diff --git a/rules/S4790/dart/metadata.json b/rules/S4790/dart/metadata.json
new file mode 100644
index 00000000000..462bec773f2
--- /dev/null
+++ b/rules/S4790/dart/metadata.json
@@ -0,0 +1,32 @@
+{
+ "securityStandards": {
+ "CWE": [
+ 1240
+ ],
+ "OWASP": [
+ "A3",
+ "A6"
+ ],
+ "OWASP Mobile": [
+ "M5"
+ ],
+ "OWASP Mobile Top 10 2024": [
+ "M10"
+ ],
+ "MASVS": [
+ "MSTG-CRYPTO-4"
+ ],
+ "OWASP Top 10 2021": [
+ "A2"
+ ],
+ "PCI DSS 3.2": [
+ "3.4",
+ "6.5.3",
+ "6.5.4"
+ ],
+ "PCI DSS 4.0": [
+ "6.2.4"
+ ]
+ },
+ "quickfix": "unknown"
+}
diff --git a/rules/S4790/dart/rule.adoc b/rules/S4790/dart/rule.adoc
new file mode 100644
index 00000000000..d8bc81b97bc
--- /dev/null
+++ b/rules/S4790/dart/rule.adoc
@@ -0,0 +1,85 @@
+include::../description.adoc[]
+
+include::../ask-yourself.adoc[]
+
+include::../recommended.adoc[]
+
+== Sensitive Code Example
+
+https://pub.dev/packages/crypto[crypto package]:
+
+[source,dart,diff-id=1,diff-type=noncompliant]
+----
+import 'package:crypto/crypto.dart';
+
+final digest = sha1.convert(input).bytes; // Sensitive
+----
+
+https://pub.dev/packages/pointycastle[pointycastle package]:
+
+[source,dart,diff-id=2,diff-type=noncompliant]
+----
+import 'package:pointycastle/export.dart';
+
+final digest = Digest('SHA-1'); // Sensitive
+----
+
+https://pub.dev/packages/cryptography[cryptography package]:
+
+[source,dart,diff-id=3,diff-type=noncompliant]
+----
+import 'package:cryptography/cryptography.dart';
+
+final digest = Sha1(); // Sensitive
+----
+
+== Compliant Solution
+
+https://pub.dev/packages/crypto[crypto package]:
+
+[source,dart,diff-id=1,diff-type=compliant]
+----
+import 'package:crypto/crypto.dart';
+
+final digest = sha256.convert(input).bytes; // Compliant
+----
+
+https://pub.dev/packages/pointycastle[pointycastle package]:
+
+[source,dart,diff-id=2,diff-type=compliant]
+----
+import 'package:pointycastle/export.dart';
+
+final digest = Digest('SHA-256'); // Compliant
+----
+
+https://pub.dev/packages/cryptography[cryptography package]:
+
+[source,dart,diff-id=3,diff-type=compliant]
+----
+import 'package:cryptography/cryptography.dart';
+
+final digest = Sha256(); // Compliant
+----
+
+include::../see.adoc[]
+
+ifdef::env-github,rspecator-view[]
+
+'''
+== Implementation Specification
+(visible only on this page)
+
+include::../message.adoc[]
+
+=== Highlighting
+
+The constant or constructor invocation (e.g. `sha1` in `sha1.convert(...)` and `Digest('SHA-1')` in `final digest1 = Digest('SHA-1')`).
+
+'''
+== Comments And Links
+(visible only on this page)
+
+include::../comments-and-links.adoc[]
+
+endif::env-github,rspecator-view[]
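Review bot: The Sensitive examples and the Highlighting spec only cover SHA-1 (the `sha1` constant, the `Digest('SHA-1')` registry string and `Sha1()`), while the shared description this page includes lists MD2/MD4/MD5/RIPEMD-160 and now HMAC-MD5/HMAC-SHA1 as well, and each library spells those differently (`md5` and `Hmac(sha1, key)` in `crypto`, `Digest('MD5')` and, as far as I recall, direct `MD5Digest()`/`SHA1Digest()` constructors in `pointycastle`, a `Sha1()` handed to the `Hmac` constructor in `cryptography`). The page should state which of these forms the Dart implementation detects so the rule is not read as SHA-1-only; a sentence under Highlighting such as `The hash constant, registry name string or digest constructor naming a weak algorithm, including when it is passed to an HMAC constructor.` would cover it. Because the pointycastle form keys on a string literal, `Digest(name)` with a non-literal name will presumably not be flagged, which is worth recording as a known gap. Separately, `final digest1 = Digest('SHA-1')` in the Highlighting text does not match the example's `final digest = Digest('SHA-1')`.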
diff --git a/rules/S4790/description.adoc b/rules/S4790/description.adoc
index 21ee27f6c6b..1d88bcc1722 100644
--- a/rules/S4790/description.adoc
+++ b/rules/S4790/description.adoc
@@ -1 +1,3 @@
-Cryptographic hash algorithms such as ``++MD2++``, ``++MD4++``, ``++MD5++``, ``++MD6++``, ``++HAVAL-128++``, ``++HMAC-MD5++``, ``++DSA++`` (which uses ``++SHA-1++``), ``++RIPEMD++``, ``++RIPEMD-128++``, ``++RIPEMD-160++``, ``++HMACRIPEMD160++`` and ``++SHA-1++`` are no longer considered secure, because it is possible to have ``++collisions++`` (little computational effort is enough to find two or more different inputs that produce the same hash).
+Cryptographic hash algorithms such as ``++MD2++``, ``++MD4++``, ``++MD5++``, ``++MD6++``, ``++HAVAL-128++``, ``++DSA++`` (which uses ``++SHA-1++``), ``++RIPEMD++``, ``++RIPEMD-128++``, ``++RIPEMD-160++``and ``++SHA-1++`` are no longer considered secure, because it is possible to have ``++collisions++`` (little computational effort is enough to find two or more different inputs that produce the same hash).
+
+Message authentication code (MAC) algorithms such as ``++HMAC-MD5++`` or ``++HMAC-SHA1++`` use weak hash functions as building blocks. Although they are not all proven to be weak, they are considered legacy algorithms and should be avoided.
\ No newline at end of file
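Review bot: The rewritten first line lost the space before `and` after the RIPEMD-160 token (it now reads `++RIPEMD-160++``and`), so the two render as one run; the separator should be restored. The new MAC paragraph's justification is also vaguer than it needs to be: HMAC's security does not rest on collision resistance, so HMAC-MD5 and HMAC-SHA1 are not broken by the collision attacks the paragraph above cites, and the honest reason to flag them is that they are built on hashes current guidance has deprecated, e.g. `HMAC-MD5 and HMAC-SHA1 are not broken by those collision attacks, but they are built on deprecated hash functions and are treated as legacy; prefer HMAC-SHA256 or stronger.`. Since this file is included by every language's S4790 page, dropping `HMACRIPEMD160` from the list and adding the HMAC paragraph changes the documented scope for all implementations, not just Dart, so it is worth confirming the other analyzers actually report HMAC-SHA1 before the text promises it. `DSA` is a signature scheme rather than a hash algorithm and arguably does not belong in a list headed "Cryptographic hash algorithms", though that wording predates this change.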