checkers(java): adding yaml based checkers to identify vulnerable patterns in Java code

checkers/java/active-debug-code.test.java

@@ -0,0 +1,44 @@
+public class ActiveDebugCode{
+
+    public void bad(){
+        StackTraceElement[] elements;
+
+        Exception e = new Exception();
+        elements = e.getStackTrace();
+
+        // <expect-error>
+        System.err.print(elements);
+    }
+
+    public void bad2(){
+        StackTraceElement[] elements;
+        elements = Thread.currentThread().getStackTrace();
+
+        // <expect-error>
+        System.err.print(elements);
+    }
+
+    public void bad3(){
+        StackTraceElement[] elements;
+        elements = new Throwable().getStackTrace();
+
+        // <expect-error>
+        System.err.print(elements);
+    }
+
+    public void bad4(){
+        // <expect-error>
+        System.out.println(org.apache.commons.lang3.exception.ExceptionUtils.getStackTrace(e));
+        // <expect-error>
+        System.out.println(org.apache.commons.lang3.exception.ExceptionUtils.getFullStackTrace(e));
+    }
+
+    public void alsobad(){
+        for (StackTraceElement ste : Thread.currentThread().getStackTrace()) {
+            // <expect-error>
+            System.out.println(ste);
+        }
+    }
+
+}
+

checkers/java/active-debug-code.yml

@@ -0,0 +1,40 @@
+language: java
+name: active_debug_code
+message: "Possible active debug code detected. This may expose sensitive information to attackers."
+category: security
+severity: warning
+
+pattern: >
+  (expression_statement
+    (method_invocation
+      object: (field_access 
+        object: (identifier) @object_name
+        field: (identifier) @field_name
+      )
+      name: (identifier) @method_name
+    )
+    (#eq? @object_name "System")
+    (#any-of? @field_name "out" "err")
+    (#any-of? @method_name "println" "printf" "format" "write" "print")
+    )@active_debug_code
+
+
+exclude:
+  - "tests/**"
+  - "vendor/**"
+  - "**/Test_*.java"
+  - "**/*Test.java"
+
+description: >
+  Possible active debug code detected. Deploying an application with debug code can create unintended entry points or expose sensitive information. Debug code like System.out.println() statements should be removed before deploying to production as they may leak sensitive data like stack traces, system information, or application state to potential attackers.
+
+  Remediation:
+  ```java
+  // Before - Debug code that could leak information
+  System.out.println("User data: " + userData);
+  System.err.println(exception.getStackTrace());
+
+  // After - Use proper logging with appropriate log levels
+  logger.debug("User data: {}", userData);
+  logger.error("Exception occurred", exception);
+  ```

checkers/java/blowfish-insufficient-key-size.test.java

@@ -0,0 +1,26 @@
+public class Cls {
+
+    public void unsafeKeySize() {
+        KeyGenerator keyGen = KeyGenerator.getInstance("Blowfish");
+        // <expect-error>
+        keyGen.init(64);
+    }
+
+    public void safeKeySize() {
+        // ok
+        KeyGenerator keyGen = KeyGenerator.getInstance("Blowfish");
+        keyGen.init(128);
+    }
+
+    public void superSafeKeySize() {
+        // ok
+        KeyGenerator keyGen = KeyGenerator.getInstance("Blowfish");
+        keyGen.init(448);
+    }
+
+    public void invalidKeySize() {
+        // ok
+        KeyGenerator keyGen = KeyGenerator.getInstance("Blowfish");
+        keyGen.init(-1);
+    }
+}

checkers/java/blowfish-insufficient-key-size.yml

@@ -0,0 +1,60 @@
+language: java
+name: blowfish_insufficient_key_size
+message: "Use 128 bits or more for Blowfish encryption, or switch to use AES instead"
+category: security
+severity: warning
+
+pattern: >
+  (
+    (local_variable_declaration
+      type: (type_identifier) @type
+      declarator: (variable_declarator
+        name: (identifier) 
+        value: (method_invocation
+                object: (identifier)
+                name: (identifier) @method_name
+                arguments: (argument_list
+                  (string_literal
+                    (string_fragment) @arg) 
+                  )
+                )
+              ) 
+        )
+      )
+    (expression_statement
+      (method_invocation
+        object: (identifier) @variable
+        name: (identifier) @init
+        arguments: (argument_list
+          (decimal_integer_literal) @size))
+    (#eq? @type "KeyGenerator")
+    (#eq? @method_name "getInstance") 
+    (#eq? @arg "Blowfish")
+    (#eq? @init "init")
+    (#match? @size "^(?:[0-9]|[1-9][0-9]|1[01][0-9]|12[0-7])$")
+  )@blowfish_insufficient_key_size
+exclude:
+  - "tests/**"
+  - "vendor/**"
+  - "**/Test_*.java"
+  - "**/*Test.java"
+
+description: >
+  Using a key size of less than 128 bits for Blowfish encryption is cryptographically weak and susceptible to brute-force attacks. Modern cryptographic standards recommend a key size of at least 128 bits for symmetric ciphers like Blowfish to ensure adequate security.
+
+  Vulnerabilities arise because shorter keys can be cracked with moderate computational resources, compromising the confidentiality of the encrypted data.
+
+  Remediation:
+  Increase the key size to 128 bits or more. Alternatively, consider migrating to a stronger and more modern encryption algorithm like AES (Advanced Encryption Standard) with a key size of 128, 192, or 256 bits.
+
+  Example (using 128-bit key with Blowfish):
+  ```java
+  KeyGenerator keyGen = KeyGenerator.getInstance("Blowfish");
+  keyGen.init(128); 
+  ```
+
+  Example (migrating to AES):
+  ```java
+  KeyGenerator keyGen = KeyGenerator.getInstance("AES");
+  keyGen.init(256); // Or 128, 192
+  ```