MessageDigest.getInstance(String) is with value "MD5" should be any of {SHA-256, SHA-384, SHA-512}. +location: + file: com/vip/saturn/job/console/utils/MD5Utils.java + method: "getMD5Code(byte[])" + line: 27 +internal: false +pattern: +crash: false +source: + name: MSR 2019 Data Showcase A Dataset of Parametric Cryptographic Misuses by Wickert, Reif, Eichberg, Dodhy, and Mezini + url: https://github.com/akwick/MUBench/tree/thesis-2018-anam-dodhy diff --git a/data/saturn-console-api/project.yml b/data/saturn-console-api/project.yml new file mode 100644 index 000000000..eaee0be96 --- /dev/null +++ b/data/saturn-console-api/project.yml @@ -0,0 +1,5 @@ +name: saturn-console-api +repository: + type: git + url: https://github.com/vipshop/Saturn +url: https://github.com/vipshop/Saturn \ No newline at end of file diff --git a/data/saturn-console-api/versions/69bb353/version.yml b/data/saturn-console-api/versions/69bb353/version.yml new file mode 100644 index 000000000..acd5d1411 --- /dev/null +++ b/data/saturn-console-api/versions/69bb353/version.yml 
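Review bot: `cd publiccms-parent & mvn clean compile` uses a single `&`, which in a POSIX shell runs `cd` as a background job and then starts `mvn` in the original directory; only cmd.exe treats `&` as a sequential separator. If the build commands are run through sh or bash (not visible here), the compile happens outside `publiccms-parent`. `cd publiccms-parent && mvn clean compile` works in both shells and also stops when the directory is missing. The symmetric-ds version.yml has the same pattern in `cd symmetric-assemble & ./gradlew develop`.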
@@ -0,0 +1,8 @@ +build: + classes: saturn-console-api/$mvn.default.classes + commands: + - mvn clean compile + src: saturn-console-api/src/main/java/ +misuses: +- '1' +revision: 69bb353d31e63ddf16f5fcf501c4873332f4c370 diff --git a/data/saturn-console-core/misuses/1/misuse.yml b/data/saturn-console-core/misuses/1/misuse.yml new file mode 100644 index 000000000..c3e05ada5 --- /dev/null +++ b/data/saturn-console-core/misuses/1/misuse.yml @@ -0,0 +1,16 @@ +api: +- java.security.MessageDigest +violations: +- insecure/condition/transformation +description: > + First parameter in MessageDigest.getInstance(String) is with value "MD5" should be any of {SHA-256, SHA-384, SHA-512}. +location: + file: com/vip/saturn/job/console/utils/MD5Utils.java + method: "getMD5Code(byte[])" + line: 22 +internal: false +pattern: +crash: false +source: + name: MSR 2019 Data Showcase A Dataset of Parametric Cryptographic Misuses by Wickert, Reif, Eichberg, Dodhy, and Mezini + url: https://github.com/akwick/MUBench/tree/thesis-2018-anam-dodhy diff --git a/data/saturn-console-core/project.yml b/data/saturn-console-core/project.yml new file mode 100644 index 000000000..1c117947f --- /dev/null +++ b/data/saturn-console-core/project.yml @@ -0,0 +1,5 @@ +name: saturn-console-core +repository: + type: git + url: https://github.com/vipshop/Saturn +url: https://github.com/vipshop/Saturn \ No newline at end of file diff --git a/data/saturn-console-core/versions/69bb353/version.yml b/data/saturn-console-core/versions/69bb353/version.yml new file mode 100644 index 000000000..728a18568 --- /dev/null +++ b/data/saturn-console-core/versions/69bb353/version.yml @@ -0,0 +1,8 @@ +build: + classes: saturn-console-core/$mvn.default.classes + commands: + - mvn clean compile + src: saturn-console-core/src/main/java/ +misuses: +- '1' +revision: 69bb353d31e63ddf16f5fcf501c4873332f4c370 
diff --git a/data/secure-tcp/versions/aeba19a/version.yml b/data/secure-tcp/versions/aeba19a/version.yml index 1fae984e0..308b0875f 100644 --- a/data/secure-tcp/versions/aeba19a/version.yml +++ b/data/secure-tcp/versions/aeba19a/version.yml @@ -1,7 +1,7 @@ misuses: - '1' build: - classes: target/classes/ + classes: $mvn.default.classes commands: - mvn compile src: src/main/java/ diff --git a/data/smart/misuses/1/correct-usages/ConstructSecretKeySpec.java b/data/smart/misuses/1/correct-usages/ConstructSecretKeySpec.java new file mode 100644 index 000000000..37891a105 --- /dev/null +++ b/data/smart/misuses/1/correct-usages/ConstructSecretKeySpec.java @@ -0,0 +1,16 @@ +import javax.crypto.spec.SecretKeySpec; +import javax.crypto.SecretKeyFactory; +import javax.crypto.SecretKey; +import javax.crypto.spec.PBEKeySpec; +import java.security.NoSuchAlgorithmException; + +public class ConstructSecretKeySpec { + public void pattern(char[] password,byte[] salt,int iterationCount,int keylength,java.lang.String algorithm) throws Exception { + SecretKeyFactory skf = SecretKeyFactory.getInstance("PBEWithHmacSHA512AndAES_128"); + PBEKeySpec pbeks = new PBEKeySpec(password, salt, iterationCount, keylength); + SecretKey key = skf.generateSecret(pbeks); + byte[] keyMaterial = key.getEncoded(); + SecretKeySpec sks = new SecretKeySpec(keyMaterial, algorithm); + } +} + diff --git a/data/smart/misuses/1/misuse.yml b/data/smart/misuses/1/misuse.yml new file mode 100644 index 000000000..79cca781d --- /dev/null +++ b/data/smart/misuses/1/misuse.yml 
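Review bot: In `pattern` of ConstructSecretKeySpec.java, `key.getEncoded()` is taken from a key produced by `SecretKeyFactory.getInstance("PBEWithHmacSHA512AndAES_128")`; as far as I know the JDK's PBE key factories do not derive anything at that point and the encoding is the password bytes themselves, so `keyMaterial` would be the raw password and the salt, iteration count and key length would have no effect on it. For a file placed under correct-usages, a factory that performs the derivation is the safer template: `SecretKeyFactory.getInstance("PBKDF2WithHmacSHA512")`. I would also add `pbeks.clearPassword();` after `generateSecret` so the password copy does not stay in the spec. The same pattern is added again under misuses/6.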
@@ -0,0 +1,16 @@
+api:
+- javax.crypto.spec.SecretKeySpec
+violations:
+- insecure/condition/randomization
+description: >
+ First parameter while initializing the SecretKeySpec object was not properly randomized
+location:
+ file: com/smart/sso/server/util/AESUtils.java
+ method: "encrypt(String, String)"
+ line: 27
+internal: false
+pattern:
+crash: false
+source:
+ name: MSR 2019 Data Showcase A Dataset of Parametric Cryptographic Misuses by Wickert, Reif, Eichberg, Dodhy, and Mezini
+ url: https://github.com/akwick/MUBench/tree/thesis-2018-anam-dodhy
diff --git a/data/smart/misuses/2/correct-usages/ConstructIvParameterSpec.java b/data/smart/misuses/2/correct-usages/ConstructIvParameterSpec.java
new file mode 100644
index 000000000..2567b490d
--- /dev/null
+++ b/data/smart/misuses/2/correct-usages/ConstructIvParameterSpec.java
@@ -0,0 +1,11 @@
+import javax.crypto.spec.IvParameterSpec;
+import java.security.SecureRandom;
+
+public class ConstructIvParameterSpec {
+ public void pattern() {
+ SecureRandom iv = new SecureRandom();
+ byte bytes[] = new byte[100];
+ iv.nextBytes(bytes);
+ IvParameterSpec ips = new IvParameterSpec(bytes);
+ }
+}
diff --git a/data/smart/misuses/2/misuse.yml b/data/smart/misuses/2/misuse.yml
new file mode 100644
index 000000000..6e8109585
--- /dev/null
+++ b/data/smart/misuses/2/misuse.yml
@@ -0,0 +1,16 @@
+api:
+- javax.crypto.spec.IvParameterSpec
+violations:
+- insecure/condition/randomization
+description: >
+ First parameter while initializing the IvParameterSpec object was not properly randomized
+location:
+ file: com/smart/sso/server/util/AESUtils.java
+ method: "encrypt(String, String)"
+ line: 26
+internal: false
+pattern:
+crash: false
+source:
+ name: MSR 2019 Data Showcase A Dataset of Parametric Cryptographic Misuses by Wickert, Reif, Eichberg, Dodhy, and Mezini
+ url: https://github.com/akwick/MUBench/tree/thesis-2018-anam-dodhy
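Review bot: `byte bytes[] = new byte[100];` in ConstructIvParameterSpec.java builds a 100-byte IV, but the flagged code is in AESUtils.java, and for AES in CBC mode the IV has to be exactly one block, 16 bytes; `Cipher.init` rejects other lengths. A correct-usage file that cannot be initialised against the cipher it is meant for is a poor template, so I would size the buffer to the block: `byte[] bytes = new byte[16];`. Renaming the generator from `iv` to `random` would also stop the name suggesting that the SecureRandom object is the IV. The identical file is added under misuses/5 and misuses/7.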
diff --git a/data/smart/misuses/3/correct-usages/ConstrucCipher.java b/data/smart/misuses/3/correct-usages/ConstrucCipher.java
new file mode 100644
index 000000000..1e692d330
--- /dev/null
+++ b/data/smart/misuses/3/correct-usages/ConstrucCipher.java
@@ -0,0 +1,12 @@
+import javax.crypto.Cipher;
+import java.security.SecureRandom;
+import java.security.NoSuchAlgorithmException;
+import java.security.InvalidKeyException;
+
+public class ConstrucCipher {
+ public void pattern(java.security.Key key) throws Exception {
+ Cipher c = Cipher.getInstance("PBEWithHmacSHA224AndAES_128");
+ SecureRandom random = new SecureRandom();
+ c.init(Cipher.ENCRYPT_MODE, key, random);
+ }
+}
diff --git a/data/smart/misuses/3/misuse.yml b/data/smart/misuses/3/misuse.yml
new file mode 100644
index 000000000..4d1c81e11
--- /dev/null
+++ b/data/smart/misuses/3/misuse.yml
@@ -0,0 +1,16 @@
+api:
+- javax.crypto.Cipher
+violations:
+- insecure/condition/IV
+description: >
+ Third parameter while initializing the Cipher object was not properly preparedIV.
+location:
+ file: com/smart/sso/server/util/AESUtils.java
+ method: "encrypt(String, String)"
+ line: 30
+internal: false
+pattern:
+crash: false
+source:
+ name: MSR 2019 Data Showcase A Dataset of Parametric Cryptographic Misuses by Wickert, Reif, Eichberg, Dodhy, and Mezini
+ url: https://github.com/akwick/MUBench/tree/thesis-2018-anam-dodhy
diff --git a/data/smart/misuses/4/correct-usages/ConstrucCipher.java b/data/smart/misuses/4/correct-usages/ConstrucCipher.java
new file mode 100644
index 000000000..8853d2b90
--- /dev/null
+++ b/data/smart/misuses/4/correct-usages/ConstrucCipher.java
@@ -0,0 +1,14 @@
+import javax.crypto.Cipher;
+import javax.crypto.KeyGenerator;
+import javax.crypto.SecretKey;
+import java.security.SecureRandom;
+import java.security.NoSuchAlgorithmException;
+
+public class ConstrucCipher {
+ public void pattern(SecureRandom random) throws Exception {
+ KeyGenerator kg = KeyGenerator.getInstance("AES128");
+ SecretKey key = kg.generateKey();
+ Cipher c = Cipher.getInstance("PBEWithHmacSHA224AndAES_128");
+ c.init(Cipher.ENCRYPT_MODE, key, random);
+ }
+}
diff --git a/data/smart/misuses/4/misuse.yml b/data/smart/misuses/4/misuse.yml
new file mode 100644
index 000000000..7b7b11cf2
--- /dev/null
+++ b/data/smart/misuses/4/misuse.yml
@@ -0,0 +1,16 @@
+api:
+- javax.crypto.Cipher
+violations:
+- insecure/condition/key
+description: >
+ Second parameter while initializing the Cipher object was not properly generatedKey.
+location:
+ file: com/smart/sso/server/util/AESUtils.java
+ method: "encrypt(String, String)"
+ line: 30
+internal: false
+pattern:
+crash: false
+source:
+ name: MSR 2019 Data Showcase A Dataset of Parametric Cryptographic Misuses by Wickert, Reif, Eichberg, Dodhy, and Mezini
+ url: https://github.com/akwick/MUBench/tree/thesis-2018-anam-dodhy
diff --git a/data/smart/misuses/5/correct-usages/ConstructIvParameterSpec.java b/data/smart/misuses/5/correct-usages/ConstructIvParameterSpec.java
new file mode 100644
index 000000000..2567b490d
--- /dev/null
+++ b/data/smart/misuses/5/correct-usages/ConstructIvParameterSpec.java
@@ -0,0 +1,11 @@
+import javax.crypto.spec.IvParameterSpec;
+import java.security.SecureRandom;
+
+public class ConstructIvParameterSpec {
+ public void pattern() {
+ SecureRandom iv = new SecureRandom();
+ byte bytes[] = new byte[100];
+ iv.nextBytes(bytes);
+ IvParameterSpec ips = new IvParameterSpec(bytes);
+ }
+}
diff --git a/data/smart/misuses/5/misuse.yml b/data/smart/misuses/5/misuse.yml
new file mode 100644
index 000000000..ba9cf6b67
--- /dev/null
+++ b/data/smart/misuses/5/misuse.yml
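Review bot: `KeyGenerator.getInstance("AES128")` in the misuses/4 ConstrucCipher.java is not, as far as I can tell, a standard KeyGenerator algorithm name; the usual form is `KeyGenerator.getInstance("AES")` followed by `kg.init(128, random)`, which also puts the `random` parameter to use for key generation. The generated AES key is then handed to a `PBEWithHmacSHA224AndAES_128` cipher, and password-based ciphers expect a password-derived key, so this pattern would probably fail at `c.init` instead of showing a properly generated key. If the intent is a freshly generated key for the AES code in AESUtils.java, an explicit AES transformation such as `Cipher.getInstance("AES/GCM/NoPadding")` would match the key type.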
@@ -0,0 +1,16 @@
+api:
+- javax.crypto.spec.IvParameterSpec
+violations:
+- insecure/condition/randomization
+description: >
+ First parameter while initializing the IvParameterSpec object was not properly randomized.
+location:
+ file: com/smart/sso/server/util/AESUtils.java
+ method: "decrypt(String, String)"
+ line: 49
+internal: false
+pattern:
+crash: false
+source:
+ name: MSR 2019 Data Showcase A Dataset of Parametric Cryptographic Misuses by Wickert, Reif, Eichberg, Dodhy, and Mezini
+ url: https://github.com/akwick/MUBench/tree/thesis-2018-anam-dodhy
diff --git a/data/smart/misuses/6/correct-usages/ConstructSecretKeySpec.java b/data/smart/misuses/6/correct-usages/ConstructSecretKeySpec.java
new file mode 100644
index 000000000..5d5c572b3
--- /dev/null
+++ b/data/smart/misuses/6/correct-usages/ConstructSecretKeySpec.java
@@ -0,0 +1,16 @@
+import javax.crypto.spec.SecretKeySpec;
+import javax.crypto.SecretKeyFactory;
+import javax.crypto.spec.PBEKeySpec;
+import javax.crypto.SecretKey;
+import java.security.NoSuchAlgorithmException;
+import java.security.spec.InvalidKeySpecException;
+
+public class ConstructSecretKeySpec {
+ public void pattern(char[] password,byte[] salt,int iterationCount,int keylength,java.lang.String algorithm) throws Exception{
+ SecretKeyFactory skf = SecretKeyFactory.getInstance("PBEWithHmacSHA512AndAES_128");
+ PBEKeySpec pbeks = new PBEKeySpec(password, salt, iterationCount, keylength);
+ SecretKey key = skf.generateSecret(pbeks);
+ byte[] keyMaterial = key.getEncoded();
+ SecretKeySpec sks = new SecretKeySpec(keyMaterial, algorithm);
+ }
+}
diff --git a/data/smart/misuses/6/misuse.yml b/data/smart/misuses/6/misuse.yml
new file mode 100644
index 000000000..06316d3aa
--- /dev/null
+++ b/data/smart/misuses/6/misuse.yml
@@ -0,0 +1,16 @@
+api:
+- javax.crypto.spec.SecretKeySpec
+violations:
+- insecure/condition/randomization
+description: >
+ First parameter while initializing the SecretKeySpec object was not properly randomized.
+location:
+ file: com/smart/sso/server/util/AESUtils.java
+ method: "decrypt(String, String)"
+ line: 50
+internal: false
+pattern:
+crash: false
+source:
+ name: MSR 2019 Data Showcase A Dataset of Parametric Cryptographic Misuses by Wickert, Reif, Eichberg, Dodhy, and Mezini
+ url: https://github.com/akwick/MUBench/tree/thesis-2018-anam-dodhy
diff --git a/data/smart/misuses/7/correct-usages/ConstructIvParameterSpec.java b/data/smart/misuses/7/correct-usages/ConstructIvParameterSpec.java
new file mode 100644
index 000000000..2567b490d
--- /dev/null
+++ b/data/smart/misuses/7/correct-usages/ConstructIvParameterSpec.java
@@ -0,0 +1,11 @@
+import javax.crypto.spec.IvParameterSpec;
+import java.security.SecureRandom;
+
+public class ConstructIvParameterSpec {
+ public void pattern() {
+ SecureRandom iv = new SecureRandom();
+ byte bytes[] = new byte[100];
+ iv.nextBytes(bytes);
+ IvParameterSpec ips = new IvParameterSpec(bytes);
+ }
+}
diff --git a/data/smart/misuses/7/misuse.yml b/data/smart/misuses/7/misuse.yml
new file mode 100644
index 000000000..8eb1b6c46
--- /dev/null
+++ b/data/smart/misuses/7/misuse.yml
@@ -0,0 +1,16 @@
+api:
+- javax.crypto.Cipher
+violations:
+- insecure/condition/key
+description: >
+ Second parameter while initializing the Cipher object was not properly generatedKey.
+location:
+ file: com/smart/sso/server/util/AESUtils.java
+ method: "decrypt(String, String)"
+ line: 53
+internal: false
+pattern:
+crash: false
+source:
+ name: MSR 2019 Data Showcase A Dataset of Parametric Cryptographic Misuses by Wickert, Reif, Eichberg, Dodhy, and Mezini
+ url: https://github.com/akwick/MUBench/tree/thesis-2018-anam-dodhy
diff --git a/data/smart/misuses/8/correct-usages/ConstructMessageDigest.java b/data/smart/misuses/8/correct-usages/ConstructMessageDigest.java
new file mode 100644
index 000000000..d7a7ea147
--- /dev/null
+++ b/data/smart/misuses/8/correct-usages/ConstructMessageDigest.java
@@ -0,0 +1,8 @@
+import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
+
+public class ConstructMessageDigest {
+ public void pattern() throws Exception {
+ MessageDigest md = MessageDigest.getInstance("SHA-512");
+ }
+}
diff --git a/data/smart/misuses/8/misuse.yml b/data/smart/misuses/8/misuse.yml
new file mode 100644
index 000000000..fc33f4738
--- /dev/null
+++ b/data/smart/misuses/8/misuse.yml
@@ -0,0 +1,16 @@
+api:
+- java.security.MessageDigest
+violations:
+- insecure/condition/transformation
+description: >
+ First parameter in MessageDigest.getInstance(String) is with value "MD5" which should be any of {SHA-256, SHA-384, SHA-512}.
+location:
+ file: com/smart/sso/server/provider/PasswordProvider.java
+ method: "md5(String)"
+ line: 42
+internal: false
+pattern:
+crash: false
+source:
+ name: MSR 2019 Data Showcase A Dataset of Parametric Cryptographic Misuses by Wickert, Reif, Eichberg, Dodhy, and Mezini
+ url: https://github.com/akwick/MUBench/tree/thesis-2018-anam-dodhy
diff --git a/data/smart/project.yml b/data/smart/project.yml
new file mode 100644
index 000000000..c1ca0187c
--- /dev/null
+++ b/data/smart/project.yml
@@ -0,0 +1,5 @@
+name: smart
+repository:
+ type: git
+ url: https://github.com/a466350665/smart
+url: https://github.com/a466350665/smart
\ No newline at end of file
diff --git a/data/smart/versions/9e018a6/version.yml b/data/smart/versions/9e018a6/version.yml
new file mode 100644
index 000000000..2ad61f7b8
--- /dev/null
+++ b/data/smart/versions/9e018a6/version.yml
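Review bot: Swapping `"MD5"` for `MessageDigest.getInstance("SHA-512")` in ConstructMessageDigest.java clears the transformation rule, but the flagged call is `md5(String)` in PasswordProvider.java, which by its name looks like password hashing (the method body is not visible here). If so, a single unsalted pass of any fast digest is still a weak way to store passwords, and the correct usage would be better shown with a salted, iterated KDF such as `SecretKeyFactory.getInstance("PBKDF2WithHmacSHA512")`. At minimum I would add a comment to the pattern: `// digest choice only; for password storage use a salted, iterated KDF`.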
@@ -0,0 +1,15 @@ +build: + classes: smart-sso/smart-sso-server/$mvn.default.classes + commands: + - mvn clean compile + src: smart-sso/smart-sso-server/src/main/java/ +misuses: +- '1' +- '2' +- '3' +- '4' +- '5' +- '6' +- '7' +- '8' +revision: 9e018a6445a5ea1dcc7da98d5bf319d3c651486f diff --git a/data/spring-boot-quick/misuses/1/misuse.yml b/data/spring-boot-quick/misuses/1/misuse.yml new file mode 100644 index 000000000..f808ee737 --- /dev/null +++ b/data/spring-boot-quick/misuses/1/misuse.yml @@ -0,0 +1,15 @@ +api: +- java.security.MessageDigest +violations: +- insecure/condition/transformation +description: > + First parameter in MessageDigest.getInstance(string) is with value "MD5" which should be any of {SHA-256, SHA-384, SHA-512} +location: + file: com/quick/api/utils/MessageDigestUtil.java + method: "base64AndMD5(byte[])" + line: 45 +internal: false +pattern: +crash: false +source: + name: diff --git a/data/spring-boot-quick/misuses/2/misuse.yml b/data/spring-boot-quick/misuses/2/misuse.yml new file mode 100644 index 000000000..4349aed8c --- /dev/null +++ b/data/spring-boot-quick/misuses/2/misuse.yml @@ -0,0 +1,16 @@ +api: +- javax.crypto.spec.SecretKeySpec +violations: +- insecure/condition/randomization +description: > + First parameter of type SecretKeySpec in Mac.init(SecretKeySpec) was not properly randomized. +location: + file: com/quick/api/utils/SignUtil.java + method: "sign(String, String, String, Map, Map, Map, List)" + line: 47 +internal: false +pattern: +crash: false +source: + name: MSR 2019 Data Showcase A Dataset of Parametric Cryptographic Misuses by Wickert, Reif, Eichberg, Dodhy, and Mezini + url: https://github.com/akwick/MUBench/tree/thesis-2018-anam-dodhy diff --git a/data/spring-boot-quick/project.yml b/data/spring-boot-quick/project.yml new file mode 100644 index 000000000..fe687c7d5 --- /dev/null +++ b/data/spring-boot-quick/project.yml 
@@ -0,0 +1,5 @@ +name: spring-boot-quick +repository: + type: git + url: https://github.com/vector4wang/spring-boot-quick +url: https://github.com/vector4wang/spring-boot-quick \ No newline at end of file diff --git a/data/spring-boot-quick/versions/10c213e/version.yml b/data/spring-boot-quick/versions/10c213e/version.yml new file mode 100644 index 000000000..baf47362b --- /dev/null +++ b/data/spring-boot-quick/versions/10c213e/version.yml @@ -0,0 +1,9 @@ +build: + classes: quick-wx-api/$mvn.default.classes + commands: + - mvn compile + src: quick-wx-api/src/main/java/ +misuses: +- '1' +- '2' +revision: 10c213efa7e4a568d1ecefb7477d0d3d569c244e diff --git a/data/spring-boot-student/misuses/1/misuse.yml b/data/spring-boot-student/misuses/1/misuse.yml new file mode 100644 index 000000000..62430ba39 --- /dev/null +++ b/data/spring-boot-student/misuses/1/misuse.yml @@ -0,0 +1,15 @@ +api: +- javax.crypto.Cipher +violations: +- insecure/condition/transformation +description: > + First parameter in Cipher.getInstance(String) is with value "AES" which should be any of AES/{CBC, GCM, PCBC, CTR, CTS, CFB, OFB} +location: + file: com/xiaolyuh/utils/AESUtil.java + method: "decrypt(String, String)" + line: 100 +internal: false +pattern: +crash: false +source: + name: diff --git a/data/spring-boot-student/misuses/2/misuse.yml b/data/spring-boot-student/misuses/2/misuse.yml new file mode 100644 index 000000000..651bd834c --- /dev/null +++ b/data/spring-boot-student/misuses/2/misuse.yml 
@@ -0,0 +1,16 @@ +api: +- javax.crypto.Cipher +violations: +- insecure/condition/transformation +description: > + First parameter in Cipher.getInstance(String) is with value "AES" which should be any of AES/{CBC, GCM, PCBC, CTR, CTS, CFB, OFB} +location: + file: com/xiaolyuh/utils/AESUtil.java + method: "decrypt(byte[], String)" + line: 75 +internal: false +pattern: +crash: false +source: + name: MSR 2019 Data Showcase A Dataset of Parametric Cryptographic Misuses by Wickert, Reif, Eichberg, Dodhy, and Mezini + url: https://github.com/akwick/MUBench/tree/thesis-2018-anam-dodhy diff --git a/data/spring-boot-student/misuses/3/misuse.yml b/data/spring-boot-student/misuses/3/misuse.yml new file mode 100644 index 000000000..2ddc4d23b --- /dev/null +++ b/data/spring-boot-student/misuses/3/misuse.yml @@ -0,0 +1,16 @@ +api: +- javax.crypto.Cipher +violations: +- insecure/condition/transformation +description: > + First parameter in Cipher.getInstance(String) is with value "AES" which should be any of AES/{CBC, GCM, PCBC, CTR, CTS, CFB, OFB} +location: + file: com/xiaolyuh/utils/AESUtil.java + method: "encrypt(String, String)" + line: 18 +internal: false +pattern: +crash: false +source: + name: MSR 2019 Data Showcase A Dataset of Parametric Cryptographic Misuses by Wickert, Reif, Eichberg, Dodhy, and Mezini + url: https://github.com/akwick/MUBench/tree/thesis-2018-anam-dodhy diff --git a/data/spring-boot-student/misuses/4/misuse.yml b/data/spring-boot-student/misuses/4/misuse.yml new file mode 100644 index 000000000..c3dd57fec --- /dev/null +++ b/data/spring-boot-student/misuses/4/misuse.yml 
@@ -0,0 +1,16 @@ +api: +- javax.crypto.Cipher +violations: +- insecure/condition/transformation +description: > + First parameter in Cipher.getInstance(String) is with value "AES" which should be any of AES/{CBC, GCM, PCBC, CTR, CTS, CFB, OFB} +location: + file: com/xiaolyuh/utils/AESUtil.java + method: "encryptString(String, String)" + line: 46 +internal: false +pattern: +crash: false +source: + name: MSR 2019 Data Showcase A Dataset of Parametric Cryptographic Misuses by Wickert, Reif, Eichberg, Dodhy, and Mezini + url: https://github.com/akwick/MUBench/tree/thesis-2018-anam-dodhy diff --git a/data/spring-boot-student/misuses/5/misuse.yml b/data/spring-boot-student/misuses/5/misuse.yml new file mode 100644 index 000000000..9119111b0 --- /dev/null +++ b/data/spring-boot-student/misuses/5/misuse.yml @@ -0,0 +1,16 @@ +api: +- java.security.MessageDigest +violations: +- insecure/condition/transformation +description: > + First parameter in MessageDigest.getInstance(String) is with value "SHA" which should be any of {SHA-256, SHA-384, SHA-512} +location: + file: com/xiaolyuh/utils/EncodeUtil.java + method: "sha(String)" + line: 32 +internal: false +pattern: +crash: false +source: + name: MSR 2019 Data Showcase A Dataset of Parametric Cryptographic Misuses by Wickert, Reif, Eichberg, Dodhy, and Mezini + url: https://github.com/akwick/MUBench/tree/thesis-2018-anam-dodhy diff --git a/data/spring-boot-student/misuses/6/misuse.yml b/data/spring-boot-student/misuses/6/misuse.yml new file mode 100644 index 000000000..a01ae3120 --- /dev/null +++ b/data/spring-boot-student/misuses/6/misuse.yml 
@@ -0,0 +1,16 @@ +api: +- java.security.MessageDigest +violations: +- insecure/condition/transformation +description: > + First parameter in MessageDigest.getInstance(String) is with value "MD5" which should be any of {SHA-256, SHA-384, SHA-512} +location: + file: com/xiaolyuh/utils/EncodeUtil.java + method: "md5(String)" + line: 58 +internal: false +pattern: +crash: false +source: + name: MSR 2019 Data Showcase A Dataset of Parametric Cryptographic Misuses by Wickert, Reif, Eichberg, Dodhy, and Mezini + url: https://github.com/akwick/MUBench/tree/thesis-2018-anam-dodhy diff --git a/data/spring-boot-student/project.yml b/data/spring-boot-student/project.yml new file mode 100644 index 000000000..ed654029e --- /dev/null +++ b/data/spring-boot-student/project.yml @@ -0,0 +1,5 @@ +name: spring-boot-student +repository: + type: git + url: https://github.com/wyh-spring-ecosystem-student/spring-boot-student +url: https://github.com/wyh-spring-ecosystem-student/spring-boot-student \ No newline at end of file diff --git a/data/spring-boot-student/versions/3b10f43/version.yml b/data/spring-boot-student/versions/3b10f43/version.yml new file mode 100644 index 000000000..ef9a3cfdb --- /dev/null +++ b/data/spring-boot-student/versions/3b10f43/version.yml @@ -0,0 +1,13 @@ +build: + classes: spring-boot-student-encode/$mvn.default.classes + commands: + - mvn compile + src: spring-boot-student-encode/src/main/java/ +misuses: +- '1' +- '2' +- '3' +- '4' +- '5' +- '6' +revision: 3b10f430bdebeacc49c6b6d5f8e1a49c08175e63 diff --git a/data/symmetric-ds/misuses/1/misuse.yml b/data/symmetric-ds/misuses/1/misuse.yml new file mode 100644 index 000000000..c3b74e921 --- /dev/null +++ b/data/symmetric-ds/misuses/1/misuse.yml 
@@ -0,0 +1,16 @@ +api: +- javax.crypto.spec.PBEParameterSpec +violations: +- insecure/condition/iteration_count +description: > + Iteration count should be greater than 1000, here is it set to 3 +location: + file: symmetric-util/src/main/java/org/jumpmind/security/SecurityService.java + method: "initializeCipher(Cipher,int)" + line: 185 +internal: false +pattern: +crash: false +source: + name: MSR 2019 Data Showcase A Dataset of Parametric Cryptographic Misuses by Wickert, Reif, Eichberg, Dodhy, and Mezini + url: https://github.com/akwick/MUBench/tree/thesis-2018-anam-dodhy diff --git a/data/symmetric-ds/misuses/2/misuse.yml b/data/symmetric-ds/misuses/2/misuse.yml new file mode 100644 index 000000000..c2a7ab320 --- /dev/null +++ b/data/symmetric-ds/misuses/2/misuse.yml @@ -0,0 +1,16 @@ +api: +- javax.crypto.spec.PBEParameterSpec +violations: +- insecure/condition/randomization +description: > + First parameter while creating the PBEParameterSpec object i.e. SALT was not properly randomized +location: + file: symmetric-util/src/main/java/org/jumpmind/security/SecurityService.java + method: "initializeCipher(Cipher,int)" + line: 185 +internal: false +pattern: +crash: false +source: + name: MSR 2019 Data Showcase A Dataset of Parametric Cryptographic Misuses by Wickert, Reif, Eichberg, Dodhy, and Mezini + url: https://github.com/akwick/MUBench/tree/thesis-2018-anam-dodhy diff --git a/data/symmetric-ds/misuses/3/misuse.yml b/data/symmetric-ds/misuses/3/misuse.yml new file mode 100644 index 000000000..072281dca --- /dev/null +++ b/data/symmetric-ds/misuses/3/misuse.yml 
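Review bot: "greater than 1000" in the symmetric-ds misuse 1 description is the old PKCS #5 floor, and a reader may take it as the target value; current guidance for password-based key derivation is far higher and depends on the hash in use. I would phrase it as the minimum the rule checks, not a recommendation, and fix the word order at the same time: `Iteration count is set to 3; the rule requires more than 1000, and current guidance is considerably higher.`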
@@ -0,0 +1,16 @@ +api: +- javax.crypto.spec.PBEParameterSpec +violations: +- insecure/condition/randomization +description: > + First parameter while creating the PBEParameterSpec object i.e. SALT was not properly randomized +location: + file: symmetric-util/src/main/java/org/jumpmind/security/SecurityService.java + method: "initializeCipher(Cipher,int)" + line: 189 +internal: false +pattern: +crash: false +source: + name: MSR 2019 Data Showcase A Dataset of Parametric Cryptographic Misuses by Wickert, Reif, Eichberg, Dodhy, and Mezini + url: https://github.com/akwick/MUBench/tree/thesis-2018-anam-dodhy diff --git a/data/symmetric-ds/project.yml b/data/symmetric-ds/project.yml new file mode 100644 index 000000000..1282a283f --- /dev/null +++ b/data/symmetric-ds/project.yml @@ -0,0 +1,5 @@ +name: symmetric-ds +repository: + type: git + url: https://github.com/JumpMind/symmetric-ds +url: https://github.com/JumpMind/symmetric-ds \ No newline at end of file diff --git a/data/symmetric-ds/versions/c42f0e0/version.yml b/data/symmetric-ds/versions/c42f0e0/version.yml new file mode 100644 index 000000000..fa4177ba6 --- /dev/null +++ b/data/symmetric-ds/versions/c42f0e0/version.yml @@ -0,0 +1,10 @@ +build: + classes: symmetric-util/$gradle.default.classes + commands: + - cd symmetric-assemble & ./gradlew develop + src: symmetric-util/src/ +misuses: +- '1' +- '2' +- '3' +revision: c42f0e067b6f7761c81e8db7d19f953795e43a25 diff --git a/data/technic-launcher-sp/versions/7809682/version.yml b/data/technic-launcher-sp/versions/7809682/version.yml index bce1d41bd..6be173e83 100644 --- a/data/technic-launcher-sp/versions/7809682/version.yml +++ b/data/technic-launcher-sp/versions/7809682/version.yml @@ -1,8 +1,8 @@ build: - classes: target/classes/ + classes: $mvn.default.classes commands: - mvn compile src: src/main/java/ misuses: - '1' -revision: 7809682b89a569d82cc78e06c332a0510b182a8b \ No newline at end of file +revision: 7809682b89a569d82cc78e06c332a0510b182a8b 
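Review bot: The build command `cd symmetric-assemble & ./gradlew develop` in data/symmetric-ds/versions/c42f0e0/version.yml uses a single `&`, which in a POSIX shell runs `cd` as a background job and then starts `./gradlew develop` from the original directory, not from symmetric-assemble. If the build is meant to run inside that directory the entry should be `- cd symmetric-assemble && ./gradlew develop`, which also stops the build when the `cd` fails instead of running a wrapper from the wrong place. How the benchmark runner executes `commands` is not visible in this diff, so confirm the line is passed to a shell.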
diff --git a/data/telegram-server/misuses/1/misuse.yml b/data/telegram-server/misuses/1/misuse.yml
new file mode 100644
index 000000000..8ab24d10a
--- /dev/null
+++ b/data/telegram-server/misuses/1/misuse.yml
@@ -0,0 +1,16 @@
+api:
+- javax.crypto.Cipher
+violations:
+- insecure/condition/transformation
+description: >
+ First parameter (with value "RSA/ECB/nopadding") should be any of "RSA" with (emptyString, "ECB")
+location:
+ file: org/telegram/mtproto/secure/CryptoUtils.java
+ method: "RSA(byte[], BigInteger, BigInteger)"
+ line: 60
+internal: false
+pattern:
+crash: false
+source:
+ name: MSR 2019 Data Showcase A Dataset of Parametric Cryptographic Misuses by Wickert, Reif, Eichberg, Dodhy, and Mezini
+ url: https://github.com/akwick/MUBench/tree/thesis-2018-anam-dodhy
diff --git a/data/telegram-server/misuses/2/misuse.yml b/data/telegram-server/misuses/2/misuse.yml
new file mode 100644
index 000000000..a49f442ce
--- /dev/null
+++ b/data/telegram-server/misuses/2/misuse.yml
@@ -0,0 +1,16 @@
+api:
+- java.security.MessageDigest
+violations:
+- insecure/condition/transformation
+description: >
+ First parameter (with value "SHA-1") should be any of {SHA-256, SHA-384, SHA-512}
+location:
+ file: org/telegram/mtproto/secure/CryptoUtils.java
+ method: "initialValue()"
+ line: 42
+internal: false
+pattern:
+crash: false
+source:
+ name: MSR 2019 Data Showcase A Dataset of Parametric Cryptographic Misuses by Wickert, Reif, Eichberg, Dodhy, and Mezini
+ url: https://github.com/akwick/MUBench/tree/thesis-2018-anam-dodhy
diff --git a/data/telegram-server/misuses/3/misuse.yml b/data/telegram-server/misuses/3/misuse.yml
new file mode 100644
index 000000000..8cebbe83d
--- /dev/null
+++ b/data/telegram-server/misuses/3/misuse.yml
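Review bot: The description in telegram-server/misuses/1 lists the accepted values as "RSA" with (emptyString, "ECB") but never states what is wrong with the flagged value, which is the `nopadding` component. Unpadded RSA is deterministic and malleable, and the accepted forms are only safer because a bare "RSA" falls back to the provider's default padding, which the text leaves implicit. Suggest wording the entry as `Transformation "RSA/ECB/nopadding" disables padding; use a padded transformation such as "RSA/ECB/OAEPWithSHA-256AndMGF1Padding".` The same description is used for misuses 7 and 8.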
@@ -0,0 +1,16 @@
+api:
+- java.security.MessageDigest
+violations:
+- insecure/condition/transformation
+description: >
+ First parameter (with value "MD5") should be any of {SHA-256, SHA-384, SHA-512}
+location:
+ file: org/telegram/mtproto/secure/CryptoUtils.java
+ method: "initialValue()"
+ line: 29
+internal: false
+pattern:
+crash: false
+source:
+ name: MSR 2019 Data Showcase A Dataset of Parametric Cryptographic Misuses by Wickert, Reif, Eichberg, Dodhy, and Mezini
+ url: https://github.com/akwick/MUBench/tree/thesis-2018-anam-dodhy
diff --git a/data/telegram-server/misuses/4/misuse.yml b/data/telegram-server/misuses/4/misuse.yml
new file mode 100644
index 000000000..f636ce639
--- /dev/null
+++ b/data/telegram-server/misuses/4/misuse.yml
@@ -0,0 +1,16 @@
+api:
+- java.security.MessageDigest
+violations:
+- insecure/condition/transformation
+description: >
+ First parameter (with value "MD5") should be any of {SHA-256, SHA-384, SHA-512}
+location:
+ file: org/telegram/mtproto/secure/CryptoUtils.java
+ method: "MD5(byte[])"
+ line: 105
+internal: false
+pattern:
+crash: false
+source:
+ name: MSR 2019 Data Showcase A Dataset of Parametric Cryptographic Misuses by Wickert, Reif, Eichberg, Dodhy, and Mezini
+ url: https://github.com/akwick/MUBench/tree/thesis-2018-anam-dodhy
diff --git a/data/telegram-server/misuses/5/misuse.yml b/data/telegram-server/misuses/5/misuse.yml
new file mode 100644
index 000000000..fa6557f6f
--- /dev/null
+++ b/data/telegram-server/misuses/5/misuse.yml
@@ -0,0 +1,16 @@
+api:
+- java.security.MessageDigest
+violations:
+- insecure/condition/transformation
+description: >
+ First parameter (with value "SHA-1") should be any of {SHA-256, SHA-384, SHA-512}
+location:
+ file: org/telegram/mtproto/Utilities.java
+ method: "computeSHA1(byte[], int, int)"
+ line: 200
+internal: false
+pattern:
+crash: false
+source:
+ name: MSR 2019 Data Showcase A Dataset of Parametric Cryptographic Misuses by Wickert, Reif, Eichberg, Dodhy, and Mezini
+ url: https://github.com/akwick/MUBench/tree/thesis-2018-anam-dodhy
diff --git a/data/telegram-server/misuses/6/misuse.yml b/data/telegram-server/misuses/6/misuse.yml
new file mode 100644
index 000000000..be08e2ce9
--- /dev/null
+++ b/data/telegram-server/misuses/6/misuse.yml
@@ -0,0 +1,16 @@
+api:
+- java.security.MessageDigest
+violations:
+- insecure/condition/transformation
+description: >
+ First parameter (with value "SHA-1") should be any of {SHA-256, SHA-384, SHA-512}
+location:
+ file: org/telegram/mtproto/Utilities.java
+ method: "computeSHA1(ByteBuffer, int, int)"
+ line: 213
+internal: false
+pattern:
+crash: false
+source:
+ name: MSR 2019 Data Showcase A Dataset of Parametric Cryptographic Misuses by Wickert, Reif, Eichberg, Dodhy, and Mezini
+ url: https://github.com/akwick/MUBench/tree/thesis-2018-anam-dodhy
diff --git a/data/telegram-server/misuses/7/misuse.yml b/data/telegram-server/misuses/7/misuse.yml
new file mode 100644
index 000000000..338cb28e1
--- /dev/null
+++ b/data/telegram-server/misuses/7/misuse.yml
@@ -0,0 +1,16 @@
+api:
+- javax.crypto.Cipher
+violations:
+- insecure/condition/transformation
+description: >
+ First parameter (with value "RSA/ECB/nopadding") should be any of "RSA" with (emptyString, "ECB")
+location:
+ file: org/telegram/mtproto/Utilities.java
+ method: "encryptWithRSA(PublicKey, byte[])"
+ line: 262
+internal: false
+pattern:
+crash: false
+source:
+ name: MSR 2019 Data Showcase A Dataset of Parametric Cryptographic Misuses by Wickert, Reif, Eichberg, Dodhy, and Mezini
+ url: https://github.com/akwick/MUBench/tree/thesis-2018-anam-dodhy
diff --git a/data/telegram-server/misuses/8/misuse.yml b/data/telegram-server/misuses/8/misuse.yml
new file mode 100644
index 000000000..014b8083b
--- /dev/null
+++ b/data/telegram-server/misuses/8/misuse.yml
@@ -0,0 +1,16 @@
+api:
+- javax.crypto.Cipher
+violations:
+- insecure/condition/transformation
+description: >
+ First parameter (with value "RSA/ECB/nopadding") should be any of "RSA" with (emptyString, "ECB")
+location:
+ file: org/telegram/mtproto/Utilities.java
+ method: "decryptWithRSA(PrivateKey, byte[])"
+ line: 273
+internal: false
+pattern:
+crash: false
+source:
+ name: MSR 2019 Data Showcase A Dataset of Parametric Cryptographic Misuses by Wickert, Reif, Eichberg, Dodhy, and Mezini
+ url: https://github.com/akwick/MUBench/tree/thesis-2018-anam-dodhy
diff --git a/data/telegram-server/misuses/9/misuse.yml b/data/telegram-server/misuses/9/misuse.yml
new file mode 100644
index 000000000..51bed8227
--- /dev/null
+++ b/data/telegram-server/misuses/9/misuse.yml
@@ -0,0 +1,16 @@
+api:
+- java.security.MessageDigest
+violations:
+- insecure/condition/transformation
+description: >
+ First parameter (with value "MD5") should be any of {SHA-256, SHA-384, SHA-512}
+location:
+ file: org/telegram/mtproto/Utilities.java
+ method: "MD5(String)"
+ line: 326
+internal: false
+pattern:
+crash: false
+source:
+ name: MSR 2019 Data Showcase A Dataset of Parametric Cryptographic Misuses by Wickert, Reif, Eichberg, Dodhy, and Mezini
+ url: https://github.com/akwick/MUBench/tree/thesis-2018-anam-dodhy
diff --git a/data/telegram-server/project.yml b/data/telegram-server/project.yml
new file mode 100644
index 000000000..cf1d75b5c
--- /dev/null
+++ b/data/telegram-server/project.yml
@@ -0,0 +1,5 @@
+name: telegram-server
+repository:
+ type: git
+ url: https://github.com/aykutalparslan/Telegram-Server
+url: https://github.com/aykutalparslan/Telegram-Server
\ No newline at end of file
diff --git a/data/telegram-server/versions/25316b0/version.yml b/data/telegram-server/versions/25316b0/version.yml
new file mode 100644
index 000000000..20d1a3488
--- /dev/null
+++ b/data/telegram-server/versions/25316b0/version.yml
@@ -0,0 +1,16 @@
+build:
+ classes: Telegram-Server/$gradle.default.classes
+ commands:
+ - gradle compileJava
+ src: Telegram-Server/src/main/java
+misuses:
+- '1'
+- '2'
+- '3'
+- '4'
+- '5'
+- '6'
+- '7'
+- '8'
+- '9'
+revision: 25316b0951aa58f39a6237c4e0541e59273e9073
diff --git a/data/tls-attacker/misuses/1/misuse.yml b/data/tls-attacker/misuses/1/misuse.yml
new file mode 100644
index 000000000..4005274b9
--- /dev/null
+++ b/data/tls-attacker/misuses/1/misuse.yml
@@ -0,0 +1,16 @@
+api:
+- javax.crypto.spec.SecretKeySpec
+violations:
+- insecure/condition/randomization
+description: >
+ First parameter while creating SecretKeySpec object was not properly randomized
+location:
+ file: de/rub/nds/tlsattacker/core/crypto/PseudoRandomFunction.java
+ method: "computeTls12(byte[], String, byte[], int, String)"
+ line: 124
+internal: false
+pattern:
+crash: false
+source:
+ name: MSR 2019 Data Showcase A Dataset of Parametric Cryptographic Misuses by Wickert, Reif, Eichberg, Dodhy, and Mezini
+ url: https://github.com/akwick/MUBench/tree/thesis-2018-anam-dodhy
diff --git a/data/tls-attacker/misuses/10/misuse.yml b/data/tls-attacker/misuses/10/misuse.yml
new file mode 100644
index 000000000..984a311df
--- /dev/null
+++ b/data/tls-attacker/misuses/10/misuse.yml
@@ -0,0 +1,16 @@
+api:
+- javax.crypto.spec.SecretKeySpec
+violations:
+- insecure/condition/randomization
+description: >
+ First parameter while creating SecretKeySpec object was not properly randomized
+location:
+ file: de/rub/nds/tlsattacker/core/crypto/HKDFunction.java
+ method: "extract(HKDFAlgorithm, byte[], byte[])"
+ line: 81
+internal: false
+pattern:
+crash: false
+source:
+ name: MSR 2019 Data Showcase A Dataset of Parametric Cryptographic Misuses by Wickert, Reif, Eichberg, Dodhy, and Mezini
+ url: https://github.com/akwick/MUBench/tree/thesis-2018-anam-dodhy
diff --git a/data/tls-attacker/misuses/2/misuse.yml b/data/tls-attacker/misuses/2/misuse.yml
new file mode 100644
index 000000000..46f6a9b7c
--- /dev/null
+++ b/data/tls-attacker/misuses/2/misuse.yml
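Review bot: Misuses 1 and 10 record the SecretKeySpec key in PseudoRandomFunction.computeTls12 and HKDFunction.extract as "not properly randomized", but judging by the class and method names these look like the TLS 1.2 PRF and HKDF-Extract, where the HMAC key is a protocol-defined secret or salt handed in by the caller and cannot be generated randomly inside the method. The entries have no field saying whether a finding was confirmed by hand, so a consumer of the benchmark cannot tell analysis output from verified misuse. Consider extending `description` with a sentence such as `Key bytes come from a method parameter; origin not verified.` or leaving out entries that are uses by design. The Java sources are not part of this diff, so this is inferred from names only; misuses 2 to 9 carry the same description.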
@@ -0,0 +1,16 @@
+api:
+- javax.crypto.spec.SecretKeySpec
+violations:
+- insecure/condition/randomization
+description: >
+ First parameter while creating SecretKeySpec object was not properly randomized
+location:
+ file: de/rub/nds/tlsattacker/core/util/StaticTicketCrypto.java
+ method: "encrypt(CipherAlgorithm, byte[], byte[], byte[])"
+ line: 41
+internal: false
+pattern:
+crash: false
+source:
+ name: MSR 2019 Data Showcase A Dataset of Parametric Cryptographic Misuses by Wickert, Reif, Eichberg, Dodhy, and Mezini
+ url: https://github.com/akwick/MUBench/tree/thesis-2018-anam-dodhy
diff --git a/data/tls-attacker/misuses/3/misuse.yml b/data/tls-attacker/misuses/3/misuse.yml
new file mode 100644
index 000000000..768eee94c
--- /dev/null
+++ b/data/tls-attacker/misuses/3/misuse.yml
@@ -0,0 +1,16 @@
+api:
+- javax.crypto.spec.SecretKeySpec
+violations:
+- insecure/condition/randomization
+description: >
+ First parameter while creating SecretKeySpec object was not properly randomized
+location:
+ file: de/rub/nds/tlsattacker/core/util/StaticTicketCrypto.java
+ method: "decrypt(CipherAlgorithm, byte[], byte[], byte[])"
+ line: 58
+internal: false
+pattern:
+crash: false
+source:
+ name: MSR 2019 Data Showcase A Dataset of Parametric Cryptographic Misuses by Wickert, Reif, Eichberg, Dodhy, and Mezini
+ url: https://github.com/akwick/MUBench/tree/thesis-2018-anam-dodhy
diff --git a/data/tls-attacker/misuses/4/misuse.yml b/data/tls-attacker/misuses/4/misuse.yml
new file mode 100644
index 000000000..f5686b74a
--- /dev/null
+++ b/data/tls-attacker/misuses/4/misuse.yml
@@ -0,0 +1,16 @@
+api:
+- javax.crypto.spec.SecretKeySpec
+violations:
+- insecure/condition/randomization
+description: >
+ First parameter while creating SecretKeySpec object was not properly randomized
+location:
+ file: de/rub/nds/tlsattacker/core/util/StaticTicketCrypto.java
+ method: "generateHMAC(MacAlgorithm, byte[], byte[])"
+ line: 76
+internal: false
+pattern:
+crash: false
+source:
+ name: MSR 2019 Data Showcase A Dataset of Parametric Cryptographic Misuses by Wickert, Reif, Eichberg, Dodhy, and Mezini
+ url: https://github.com/akwick/MUBench/tree/thesis-2018-anam-dodhy
diff --git a/data/tls-attacker/misuses/5/misuse.yml b/data/tls-attacker/misuses/5/misuse.yml
new file mode 100644
index 000000000..9ce91ac40
--- /dev/null
+++ b/data/tls-attacker/misuses/5/misuse.yml
@@ -0,0 +1,16 @@
+api:
+- javax.crypto.spec.SecretKeySpec
+violations:
+- insecure/condition/randomization
+description: >
+ First parameter while creating SecretKeySpec object was not properly randomized
+location:
+ file: de/rub/nds/tlsattacker/core/crypto/cipher/JavaCipher.java
+ method: "encrypt(byte[], byte[], byte[])"
+ line: 52
+internal: false
+pattern:
+crash: false
+source:
+ name: MSR 2019 Data Showcase A Dataset of Parametric Cryptographic Misuses by Wickert, Reif, Eichberg, Dodhy, and Mezini
+ url: https://github.com/akwick/MUBench/tree/thesis-2018-anam-dodhy
diff --git a/data/tls-attacker/misuses/6/misuse.yml b/data/tls-attacker/misuses/6/misuse.yml
new file mode 100644
index 000000000..a63b6ea47
--- /dev/null
+++ b/data/tls-attacker/misuses/6/misuse.yml
@@ -0,0 +1,16 @@
+api:
+- javax.crypto.spec.SecretKeySpec
+violations:
+- insecure/condition/randomization
+description: >
+ First parameter while creating SecretKeySpec object was not properly randomized
+location:
+ file: de/rub/nds/tlsattacker/core/crypto/cipher/JavaCipher.java
+ method: "encrypt(byte[], byte[])"
+ line: 67
+internal: false
+pattern:
+crash: false
+source:
+ name: MSR 2019 Data Showcase A Dataset of Parametric Cryptographic Misuses by Wickert, Reif, Eichberg, Dodhy, and Mezini
+ url: https://github.com/akwick/MUBench/tree/thesis-2018-anam-dodhy
diff --git a/data/tls-attacker/misuses/7/misuse.yml b/data/tls-attacker/misuses/7/misuse.yml
new file mode 100644
index 000000000..074dfa60c
--- /dev/null
+++ b/data/tls-attacker/misuses/7/misuse.yml
@@ -0,0 +1,16 @@
+api:
+- javax.crypto.spec.SecretKeySpec
+violations:
+- insecure/condition/randomization
+description: >
+ First parameter while creating SecretKeySpec object was not properly randomized
+location:
+ file: de/rub/nds/tlsattacker/core/crypto/cipher/JavaCipher.java
+ method: "encrypt(byte[], byte[], int, byte[])"
+ line: 82
+internal: false
+pattern:
+crash: false
+source:
+ name: MSR 2019 Data Showcase A Dataset of Parametric Cryptographic Misuses by Wickert, Reif, Eichberg, Dodhy, and Mezini
+ url: https://github.com/akwick/MUBench/tree/thesis-2018-anam-dodhy
diff --git a/data/tls-attacker/misuses/8/misuse.yml b/data/tls-attacker/misuses/8/misuse.yml
new file mode 100644
index 000000000..5333e9434
--- /dev/null
+++ b/data/tls-attacker/misuses/8/misuse.yml
@@ -0,0 +1,16 @@
+api:
+- javax.crypto.spec.SecretKeySpec
+violations:
+- insecure/condition/randomization
+description: >
+ First parameter while creating SecretKeySpec object was not properly randomized
+location:
+ file: de/rub/nds/tlsattacker/core/crypto/cipher/JavaCipher.java
+ method: "encrypt(byte[], byte[], int, byte[], byte[])"
+ line: 98
+internal: false
+pattern:
+crash: false
+source:
+ name: MSR 2019 Data Showcase A Dataset of Parametric Cryptographic Misuses by Wickert, Reif, Eichberg, Dodhy, and Mezini
+ url: https://github.com/akwick/MUBench/tree/thesis-2018-anam-dodhy
diff --git a/data/tls-attacker/misuses/9/misuse.yml b/data/tls-attacker/misuses/9/misuse.yml
new file mode 100644
index 000000000..74ba69312
--- /dev/null
+++ b/data/tls-attacker/misuses/9/misuse.yml
@@ -0,0 +1,16 @@
+api:
+- javax.crypto.spec.SecretKeySpec
+violations:
+- insecure/condition/randomization
+description: >
+ First parameter while creating SecretKeySpec object was not properly randomized
+location:
+ file: de/rub/nds/tlsattacker/core/crypto/cipher/JavaCipher.java
+ method: "decrypt(byte[], byte[], byte[])"
+ line: 124
+internal: false
+pattern:
+crash: false
+source:
+ name: MSR 2019 Data Showcase A Dataset of Parametric Cryptographic Misuses by Wickert, Reif, Eichberg, Dodhy, and Mezini
+ url: https://github.com/akwick/MUBench/tree/thesis-2018-anam-dodhy
diff --git a/data/tls-attacker/project.yml b/data/tls-attacker/project.yml
new file mode 100644
index 000000000..c7fde4b70
--- /dev/null
+++ b/data/tls-attacker/project.yml
@@ -0,0 +1,5 @@
+name: tls-attacker
+repository:
+ type: git
+ url: https://github.com/RUB-NDS/TLS-Attacker
+url: https://github.com/RUB-NDS/TLS-Attacker
\ No newline at end of file
diff --git a/data/tls-attacker/versions/6d4de77/version.yml b/data/tls-attacker/versions/6d4de77/version.yml
new file mode 100644
index 000000000..cf4f7b3eb
--- /dev/null
+++ b/data/tls-attacker/versions/6d4de77/version.yml
@@ -0,0 +1,17 @@
+build:
+ classes: TLS-Core/$mvn.default.classes
+ commands:
+ - mvn clean compile
+ src: TLS-Core/src/main/java/
+misuses:
+- '1'
+- '2'
+- '3'
+- '4'
+- '5'
+- '6'
+- '7'
+- '8'
+- '9'
+- '10'
+revision: 6d4de771d4491c27aea9ec04a6078edd2059f636
diff --git a/data/vjtools/misuses/1/misuse.yml b/data/vjtools/misuses/1/misuse.yml
new file mode 100644
index 000000000..612242369
--- /dev/null
+++ b/data/vjtools/misuses/1/misuse.yml
@@ -0,0 +1,16 @@
+api:
+- javax.crypto.Cipher
+violations:
+- insecure/condition/transformation
+description: >
+ First parameter in Cipher getInstance(String) is with value "AES" which should be any of AES/{CBC, GCM, PCBC, CTR, CTS, CFB, OFB}.
+location:
+ file: com/vip/vjtools/vjkit/security/CryptoUtil.java
+ method: "aes(byte[], byte[], int)"
+ line: 134
+internal: false
+pattern:
+crash: false
+source:
+ name: MSR 2019 Data Showcase A Dataset of Parametric Cryptographic Misuses by Wickert, Reif, Eichberg, Dodhy, and Mezini
+ url: https://github.com/akwick/MUBench/tree/thesis-2018-anam-dodhy
diff --git a/data/vjtools/misuses/2/misuse.yml b/data/vjtools/misuses/2/misuse.yml
new file mode 100644
index 000000000..a4eaf79d7
--- /dev/null
+++ b/data/vjtools/misuses/2/misuse.yml
@@ -0,0 +1,16 @@
+api:
+- javax.crypto.KeyGenerator
+violations:
+- insecure/condition/transformation
+description: >
+ First parameter in KeyGenerator getInstance(String) is with value "HmacSHA1" which should be any of {AES, Blowfish, DESede, HmacSHA224, HmacSHA256, HmacSHA384, HmacSHA512}.
+location:
+ file: com/vip/vjtools/vjkit/security/CryptoUtil.java
+ method: "generateHmacSha1Key()"
+ line: 70
+internal: false
+pattern:
+crash: false
+source:
+ name: MSR 2019 Data Showcase A Dataset of Parametric Cryptographic Misuses by Wickert, Reif, Eichberg, Dodhy, and Mezini
+ url: https://github.com/akwick/MUBench/tree/thesis-2018-anam-dodhy
diff --git a/data/vjtools/project.yml b/data/vjtools/project.yml
new file mode 100644
index 000000000..d7d16d81e
--- /dev/null
+++ b/data/vjtools/project.yml
@@ -0,0 +1,5 @@
+name: vjtools
+repository:
+ type: git
+ url: https://github.com/vipshop/vjtools
+url: https://github.com/vipshop/vjtools
\ No newline at end of file
diff --git a/data/vjtools/versions/784be0a/version.yml b/data/vjtools/versions/784be0a/version.yml
new file mode 100644
index 000000000..bde3c29bc
--- /dev/null
+++ b/data/vjtools/versions/784be0a/version.yml
@@ -0,0 +1,9 @@
+build:
+ classes: vjkit/$mvn.default.classes
+ commands:
+ - mvn compile
+ src: vjkit/src/main/java/
+misuses:
+- '1'
+- '2'
+revision: 784be0ad9f39bb0f55bd9e656d6c18d4dfa80846
diff --git a/data/whatsmars/misuses/1/correct-usages/ConstructCipher.java b/data/whatsmars/misuses/1/correct-usages/ConstructCipher.java
new file mode 100644
index 000000000..76c1f2b7d
--- /dev/null
+++ b/data/whatsmars/misuses/1/correct-usages/ConstructCipher.java
@@ -0,0 +1,8 @@
+import javax.crypto.Cipher;
+import java.security.NoSuchAlgorithmException;
+
+public class ConstructCipher {
+ public void pattern() throws Exception{
+ Cipher c = Cipher.getInstance("PBEWithHmacSHA224AndAES_128");
+ }
+}
diff --git a/data/whatsmars/misuses/1/misuse.yml b/data/whatsmars/misuses/1/misuse.yml
new file mode 100644
index 000000000..e2f520abe
--- /dev/null
+++ b/data/whatsmars/misuses/1/misuse.yml
@@ -0,0 +1,16 @@
+api:
+- javax.crypto.Cipher
+violations:
+- insecure/condition/transformation
+description: >
+ First parameter in Cipher.getInstance(String) is with value "DES/ECB/PKCS5Padding" which should be any of {AES, Blowfish, DESede, PBEWithHmacSHA224AndAES_128, PBEWithHmacSHA256AndAES_128, PBEWithHmacSHA384AndAES_128, PBEWithHmacSHA512AndAES_128, PBEWithHmacSHA224AndAES_256, PBEWithHmacSHA256AndAES_256, PBEWithHmacSHA384AndAES_256, PBEWithHmacSHA512AndAES_256, RSA}
+location:
+ file: org/hongxi/whatsmars/common/util/DESUtils.java
+ method: "decrypt(byte[], byte[])"
+ line: 56
+internal: false
+pattern:
+crash: false
+source:
+ name: MSR 2019 Data Showcase A Dataset of Parametric Cryptographic Misuses by Wickert, Reif, Eichberg, Dodhy, and Mezini
+ url: https://github.com/akwick/MUBench/tree/thesis-2018-anam-dodhy
diff --git a/data/whatsmars/misuses/10/correct-usages/ConstructCipher.java b/data/whatsmars/misuses/10/correct-usages/ConstructCipher.java
new file mode 100644
index 000000000..2eeb8be5e
--- /dev/null
+++ b/data/whatsmars/misuses/10/correct-usages/ConstructCipher.java
@@ -0,0 +1,8 @@
+import javax.crypto.Cipher;
+import java.security.NoSuchAlgorithmException;
+
+public class ConstructCipher {
+ public void pattern() throws Exception{
+ Cipher c = Cipher.getInstance("PBEWithHmacSHA224AndAES_128");
+ }
+}
diff --git a/data/whatsmars/misuses/10/misuse.yml b/data/whatsmars/misuses/10/misuse.yml
new file mode 100644
index 000000000..41332de7e
--- /dev/null
+++ b/data/whatsmars/misuses/10/misuse.yml
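Review bot: The accepted set in the description of whatsmars/misuses/1 includes a bare `AES`, while vjtools/misuses/1 in this same commit records `Cipher.getInstance("AES")` as a misuse that must name a mode from AES/{CBC, GCM, PCBC, CTR, CTS, CFB, OFB}. A bare algorithm name leaves mode and padding to the provider default, which for AES on the stock JDK provider is ECB, so swapping the flagged "DES/ECB/PKCS5Padding" for `AES` would keep the ECB weakness the benchmark flags elsewhere. Suggest naming full transformations in the list, for example `AES/GCM/NoPadding`, so the two entries agree. The same list appears in whatsmars/misuses/3.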
@@ -0,0 +1,16 @@
+api:
+- javax.crypto.spec.SecretKeySpec
+violations:
+- insecure/condition/randomization
+description: >
+ First parameter while initializing SecretKeySpec was not properly randomized.
+location:
+ file: org/hongxi/whatsmars/common/util/AESUtils.java
+ method: "decrypt(byte[], byte[])"
+ line: 61
+internal: false
+pattern:
+crash: false
+source:
+ name: MSR 2019 Data Showcase A Dataset of Parametric Cryptographic Misuses by Wickert, Reif, Eichberg, Dodhy, and Mezini
+ url: https://github.com/akwick/MUBench/tree/thesis-2018-anam-dodhy
diff --git a/data/whatsmars/misuses/11/correct-usages/ConstructCipher.java b/data/whatsmars/misuses/11/correct-usages/ConstructCipher.java
new file mode 100644
index 000000000..2eeb8be5e
--- /dev/null
+++ b/data/whatsmars/misuses/11/correct-usages/ConstructCipher.java
@@ -0,0 +1,8 @@
+import javax.crypto.Cipher;
+import java.security.NoSuchAlgorithmException;
+
+public class ConstructCipher {
+ public void pattern() throws Exception{
+ Cipher c = Cipher.getInstance("PBEWithHmacSHA224AndAES_128");
+ }
+}
diff --git a/data/whatsmars/misuses/11/misuse.yml b/data/whatsmars/misuses/11/misuse.yml
new file mode 100644
index 000000000..d4103801e
--- /dev/null
+++ b/data/whatsmars/misuses/11/misuse.yml
@@ -0,0 +1,16 @@
+api:
+- javax.crypto.spec.SecretKeySpec
+violations:
+- insecure/condition/randomization
+description: >
+ First parameter while initializing SecretKeySpec was not properly randomized.
+location:
+ file: org/hongxi/whatsmars/common/util/AESUtils.java
+ method: "decrypt(byte[], byte[])"
+ line: 63
+internal: false
+pattern:
+crash: false
+source:
+ name: MSR 2019 Data Showcase A Dataset of Parametric Cryptographic Misuses by Wickert, Reif, Eichberg, Dodhy, and Mezini
+ url: https://github.com/akwick/MUBench/tree/thesis-2018-anam-dodhy
diff --git a/data/whatsmars/misuses/12/correct-usages/ConstructCipher.java b/data/whatsmars/misuses/12/correct-usages/ConstructCipher.java
new file mode 100644
index 000000000..b7d4ff570
--- /dev/null
+++ b/data/whatsmars/misuses/12/correct-usages/ConstructCipher.java
@@ -0,0 +1,14 @@
+import javax.crypto.Cipher;
+import javax.crypto.KeyGenerator;
+import javax.crypto.SecretKey;
+import java.security.SecureRandom;
+import java.security.NoSuchAlgorithmException;
+
+public class ConstructCipher {
+ public void pattern(SecureRandom random) throws Exception {
+ KeyGenerator kg = KeyGenerator.getInstance("AES128");
+ SecretKey key = kg.generateKey();
+ Cipher c = Cipher.getInstance("PBEWithHmacSHA224AndAES_128");
+ c.init(Cipher.ENCRYPT_MODE, key, random);
+ }
+}
diff --git a/data/whatsmars/misuses/12/misuse.yml b/data/whatsmars/misuses/12/misuse.yml
new file mode 100644
index 000000000..5ae40d329
--- /dev/null
+++ b/data/whatsmars/misuses/12/misuse.yml
@@ -0,0 +1,16 @@
+api:
+- javax.crypto.Cipher
+violations:
+- insecure/condition/key
+description: >
+ Second parameter while initializing Cipher was not properly generatedKey.
+location:
+ file: org/hongxi/whatsmars/common/util/AESUtils.java
+ method: "decrypt(byte[], byte[])"
+ line: 65
+internal: false
+pattern:
+crash: false
+source:
+ name: MSR 2019 Data Showcase A Dataset of Parametric Cryptographic Misuses by Wickert, Reif, Eichberg, Dodhy, and Mezini
+ url: https://github.com/akwick/MUBench/tree/thesis-2018-anam-dodhy
diff --git a/data/whatsmars/misuses/13/correct-usages/ConstructKeyGenerator.java b/data/whatsmars/misuses/13/correct-usages/ConstructKeyGenerator.java
new file mode 100644
index 000000000..1181ac019
--- /dev/null
+++ b/data/whatsmars/misuses/13/correct-usages/ConstructKeyGenerator.java
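Review bot: `KeyGenerator.getInstance("AES128")` in misuses/12/correct-usages/ConstructCipher.java is not among the KeyGenerator names this commit itself lists as valid in whatsmars/misuses/13 ({AES, Blowfish, DESede, HmacSHA224, ...}), and as far as I know the stock providers register only `AES`, so this "correct usage" would throw NoSuchAlgorithmException if it were run. The generated key is then passed to a `PBEWithHmacSHA224AndAES_128` cipher, which expects a password-based key with PBE parameters, not a raw AES key. Suggest `KeyGenerator kg = KeyGenerator.getInstance("AES"); kg.init(128);` with `Cipher c = Cipher.getInstance("AES/GCM/NoPadding");`, and dropping the unused `NoSuchAlgorithmException` import. The same file (same blob id) is added under misuses/2 and misuses/4.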
@@ -0,0 +1,8 @@
+import javax.crypto.KeyGenerator;
+import java.security.NoSuchAlgorithmException;
+
+public class ConstructKeyGenerator {
+ public void pattern() throws Exception{
+ KeyGenerator kg = KeyGenerator.getInstance("AES");
+ }
+}
diff --git a/data/whatsmars/misuses/13/misuse.yml b/data/whatsmars/misuses/13/misuse.yml
new file mode 100644
index 000000000..44e945bdc
--- /dev/null
+++ b/data/whatsmars/misuses/13/misuse.yml
@@ -0,0 +1,16 @@
+api:
+- javax.crypto.KeyGenerator
+violations:
+- insecure/condition/transformation
+description: >
+ First parameter in KeyGenerator.getInstance(String) is with value "AES/ECB/PKCS5Padding" which should be any of {AES, Blowfish, DESede, HmacSHA224, HmacSHA256, HmacSHA384, HmacSHA512}
+location:
+ file: org/hongxi/whatsmars/common/util/AESUtils.java
+ method: "genarateRandomKey()"
+ line: 115
+internal: false
+pattern:
+crash: false
+source:
+ name: MSR 2019 Data Showcase A Dataset of Parametric Cryptographic Misuses by Wickert, Reif, Eichberg, Dodhy, and Mezini
+ url: https://github.com/akwick/MUBench/tree/thesis-2018-anam-dodhy
diff --git a/data/whatsmars/misuses/2/correct-usages/ConstructCipher.java b/data/whatsmars/misuses/2/correct-usages/ConstructCipher.java
new file mode 100644
index 000000000..b7d4ff570
--- /dev/null
+++ b/data/whatsmars/misuses/2/correct-usages/ConstructCipher.java
@@ -0,0 +1,14 @@
+import javax.crypto.Cipher;
+import javax.crypto.KeyGenerator;
+import javax.crypto.SecretKey;
+import java.security.SecureRandom;
+import java.security.NoSuchAlgorithmException;
+
+public class ConstructCipher {
+ public void pattern(SecureRandom random) throws Exception {
+ KeyGenerator kg = KeyGenerator.getInstance("AES128");
+ SecretKey key = kg.generateKey();
+ Cipher c = Cipher.getInstance("PBEWithHmacSHA224AndAES_128");
+ c.init(Cipher.ENCRYPT_MODE, key, random);
+ }
+}
diff --git a/data/whatsmars/misuses/2/misuse.yml b/data/whatsmars/misuses/2/misuse.yml
new file mode 100644
index 000000000..9beac4fa8
--- /dev/null
+++ b/data/whatsmars/misuses/2/misuse.yml
@@ -0,0 +1,16 @@
+api:
+- javax.crypto.Cipher
+violations:
+- insecure/condition/key
+description: >
+ Second parameter while initializing Cipher was not properly generatedKey.
+location:
+ file: org/hongxi/whatsmars/common/util/DESUtils.java
+ method: "decrypt(byte[], byte[])"
+ line: 57
+internal: false
+pattern:
+crash: false
+source:
+ name: MSR 2019 Data Showcase A Dataset of Parametric Cryptographic Misuses by Wickert, Reif, Eichberg, Dodhy, and Mezini
+ url: https://github.com/akwick/MUBench/tree/thesis-2018-anam-dodhy
diff --git a/data/whatsmars/misuses/3/correct-usages/ConstructCipher.java b/data/whatsmars/misuses/3/correct-usages/ConstructCipher.java
new file mode 100644
index 000000000..0342d7f33
--- /dev/null
+++ b/data/whatsmars/misuses/3/correct-usages/ConstructCipher.java
@@ -0,0 +1,8 @@
+import javax.crypto.Cipher;
+import java.security.NoSuchAlgorithmException;
+
+public class ConstructCipher {
+ public void pattern() throws Exception{
+ Cipher c = Cipher.getInstance("PBEWithHmacSHA224AndAES_128");
+ }
+}
diff --git a/data/whatsmars/misuses/3/misuse.yml b/data/whatsmars/misuses/3/misuse.yml
new file mode 100644
index 000000000..0d6a81881
--- /dev/null
+++ b/data/whatsmars/misuses/3/misuse.yml
@@ -0,0 +1,16 @@
+api:
+- javax.crypto.Cipher
+violations:
+- insecure/condition/transformation
+description: >
+ First parameter in Cipher.getInstance(String) is with value "DES/ECB/PKCS5Padding" which should be any of {AES, Blowfish, DESede, PBEWithHmacSHA224AndAES_128, PBEWithHmacSHA256AndAES_128, PBEWithHmacSHA384AndAES_128, PBEWithHmacSHA512AndAES_128, PBEWithHmacSHA224AndAES_256, PBEWithHmacSHA256AndAES_256, PBEWithHmacSHA384AndAES_256, PBEWithHmacSHA512AndAES_256, RSA}
+location:
+ file: org/hongxi/whatsmars/common/util/DESUtils.java
+ method: "encrypt(byte[], byte[])"
+ line: 33
+internal: false
+pattern:
+crash: false
+source:
+ name: MSR 2019 Data Showcase A Dataset of Parametric Cryptographic Misuses by Wickert, Reif, Eichberg, Dodhy, and Mezini
+ url: https://github.com/akwick/MUBench/tree/thesis-2018-anam-dodhy
diff --git a/data/whatsmars/misuses/4/correct-usages/ConstructCipher.java b/data/whatsmars/misuses/4/correct-usages/ConstructCipher.java
new file mode 100644
index 000000000..b7d4ff570
--- /dev/null
+++ b/data/whatsmars/misuses/4/correct-usages/ConstructCipher.java
@@ -0,0 +1,14 @@
+import javax.crypto.Cipher;
+import javax.crypto.KeyGenerator;
+import javax.crypto.SecretKey;
+import java.security.SecureRandom;
+import java.security.NoSuchAlgorithmException;
+
+public class ConstructCipher {
+ public void pattern(SecureRandom random) throws Exception {
+ KeyGenerator kg = KeyGenerator.getInstance("AES128");
+ SecretKey key = kg.generateKey();
+ Cipher c = Cipher.getInstance("PBEWithHmacSHA224AndAES_128");
+ c.init(Cipher.ENCRYPT_MODE, key, random);
+ }
+}
diff --git a/data/whatsmars/misuses/4/misuse.yml b/data/whatsmars/misuses/4/misuse.yml
new file mode 100644
index 000000000..3025596b2
--- /dev/null
+++ b/data/whatsmars/misuses/4/misuse.yml
@@ -0,0 +1,16 @@
+api:
+- javax.crypto.Cipher
+violations:
+- insecure/condition/key
+description: >
+ Second parameter while initializing Cipher was not properly generatedKey.
+location:
+ file: org/hongxi/whatsmars/common/util/DESUtils.java
+ method: "encrypt(byte[], byte[])"
+ line: 34
+internal: false
+pattern:
+crash: false
+source:
+ name: MSR 2019 Data Showcase A Dataset of Parametric Cryptographic Misuses by Wickert, Reif, Eichberg, Dodhy, and Mezini
+ url: https://github.com/akwick/MUBench/tree/thesis-2018-anam-dodhy
diff --git a/data/whatsmars/misuses/5/correct-usages/ConstructCipher.java b/data/whatsmars/misuses/5/correct-usages/ConstructCipher.java
new file mode 100644
index 000000000..2eeb8be5e
--- /dev/null
+++ b/data/whatsmars/misuses/5/correct-usages/ConstructCipher.java
@@ -0,0 +1,8 @@
+import javax.crypto.Cipher;
+import java.security.NoSuchAlgorithmException;
+
+public class ConstructCipher {
+ public void pattern() throws Exception{
+ Cipher c = Cipher.getInstance("PBEWithHmacSHA224AndAES_128");
+ }
+}
diff --git a/data/whatsmars/misuses/5/misuse.yml b/data/whatsmars/misuses/5/misuse.yml
new file mode 100644
index 000000000..475ed3dff
--- /dev/null
+++ b/data/whatsmars/misuses/5/misuse.yml
@@ -0,0 +1,16 @@
+api:
+- javax.crypto.Cipher
+violations:
+- insecure/condition/transformation
+description: >
+ First parameter in Cipher.getInstance(String) is with value "AES/ECB/PKCS5Padding" which should be any of AES/{CBC, GCM, PCBC, CTR, CTS, CFB, OFB}.
+location:
+ file: org/hongxi/whatsmars/common/util/AESUtils.java
+ method: "encrypt(byte[], byte[])"
+ line: 38
+internal: false
+pattern:
+crash: false
+source:
+ name: MSR 2019 Data Showcase A Dataset of Parametric Cryptographic Misuses by Wickert, Reif, Eichberg, Dodhy, and Mezini
+ url: https://github.com/akwick/MUBench/tree/thesis-2018-anam-dodhy
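Review bot: The correct usage added for misuses/5 calls `Cipher.getInstance("PBEWithHmacSHA224AndAES_128")`, which is not one of the transformations the accompanying misuse.yml names as the fix for `AES/ECB/PKCS5Padding` (AES/{CBC, GCM, PCBC, CTR, CTS, CFB, OFB}). An example such as `Cipher c = Cipher.getInstance("AES/GCM/NoPadding");` would match the description and show an authenticated mode. The same pairing appears in misuses/9, and `import java.security.NoSuchAlgorithmException;` is unused in both files.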
diff --git a/data/whatsmars/misuses/6/correct-usages/ConstructSecretKeySpec.java b/data/whatsmars/misuses/6/correct-usages/ConstructSecretKeySpec.java
new file mode 100644
index 000000000..9a55dd33d
--- /dev/null
+++ b/data/whatsmars/misuses/6/correct-usages/ConstructSecretKeySpec.java
@@ -0,0 +1,17 @@
+import javax.crypto.spec.SecretKeySpec;
+import javax.crypto.SecretKeyFactory;
+import javax.crypto.SecretKey;
+import javax.crypto.spec.PBEKeySpec;
+import java.security.NoSuchAlgorithmException;
+import java.security.spec.InvalidKeySpecException;
+
+public class ConstructSecretKeySpec {
+ public void pattern(char[] password,byte[] salt,int iterationCount,int keylength,java.lang.String algorithm) throws Exception {
+ SecretKeyFactory skf = SecretKeyFactory.getInstance("PBEWithHmacSHA512AndAES_128");
+ PBEKeySpec pbeks = new PBEKeySpec(password, salt, iterationCount, keylength);
+ SecretKey key = skf.generateSecret(pbeks);
+ byte[] keyMaterial = key.getEncoded();
+ SecretKeySpec sks = new SecretKeySpec(keyMaterial, algorithm);
+ }
+}
+
diff --git a/data/whatsmars/misuses/6/misuse.yml b/data/whatsmars/misuses/6/misuse.yml
new file mode 100644
index 000000000..ce7881669
--- /dev/null
+++ b/data/whatsmars/misuses/6/misuse.yml
@@ -0,0 +1,16 @@
+api:
+- javax.crypto.spec.SecretKeySpec
+violations:
+- insecure/condition/randomization
+description: >
+ First parameter while initializing SecretKeySpec was not properly randomized.
+location:
+ file: org/hongxi/whatsmars/common/util/AESUtils.java
+ method: "encrypt(byte[], byte[])"
+ line: 37
+internal: false
+pattern:
+crash: false
+source:
+ name: MSR 2019 Data Showcase A Dataset of Parametric Cryptographic Misuses by Wickert, Reif, Eichberg, Dodhy, and Mezini
+ url: https://github.com/akwick/MUBench/tree/thesis-2018-anam-dodhy
diff --git a/data/whatsmars/misuses/7/correct-usages/ConstructCipher.java b/data/whatsmars/misuses/7/correct-usages/ConstructCipher.java
new file mode 100644
index 000000000..b7d4ff570
--- /dev/null
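Review bot: In misuses/6/correct-usages/ConstructSecretKeySpec.java the key material comes from `key.getEncoded()` on a key produced by `SecretKeyFactory.getInstance("PBEWithHmacSHA512AndAES_128")`. As far as I know, with the SunJCE provider that factory returns a key whose encoding is the password bytes themselves, because the derivation for the PBEWith... algorithms happens later inside the cipher, so the resulting `SecretKeySpec` would not hold a salted, iterated key. To obtain derived bytes I would use `SecretKeyFactory.getInstance("PBKDF2WithHmacSHA512")` with the same `PBEKeySpec`. This matters here because the entry the file accompanies is about key material that is not properly randomized. The copy under misuses/8 has the same line.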
+++ b/data/whatsmars/misuses/7/correct-usages/ConstructCipher.java
@@ -0,0 +1,14 @@
+import javax.crypto.Cipher;
+import javax.crypto.KeyGenerator;
+import javax.crypto.SecretKey;
+import java.security.SecureRandom;
+import java.security.NoSuchAlgorithmException;
+
+public class ConstructCipher {
+ public void pattern(SecureRandom random) throws Exception {
+ KeyGenerator kg = KeyGenerator.getInstance("AES128");
+ SecretKey key = kg.generateKey();
+ Cipher c = Cipher.getInstance("PBEWithHmacSHA224AndAES_128");
+ c.init(Cipher.ENCRYPT_MODE, key, random);
+ }
+}
diff --git a/data/whatsmars/misuses/7/misuse.yml b/data/whatsmars/misuses/7/misuse.yml
new file mode 100644
index 000000000..51edc6251
--- /dev/null
+++ b/data/whatsmars/misuses/7/misuse.yml
@@ -0,0 +1,16 @@
+api:
+- javax.crypto.Cipher
+violations:
+- insecure/condition/key
+description: >
+ Second parameter while initializing Cipher was not properly generatedKey.
+location:
+ file: org/hongxi/whatsmars/common/util/AESUtils.java
+ method: "encrypt(byte[], byte[])"
+ line: 39
+internal: false
+pattern:
+crash: false
+source:
+ name: MSR 2019 Data Showcase A Dataset of Parametric Cryptographic Misuses by Wickert, Reif, Eichberg, Dodhy, and Mezini
+ url: https://github.com/akwick/MUBench/tree/thesis-2018-anam-dodhy
diff --git a/data/whatsmars/misuses/8/correct-usages/ConstructSecretKeySpec.java b/data/whatsmars/misuses/8/correct-usages/ConstructSecretKeySpec.java
new file mode 100644
index 000000000..819eb3833
--- /dev/null
+++ b/data/whatsmars/misuses/8/correct-usages/ConstructSecretKeySpec.java
@@ -0,0 +1,17 @@
+import javax.crypto.spec.SecretKeySpec;
+import javax.crypto.SecretKeyFactory;
+import javax.crypto.SecretKey;
+import javax.crypto.spec.PBEKeySpec;
+import java.security.NoSuchAlgorithmException;
+import java.security.spec.InvalidKeySpecException;
+
+public class ConstructSecretKeySpec {
+ public void pattern(char[] password,byte[] salt,int iterationCount,int keylength,java.lang.String algorithm) throws Exception{
+ SecretKeyFactory skf = SecretKeyFactory.getInstance("PBEWithHmacSHA512AndAES_128");
+ PBEKeySpec pbeks = new PBEKeySpec(password, salt, iterationCount, keylength);
+ SecretKey key = skf.generateSecret(pbeks);
+ byte[] keyMaterial = key.getEncoded();
+ SecretKeySpec sks = new SecretKeySpec(keyMaterial, algorithm);
+ }
+}
+
diff --git a/data/whatsmars/misuses/8/misuse.yml b/data/whatsmars/misuses/8/misuse.yml
new file mode 100644
index 000000000..43baf2e2a
--- /dev/null
+++ b/data/whatsmars/misuses/8/misuse.yml
@@ -0,0 +1,16 @@
+api:
+- javax.crypto.spec.SecretKeySpec
+violations:
+- insecure/condition/randomization
+description: >
+ First parameter while initializing SecretKeySpec was not properly randomized.
+location:
+ file: org/hongxi/whatsmars/common/util/AESUtils.java
+ method: "encrypt(byte[], byte[])"
+ line: 35
+internal: false
+pattern:
+crash: false
+source:
+ name: MSR 2019 Data Showcase A Dataset of Parametric Cryptographic Misuses by Wickert, Reif, Eichberg, Dodhy, and Mezini
+ url: https://github.com/akwick/MUBench/tree/thesis-2018-anam-dodhy
diff --git a/data/whatsmars/misuses/9/correct-usages/ConstructCipher.java b/data/whatsmars/misuses/9/correct-usages/ConstructCipher.java
new file mode 100644
index 000000000..2eeb8be5e
--- /dev/null
+++ b/data/whatsmars/misuses/9/correct-usages/ConstructCipher.java
@@ -0,0 +1,8 @@
+import javax.crypto.Cipher;
+import java.security.NoSuchAlgorithmException;
+
+public class ConstructCipher {
+ public void pattern() throws Exception{
+ Cipher c = Cipher.getInstance("PBEWithHmacSHA224AndAES_128");
+ }
+}
diff --git a/data/whatsmars/misuses/9/misuse.yml b/data/whatsmars/misuses/9/misuse.yml
new file mode 100644
index 000000000..b9fa03d76
--- /dev/null
+++ b/data/whatsmars/misuses/9/misuse.yml
@@ -0,0 +1,16 @@
+api:
+- javax.crypto.Cipher
+violations:
+- insecure/condition/transformation
+description: >
+ First parameter in Cipher.getInstance(String) is with value "AES/ECB/PKCS5Padding" which should be any of AES/{CBC, GCM, PCBC, CTR, CTS, CFB, OFB}.
+location:
+ file: org/hongxi/whatsmars/common/util/AESUtils.java
+ method: "decrypt(byte[], byte[])"
+ line: 64
+internal: false
+pattern:
+crash: false
+source:
+ name: MSR 2019 Data Showcase A Dataset of Parametric Cryptographic Misuses by Wickert, Reif, Eichberg, Dodhy, and Mezini
+ url: https://github.com/akwick/MUBench/tree/thesis-2018-anam-dodhy
diff --git a/data/whatsmars/project.yml b/data/whatsmars/project.yml
new file mode 100644
index 000000000..a6bc7fe33
--- /dev/null
+++ b/data/whatsmars/project.yml
@@ -0,0 +1,5 @@
+name: whatsmars
+repository:
+ type: git
+ url: https://github.com/javahongxi/whatsmars
+url: https://github.com/javahongxi/whatsmars
\ No newline at end of file
diff --git a/data/whatsmars/versions/917b029/version.yml b/data/whatsmars/versions/917b029/version.yml
new file mode 100644
index 000000000..7532e02ab
--- /dev/null
+++ b/data/whatsmars/versions/917b029/version.yml
@@ -0,0 +1,20 @@
+build:
+ classes: whatsmars-common/$mvn.default.classes
+ commands:
+ - mvn clean compile
+ src: whatsmars-common/src/main/java/
+misuses:
+- '1'
+- '2'
+- '3'
+- '4'
+- '5'
+- '6'
+- '7'
+- '8'
+- '9'
+- '10'
+- '11'
+- '12'
+- '13'
+revision: 917b0290e38b93c25b33d49be6f338c625288899
diff --git a/data/yapps/versions/1ae52b0/version.yml b/data/yapps/versions/1ae52b0/version.yml index 017d8ba1a..fd2fc0ec0 100644 --- a/data/yapps/versions/1ae52b0/version.yml +++ b/data/yapps/versions/1ae52b0/version.yml @@ -1,8 +1,8 @@ build: - classes: target/classes/ + classes: $mvn.default.classes commands: - mvn compile src: src/main/java/ misuses: - '1' -revision: 1ae52b0055c40b3287529492f21a62c9c5bfd766 \ No newline at end of file +revision: 1ae52b0055c40b3287529492f21a62c9c5bfd766 diff --git a/data/zheng/misuses/1/misuse.yml b/data/zheng/misuses/1/misuse.yml new file mode 100644 index 000000000..c55a1cf47 --- /dev/null +++ b/data/zheng/misuses/1/misuse.yml @@ -0,0 +1,16 @@ +api: +- javax.crypto.Cipher +violations: +- insecure/condition/transformation +description: > + First parameter in Cipher.getInstance(String) is with value "AES" which should be any of AES/{CBC, GCM, PCBC, CTR, CTS, CFB, OFB}. +location: + file: com/zheng/common/util/AESUtil.java + method: "aesDecode(String)" + line: 101 +internal: false +pattern: +crash: false +source: + name: MSR 2019 Data Showcase A Dataset of Parametric Cryptographic Misuses by Wickert, Reif, Eichberg, Dodhy, and Mezini + url: https://github.com/akwick/MUBench/tree/thesis-2018-anam-dodhy diff --git a/data/zheng/misuses/2/misuse.yml b/data/zheng/misuses/2/misuse.yml new file mode 100644 index 000000000..cfe3133e9 --- /dev/null +++ b/data/zheng/misuses/2/misuse.yml 
@@ -0,0 +1,16 @@
+api:
+- javax.crypto.Cipher
+violations:
+- insecure/condition/transformation
+description: >
+ First parameter in Cipher.getInstance(String) is with value "AES" which should be any of AES/{CBC, GCM, PCBC, CTR, CTS, CFB, OFB}.
+location:
+ file: com/zheng/common/util/AESUtil.java
+ method: "aesEncode(String)"
+ line: 47
+internal: false
+pattern:
+crash: false
+source:
+ name: MSR 2019 Data Showcase A Dataset of Parametric Cryptographic Misuses by Wickert, Reif, Eichberg, Dodhy, and Mezini
+ url: https://github.com/akwick/MUBench/tree/thesis-2018-anam-dodhy
diff --git a/data/zheng/misuses/3/misuse.yml b/data/zheng/misuses/3/misuse.yml
new file mode 100644
index 000000000..57916e400
--- /dev/null
+++ b/data/zheng/misuses/3/misuse.yml
@@ -0,0 +1,16 @@
+api:
+- java.security.MessageDigest
+violations:
+- insecure/condition/transformation
+description: >
+ First parameter in MessageDigest.getInstance(String) is with value "MD5" which should be any of {SHA-256, SHA-384, SHA-512}.
+location:
+ file: com/zheng/common/util/MD5Util.java
+ method: "md5(String)"
+ line: 20
+internal: false
+pattern:
+crash: false
+source:
+ name: MSR 2019 Data Showcase A Dataset of Parametric Cryptographic Misuses by Wickert, Reif, Eichberg, Dodhy, and Mezini
+ url: https://github.com/akwick/MUBench/tree/thesis-2018-anam-dodhy
diff --git a/data/zheng/project.yml b/data/zheng/project.yml
new file mode 100644
index 000000000..a46903ee8
--- /dev/null
+++ b/data/zheng/project.yml
@@ -0,0 +1,5 @@
+name: zheng
+repository:
+ type: git
+ url: https://github.com/shuzheng/zheng
+url: https://github.com/shuzheng/zheng
\ No newline at end of file
diff --git a/data/zheng/versions/11f2e86/version.yml b/data/zheng/versions/11f2e86/version.yml
new file mode 100644
index 000000000..f4fd7be2f
--- /dev/null
+++ b/data/zheng/versions/11f2e86/version.yml
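Review bot: The `description` for zheng/misuses/3 gives {SHA-256, SHA-384, SHA-512} as the replacement for `MD5` in `md5(String)` without saying what the digest is used for. MD5Util is not shown here, so this is a guess, but if the method hashes passwords or other low-entropy secrets, a plain SHA-2 digest is still the wrong primitive. I would add one sentence to the description, for example `For password storage use a salted, iterated KDF instead of a plain digest.`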
@@ -0,0 +1,10 @@ +build: + classes: zheng-common/$mvn.default.classes + commands: + - mvn clean compile + src: zheng-common/src/main/java/ +misuses: +- '1' +- '2' +- '3' +revision: 11f2e86e9a1cec80cd1a1e41f270d7e2da6ee781 diff --git a/detectors/Findbugs/configs/core-all-api-misuses.xml b/detectors/Findbugs/configs/core-all-api-misuses.xml index b8625fb4b..8360e4108 100644 --- a/detectors/Findbugs/configs/core-all-api-misuses.xml +++ b/detectors/Findbugs/configs/core-all-api-misuses.xml @@ -1,158 +1,158 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/detectors/Findbugs/configs/security-api-misuses.xml b/detectors/Findbugs/configs/security-api-misuses.xml new file mode 100644 index 000000000..4d82878e6 --- /dev/null +++ b/detectors/Findbugs/configs/security-api-misuses.xml @@ -0,0 +1,56 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + \ No newline at end of file