From 128b6834bf50a75b551d8e7aac131cbfb779fd13 Mon Sep 17 00:00:00 2001
From: Antonio Aversa
Date: Thu, 1 May 2025 17:45:01 +0200
Subject: [PATCH 1/3] DART-262 Modify rule S2245: Add Dart language

---
 rules/S2245/dart/metadata.json | 29 +++++++++++++++++++++
 rules/S2245/dart/rule.adoc | 47 ++++++++++++++++++++++++++++++++++
 2 files changed, 76 insertions(+)
 create mode 100644 rules/S2245/dart/metadata.json
 create mode 100644 rules/S2245/dart/rule.adoc

diff --git a/rules/S2245/dart/metadata.json b/rules/S2245/dart/metadata.json
new file mode 100644
index 00000000000..0496ddd6502
--- /dev/null
+++ b/rules/S2245/dart/metadata.json
@@ -0,0 +1,29 @@
+{
+ "securityStandards": {
+ "CWE": [
+ 326,
+ 330,
+ 338,
+ 1241
+ ],
+ "OWASP": [
+ "A3"
+ ],
+ "OWASP Mobile": [
+ "M5"
+ ],
+ "OWASP Mobile Top 10 2024": [
+ "M10"
+ ],
+ "MASVS": [
+ "MSTG-CRYPTO-6"
+ ],
+ "OWASP Top 10 2021": [
+ "A2"
+ ],
+ "ASVS 4.0": [
+ "6.2.4"
+ ]
+ },
+ "quickfix": "unknown"
+}
diff --git a/rules/S2245/dart/rule.adoc b/rules/S2245/dart/rule.adoc
new file mode 100644
index 00000000000..2e6ae22c1d3
--- /dev/null
+++ b/rules/S2245/dart/rule.adoc
@@ -0,0 +1,47 @@
+include::../description.adoc[]
+
+include::../ask-yourself.adoc[]
+
+include::../recommended.adoc[]
+
+== Sensitive Code Example
+
+[source,dart,diff-id=1,diff-type=noncompliant]
+----
+import 'dart:math';
+
+final random = Random(); // Noncompliant: Random() is not a secure random number generator
+final randomByte = random.nextInt(256);
+----
+
+== Compliant Solution
+
+[source,dart,diff-id=1,diff-type=compliant]
+----
+import 'dart:math';
+
+final random = Random.secure(); // Compliant: Random.secure() is a secure random number generator
+final randomByte = random.nextInt(256);
+----
+
+include::../see.adoc[]
+
+* OWASP - https://mas.owasp.org/checklists/MASVS-CRYPTO/[Mobile AppSec Verification Standard - Cryptography Requirements]
+* OWASP - https://owasp.org/www-project-mobile-top-10/2016-risks/m5-insufficient-cryptography[Mobile Top 10 2016 Category M5 - Insufficient Cryptography]
+* OWASP - https://owasp.org/www-project-mobile-top-10/2023-risks/m10-insufficient-cryptography[Mobile Top 10 2024 Category M10 - Insufficient Cryptography]
+
+ifdef::env-github,rspecator-view[]
+
+'''
+== Implementation Specification
+(visible only on this page)
+
+include::../message.adoc[]
+
+'''
+== Comments And Links
+(visible only on this page)
+
+include::../comments-and-links.adoc[]
+
+endif::env-github,rspecator-view[]

From b1c0e01006ee26b0a867ea58c514520ead1c5892 Mon Sep 17 00:00:00 2001
From: Antonio Aversa
Date: Mon, 5 May 2025 18:15:34 +0200
Subject: [PATCH 2/3] Update rules/S2245/dart/rule.adoc

Co-authored-by: Egon Okerman
---
 rules/S2245/dart/rule.adoc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/S2245/dart/rule.adoc b/rules/S2245/dart/rule.adoc
index 2e6ae22c1d3..3351f359d16 100644
--- a/rules/S2245/dart/rule.adoc
+++ b/rules/S2245/dart/rule.adoc
@@ -10,7 +10,7 @@ include::../recommended.adoc[]
 ----
 import 'dart:math';
 
-final random = Random(); // Noncompliant: Random() is not a secure random number generator
+final random = Random(); // Sensitive - Random() is not a secure random number generator
 final randomByte = random.nextInt(256);
 ----
 

From 2d2daecbbdea95b98e57c070fa111ba3b7c73070 Mon Sep 17 00:00:00 2001
From: Antonio Aversa
Date: Mon, 5 May 2025 18:15:47 +0200
Subject: [PATCH 3/3] Update rules/S2245/dart/rule.adoc

Co-authored-by: Egon Okerman
---
 rules/S2245/dart/rule.adoc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/S2245/dart/rule.adoc b/rules/S2245/dart/rule.adoc
index 3351f359d16..b6ec5430907 100644
--- a/rules/S2245/dart/rule.adoc
+++ b/rules/S2245/dart/rule.adoc
@@ -20,7 +20,7 @@ final randomByte = random.nextInt(256);
 ----
 import 'dart:math';
 
-final random = Random.secure(); // Compliant: Random.secure() is a secure random number generator
+final random = Random.secure();
 final randomByte = random.nextInt(256);
 ----