
Implement static code analysis rule to analyse weak encryption algorithm usage#602

Merged
daneshk merged 2 commits into ballerina-platform:master from nureka-rodrigo:master
Jun 30, 2025

Conversation


@nureka-rodrigo nureka-rodrigo commented Jun 18, 2025

Purpose

Fixes: ballerina-platform/ballerina-library#7940

Description

  1. The analyzer is triggered when a FUNCTION_CALL node is encountered in the syntax tree.

  2. It checks for a QualifiedNameReferenceNode with any prefixes used for the crypto module (both default crypto and any custom prefixes) and identifier encryptAesEcb or encryptAesCbc.

  3. On match, the analyzer reports the vulnerability.

Checklist

  • Linked to an issue
  • Updated the changelog
  • Added tests
  • Updated the spec
  • Checked native-image compatibility
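As an added illustration (not the PR's Java compiler-plugin code), the following Python sketch mirrors the rule's logic over plain source text instead of the syntax tree: it collects every prefix under which ballerina/crypto is imported (the default `crypto` prefix or an `as` alias), then flags qualified calls to encryptAesEcb or encryptAesCbc under those prefixes only. The import pattern, the naive comment stripping and the three Ballerina snippets are constructed for this example; the real analyzer matches QualifiedNameReferenceNode children of FUNCTION_CALL nodes.

```python
import re

# Constructed assumption: a crypto import is written either as
# `import ballerina/crypto;` or `import ballerina/crypto as <prefix>;`.
CRYPTO_IMPORT_RE = re.compile(
    r"^\s*import\s+ballerina/crypto(?:\s+as\s+([A-Za-z_][A-Za-z0-9_]*))?\s*;",
    re.MULTILINE,
)

# The two identifiers the rule reports: ECB leaks block-level patterns and
# CBC is unauthenticated, so both are flagged as weak modes.
WEAK_CIPHER_FUNCTIONS = ("encryptAesEcb", "encryptAesCbc")


def crypto_prefixes(source):
    """Return the set of prefixes under which ballerina/crypto is imported."""
    return {m.group(1) or "crypto" for m in CRYPTO_IMPORT_RE.finditer(source)}


def find_weak_cipher_calls(source):
    """Return (line, prefix, function) for every qualified call to a weak cipher."""
    prefixes = crypto_prefixes(source)
    if not prefixes:
        # Without a crypto import, `crypto:...` cannot refer to this module.
        return []
    call_re = re.compile(
        r"\b(" + "|".join(map(re.escape, sorted(prefixes))) + r"):("
        + "|".join(WEAK_CIPHER_FUNCTIONS) + r")\s*\("
    )
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        # Naive line-comment stripping (does not understand `//` inside strings).
        code = line.split("//", 1)[0]
        for m in call_re.finditer(code):
            findings.append((lineno, m.group(1), m.group(2)))
    return findings


# Constructed sample 1: default prefix, one GCM call that must not be flagged,
# one commented-out call that must not be flagged.
SAMPLE_DEFAULT_PREFIX = """\
import ballerina/crypto;

public function main() returns error? {
    byte[] key = [];  // constructed placeholder, not a real key
    byte[] iv = [];   // constructed placeholder
    byte[] data = "hello".toBytes();
    byte[] ecb = check crypto:encryptAesEcb(data, key);
    byte[] cbc = check crypto:encryptAesCbc(data, key, iv);
    byte[] gcm = check crypto:encryptAesGcm(data, key, iv);
    // byte[] legacy = check crypto:encryptAesEcb(data, key);
}
"""

# Constructed sample 2: custom import prefix.
SAMPLE_ALIAS_PREFIX = """\
import ballerina/crypto as c;

function seal(byte[] data, byte[] key, byte[] iv) returns byte[]|error {
    return c:encryptAesCbc(data, key, iv);
}
"""

# Constructed sample 3: no crypto import, so the string literal is not a call.
SAMPLE_NO_CRYPTO = """\
import ballerina/io;

public function main() {
    io:println("crypto:encryptAesEcb(");
}
"""

if __name__ == "__main__":
    for name, src in (("default", SAMPLE_DEFAULT_PREFIX),
                      ("alias", SAMPLE_ALIAS_PREFIX),
                      ("none", SAMPLE_NO_CRYPTO)):
        for lineno, prefix, func in find_weak_cipher_calls(src):
            print(f"{name}:{lineno}: weak cipher call {prefix}:{func}")
```

Running the block prints one line per finding: two for the default-prefix sample, one for the alias sample and none for the third. The prefix set is what makes the alias case work; a scanner that hard-codes `crypto:` would miss `c:encryptAesCbc`.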


codecov bot commented Jun 18, 2025

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 82.22%. Comparing base (1d81d01) to head (dabb094).
Report is 3 commits behind head on master.

Additional details and impacted files
@@            Coverage Diff            @@
##             master     #602   +/-   ##
=========================================
  Coverage     82.22%   82.22%           
  Complexity      239      239           
=========================================
  Files            29       29           
  Lines          1367     1367           
  Branches        190      190           
=========================================
  Hits           1124     1124           
  Misses          197      197           
  Partials         46       46           


@keizer619 keizer619 requested a review from Copilot June 20, 2025 01:51

Copilot AI left a comment


Pull Request Overview

This PR implements a static code analysis rule to flag the use of weak encryption algorithms (AES ECB/CBC) in Ballerina code. It updates configuration files, defines a new rule in the rules configuration, refactors the crypto rule into an enum, and adds a corresponding analyzer and tests to enforce the rule.

Reviewed Changes

Copilot reviewed 15 out of 15 changed files in this pull request and generated 1 comment.

Summary per file:
  • gradle.properties: Bumps the version for the balScan dependency.
  • compiler-plugin/src/main/resources/rules.json: Introduces a new vulnerability rule for weak encryption algorithm usage.
  • compiler-plugin/src/main/java/io/ballerina/stdlib/crypto/compiler/staticcodeanalyzer/CryptoRule.java: Refactors the crypto rule into an enum for better organization.
  • compiler-plugin/src/main/java/io/ballerina/stdlib/crypto/compiler/staticcodeanalyzer/CryptoCodeAnalyzer.java: Sets up the analyzer to trigger on function call syntax nodes.
  • compiler-plugin/src/main/java/io/ballerina/stdlib/crypto/compiler/staticcodeanalyzer/CryptoCipherAlgorithmAnalyzer.java: Implements the logic to detect weak cipher function invocations and scan import declarations.
  • compiler-plugin/src/main/java/io/ballerina/stdlib/crypto/compiler/CryptoCompilerPlugin.java: Updates the compiler plugin to register the new code analyzer using the scanner context.
  • Remaining test files: Add test cases and expected outputs to validate the rule's behavior.


@daneshk daneshk left a comment


LGTM

@daneshk daneshk merged commit 1bcade7 into ballerina-platform:master Jun 30, 2025
8 checks passed

Development

Successfully merging this pull request may close these issues.

Implement static analysis rule "Encryption algorithms should be used with secure mode and padding scheme" in Crypto module

2 participants