ballerina-platform · ThisaruGuruge · Sep 18, 2025 · Sep 10, 2025 · Sep 10, 2025 · Sep 11, 2025
@@ -35,8 +35,8 @@ dependencies {
     testImplementation group: 'org.ballerinalang', name: 'ballerina-parser', version: "${ballerinaLangVersion}"
     testImplementation group: 'io.ballerina.scan', name: 'scan-command', version: "${balScanVersion}"
     testImplementation group: 'io.ballerina.scan', name: 'scan-command-test-utils', version: "${balScanVersion}"
-
     testImplementation group: 'org.testng', name: 'testng', version: "${testngVersion}"
+    testImplementation group: 'com.fasterxml.jackson.core', name: 'jackson-databind', version: "${jacksonDatabindVersion}"
 }
 tasks.withType(JavaCompile).configureEach {
     options.encoding = 'UTF-8'

@@ -18,6 +18,9 @@
 
 package io.ballerina.stdlib.crypto.compiler.staticcodeanalyzer;
 
+import com.fasterxml.jackson.databind.JsonNode;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import com.fasterxml.jackson.databind.SerializationFeature;
 import io.ballerina.projects.Project;
 import io.ballerina.projects.ProjectEnvironmentBuilder;
 import io.ballerina.projects.directory.BuildProject;
@@ -45,6 +48,7 @@
 
 import static io.ballerina.scan.RuleKind.VULNERABILITY;
 import static io.ballerina.stdlib.crypto.compiler.staticcodeanalyzer.CryptoRule.AVOID_FAST_HASH_ALGORITHMS;
+import static io.ballerina.stdlib.crypto.compiler.staticcodeanalyzer.CryptoRule.AVOID_REUSING_COUNTER_MODE_VECTORS;
 import static io.ballerina.stdlib.crypto.compiler.staticcodeanalyzer.CryptoRule.AVOID_WEAK_CIPHER_ALGORITHMS;
 import static java.nio.charset.StandardCharsets.UTF_8;
 
@@ -70,89 +74,131 @@ public void validateRulesJson() throws IOException {
     public void testStaticCodeRulesWithAPI() throws IOException {
         ByteArrayOutputStream console = new ByteArrayOutputStream();
         PrintStream printStream = new PrintStream(console, true, UTF_8);
+
         for (CryptoRule rule : CryptoRule.values()) {
-            String targetPackageName = "rule" + rule.getId();
-            Path targetPackagePath = RESOURCE_PACKAGES_DIRECTORY.resolve(targetPackageName);
-            Project project = BuildProject.load(getEnvironmentBuilder(), targetPackagePath);
-            TestOptions options = TestOptions.builder(project).setOutputStream(printStream).build();
-            TestRunner testRunner = new TestRunner(options);
-            testRunner.performScan();
-
-            // validate the rules
-            List<Rule> rules = testRunner.getRules();
-            Assertions.assertRule(
-                    rules,
-                    "ballerina/crypto:1",
-                    AVOID_WEAK_CIPHER_ALGORITHMS.getDescription(),
-                    VULNERABILITY);
-            Assertions.assertRule(
-                    rules,
-                    "ballerina/crypto:2",
-                    AVOID_FAST_HASH_ALGORITHMS.getDescription(),
-                    VULNERABILITY);
-
-            // validate the issues
-            List<Issue> issues = testRunner.getIssues();
-            int index = 0;
-            if (rule == AVOID_WEAK_CIPHER_ALGORITHMS) {
+            testIndividualRule(rule, console, printStream);
+        }
+    }
+
+    private void testIndividualRule(CryptoRule rule, ByteArrayOutputStream console, PrintStream printStream)
+            throws IOException {
+        String targetPackageName = "rule" + rule.getId();
+        Path targetPackagePath = RESOURCE_PACKAGES_DIRECTORY.resolve(targetPackageName);
+
+        TestRunner testRunner = setupTestRunner(targetPackagePath, printStream);
+        testRunner.performScan();
+
+        validateRules(testRunner.getRules());
+        validateIssues(rule, testRunner.getIssues());
+        validateOutput(console, targetPackageName);
+
+        console.reset();
+    }
+
+    private TestRunner setupTestRunner(Path targetPackagePath, PrintStream printStream) {
+        Project project = BuildProject.load(getEnvironmentBuilder(), targetPackagePath);
+        TestOptions options = TestOptions.builder(project).setOutputStream(printStream).build();
+        return new TestRunner(options);
+    }
+
+    private void validateRules(List<Rule> rules) {
+        Assertions.assertRule(
+                rules,
+                "ballerina/crypto:1",
+                AVOID_WEAK_CIPHER_ALGORITHMS.getDescription(),
+                VULNERABILITY);
+        Assertions.assertRule(
+                rules,
+                "ballerina/crypto:2",
+                AVOID_FAST_HASH_ALGORITHMS.getDescription(),
+                VULNERABILITY);
+        Assertions.assertRule(
+                rules,
+                "ballerina/crypto:3",
+                AVOID_REUSING_COUNTER_MODE_VECTORS.getDescription(),
+                VULNERABILITY);
+    }
+
+    private void validateIssues(CryptoRule rule, List<Issue> issues) {
+        switch (rule) {
+            case AVOID_WEAK_CIPHER_ALGORITHMS:
                 Assert.assertEquals(issues.size(), 4);
-                Assertions.assertIssue(issues, index++, "ballerina/crypto:1", "aes_cbc.bal",
+                Assertions.assertIssue(issues, 0, "ballerina/crypto:1", "aes_cbc.bal",
                         30, 30, Source.BUILT_IN);
-                Assertions.assertIssue(issues, index++, "ballerina/crypto:1", "aes_cbc_as_import.bal",
+                Assertions.assertIssue(issues, 1, "ballerina/crypto:1", "aes_cbc_as_import.bal",
                         30, 30, Source.BUILT_IN);
-                Assertions.assertIssue(issues, index++, "ballerina/crypto:1", "aes_ecb.bal",
+                Assertions.assertIssue(issues, 2, "ballerina/crypto:1", "aes_ecb.bal",
                         26, 26, Source.BUILT_IN);
-                Assertions.assertIssue(issues, index, "ballerina/crypto:1", "aes_ecb_as_import.bal",
+                Assertions.assertIssue(issues, 3, "ballerina/crypto:1", "aes_ecb_as_import.bal",
                         26, 26, Source.BUILT_IN);
-            } else if (rule == AVOID_FAST_HASH_ALGORITHMS) {
+                break;
+            case AVOID_FAST_HASH_ALGORITHMS:
                 Assert.assertEquals(issues.size(), 18);
-                Assertions.assertIssue(issues, index++, "ballerina/crypto:2", "argon_func_var_named_arg.bal",
+                Assertions.assertIssue(issues, 0, "ballerina/crypto:2", "argon_func_var_named_arg.bal",
                         23, 23, Source.BUILT_IN);
-                Assertions.assertIssue(issues, index++, "ballerina/crypto:2", "argon_func_var_pos_arg.bal",
+                Assertions.assertIssue(issues, 1, "ballerina/crypto:2", "argon_func_var_pos_arg.bal",
                         23, 23, Source.BUILT_IN);
-                Assertions.assertIssue(issues, index++, "ballerina/crypto:2", "argon_inline_named_arg.bal",
+                Assertions.assertIssue(issues, 2, "ballerina/crypto:2", "argon_inline_named_arg.bal",
                         20, 20, Source.BUILT_IN);
-                Assertions.assertIssue(issues, index++, "ballerina/crypto:2", "argon_inline_pos_arg.bal",
+                Assertions.assertIssue(issues, 3, "ballerina/crypto:2", "argon_inline_pos_arg.bal",
                         20, 20, Source.BUILT_IN);
-                Assertions.assertIssue(issues, index++, "ballerina/crypto:2", "argon_mod_var_named_arg.bal",
+                Assertions.assertIssue(issues, 4, "ballerina/crypto:2", "argon_mod_var_named_arg.bal",
                         24, 24, Source.BUILT_IN);
-                Assertions.assertIssue(issues, index++, "ballerina/crypto:2", "argon_mod_var_pos_arg.bal",
+                Assertions.assertIssue(issues, 5, "ballerina/crypto:2", "argon_mod_var_pos_arg.bal",
                         24, 24, Source.BUILT_IN);
-                Assertions.assertIssue(issues, index++, "ballerina/crypto:2", "bcrypt_func_var_named_arg.bal",
+                Assertions.assertIssue(issues, 6, "ballerina/crypto:2", "bcrypt_func_var_named_arg.bal",
                         21, 21, Source.BUILT_IN);
-                Assertions.assertIssue(issues, index++, "ballerina/crypto:2", "bcrypt_func_var_pos_arg.bal",
+                Assertions.assertIssue(issues, 7, "ballerina/crypto:2", "bcrypt_func_var_pos_arg.bal",
                         21, 21, Source.BUILT_IN);
-                Assertions.assertIssue(issues, index++, "ballerina/crypto:2", "bcrypt_inline_named_arg.bal",
+                Assertions.assertIssue(issues, 8, "ballerina/crypto:2", "bcrypt_inline_named_arg.bal",
                         20, 20, Source.BUILT_IN);
-                Assertions.assertIssue(issues, index++, "ballerina/crypto:2", "bcrypt_inline_pos_arg.bal",
+                Assertions.assertIssue(issues, 9, "ballerina/crypto:2", "bcrypt_inline_pos_arg.bal",
                         20, 20, Source.BUILT_IN);
-                Assertions.assertIssue(issues, index++, "ballerina/crypto:2", "bcrypt_mod_var_named_arg.bal",
+                Assertions.assertIssue(issues, 10, "ballerina/crypto:2", "bcrypt_mod_var_named_arg.bal",
                         22, 22, Source.BUILT_IN);
-                Assertions.assertIssue(issues, index++, "ballerina/crypto:2", "bcrypt_mod_var_pos_arg.bal",
+                Assertions.assertIssue(issues, 11, "ballerina/crypto:2", "bcrypt_mod_var_pos_arg.bal",
                         22, 22, Source.BUILT_IN);
-                Assertions.assertIssue(issues, index++, "ballerina/crypto:2", "pbkdf2_func_var_named_arg.bal",
+                Assertions.assertIssue(issues, 12, "ballerina/crypto:2", "pbkdf2_func_var_named_arg.bal",
                         21, 21, Source.BUILT_IN);
-                Assertions.assertIssue(issues, index++, "ballerina/crypto:2", "pbkdf2_func_var_pos_arg.bal",
+                Assertions.assertIssue(issues, 13, "ballerina/crypto:2", "pbkdf2_func_var_pos_arg.bal",
                         21, 21, Source.BUILT_IN);
-                Assertions.assertIssue(issues, index++, "ballerina/crypto:2", "pbkdf2_inline_named_arg.bal",
+                Assertions.assertIssue(issues, 14, "ballerina/crypto:2", "pbkdf2_inline_named_arg.bal",
                         20, 20, Source.BUILT_IN);
-                Assertions.assertIssue(issues, index++, "ballerina/crypto:2", "pbkdf2_inline_pos_arg.bal",
+                Assertions.assertIssue(issues, 15, "ballerina/crypto:2", "pbkdf2_inline_pos_arg.bal",
                         20, 20, Source.BUILT_IN);
-                Assertions.assertIssue(issues, index++, "ballerina/crypto:2", "pbkdf2_mod_var_named_arg.bal",
+                Assertions.assertIssue(issues, 16, "ballerina/crypto:2", "pbkdf2_mod_var_named_arg.bal",
+                        22, 22, Source.BUILT_IN);
+                Assertions.assertIssue(issues, 17, "ballerina/crypto:2", "pbkdf2_mod_var_pos_arg.bal",
                         22, 22, Source.BUILT_IN);
-                Assertions.assertIssue(issues, index, "ballerina/crypto:2", "pbkdf2_mod_var_pos_arg.bal",
+                break;
+            case AVOID_REUSING_COUNTER_MODE_VECTORS:
+                Assert.assertEquals(issues.size(), 6);
+                Assertions.assertIssue(issues, 0, "ballerina/crypto:3", "func_var_named_arg.bal",
                         22, 22, Source.BUILT_IN);
-            }
-
-            // validate the output
-            String output = console.toString(UTF_8);
-            String jsonOutput = extractJson(output);
-            String expectedOutput = Files.readString(EXPECTED_OUTPUT_DIRECTORY.resolve(targetPackageName + ".json"));
-            assertJsonEqual(jsonOutput, expectedOutput);
-            console.reset();
+                Assertions.assertIssue(issues, 1, "ballerina/crypto:3", "func_var_pos_arg.bal",
+                        22, 22, Source.BUILT_IN);
+                Assertions.assertIssue(issues, 2, "ballerina/crypto:3", "inline_named_arg.bal",
+                        21, 21, Source.BUILT_IN);
+                Assertions.assertIssue(issues, 3, "ballerina/crypto:3", "inline_pos_arg.bal",
+                        21, 21, Source.BUILT_IN);
+                Assertions.assertIssue(issues, 4, "ballerina/crypto:3", "mod_var_named_arg.bal",
+                        23, 23, Source.BUILT_IN);
+                Assertions.assertIssue(issues, 5, "ballerina/crypto:3", "mod_var_pos_arg.bal",
+                        23, 23, Source.BUILT_IN);
+                break;
+            default:
+                Assert.fail("Unhandled rule in validateIssues: " + rule);
+                break;
         }
     }
 
+    private void validateOutput(ByteArrayOutputStream console, String targetPackageName) throws IOException {
+        String output = console.toString(UTF_8);
+        String jsonOutput = extractJson(output);
+        String expectedOutput = Files.readString(EXPECTED_OUTPUT_DIRECTORY.resolve(targetPackageName + ".json"));
+        assertJsonEqual(jsonOutput, expectedOutput);
+    }
+
     private static ProjectEnvironmentBuilder getEnvironmentBuilder() {
         Environment environment = EnvironmentBuilder.getBuilder().setBallerinaHome(DISTRIBUTION_PATH).build();
         return ProjectEnvironmentBuilder.getBuilder(environment);
@@ -172,16 +218,15 @@ private void assertJsonEqual(String actual, String expected) {
     }
 
     private static String normalizeString(String json) {
-        String normalizedJson = json.replaceAll("\\s*\"\\s*", "\"")
-                .replaceAll("\\s*:\\s*", ":")
-                .replaceAll("\\s*,\\s*", ",")
-                .replaceAll("\\s*\\{\\s*", "{")
-                .replaceAll("\\s*}\\s*", "}")
-                .replaceAll("\\s*\\[\\s*", "[")
-                .replaceAll("\\s*]\\s*", "]")
-                .replaceAll("\n", "")
-                .replaceAll(":\".*" + MODULE_BALLERINA_CRYPTO, ":\"" + MODULE_BALLERINA_CRYPTO);
-        return isWindows() ? normalizedJson.replaceAll("/", "\\\\\\\\") : normalizedJson;
+        try {
+            ObjectMapper mapper = new ObjectMapper().configure(SerializationFeature.ORDER_MAP_ENTRIES_BY_KEYS, true);
+            JsonNode node = mapper.readTree(json);
+            String normalizedJson = mapper.writeValueAsString(node)
+                    .replaceAll(":\".*" + MODULE_BALLERINA_CRYPTO, ":\"" + MODULE_BALLERINA_CRYPTO);
+            return isWindows() ? normalizedJson.replace("/", "\\\\") : normalizedJson;
+        } catch (Exception ignore) {
+            return json;
+        }
     }
 
     private static boolean isWindows() {

@@ -0,0 +1,8 @@
+[package]
+org = "wso2"
+name = "rule3"
+version = "0.1.0"
+distribution = "2201.12.3"
+
+[build-options]
+observabilityIncluded = true
@@ -0,0 +1,24 @@
+// Copyright (c) 2025 WSO2 LLC. (http://www.wso2.org)
+//
+// WSO2 LLC. licenses this file to you under the Apache License,
+// Version 2.0 (the "License"); you may not use this file except
+// in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+import ballerina/crypto;
+
+public function funcVarNamedArg(string data) returns error? {
+    byte[16] initialVector = [1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16];
+    byte[16] key = [16, 15, 14, 13, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1];
+    byte[] dataBytes = data.toBytes();
+    byte[] _ = check crypto:encryptAesGcm(dataBytes, key, iv = initialVector);
+}
@@ -0,0 +1,24 @@
+// Copyright (c) 2025 WSO2 LLC. (http://www.wso2.org)
+//
+// WSO2 LLC. licenses this file to you under the Apache License,
+// Version 2.0 (the "License"); you may not use this file except
+// in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+import ballerina/crypto;
+
+public function funcVarPosArg(string data) returns error? {
+    byte[16] initialVector = [1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16];
+    byte[16] key = [16, 15, 14, 13, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1];
+    byte[] dataBytes = data.toBytes();
+    byte[] _ = check crypto:encryptAesGcm(dataBytes, key, initialVector);
+}
@@ -0,0 +1,23 @@
+// Copyright (c) 2025 WSO2 LLC. (http://www.wso2.org)
+//
+// WSO2 LLC. licenses this file to you under the Apache License,
+// Version 2.0 (the "License"); you may not use this file except
+// in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+import ballerina/crypto;
+
+public function inlineNamedArg(string data) returns error? {
+    byte[16] key = [16, 15, 14, 13, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1];
+    byte[] dataBytes = data.toBytes();
+    byte[] _ = check crypto:encryptAesGcm(dataBytes, key, iv = [1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16]);
+}
@@ -0,0 +1,23 @@
+// Copyright (c) 2025 WSO2 LLC. (http://www.wso2.org)
+//
+// WSO2 LLC. licenses this file to you under the Apache License,
+// Version 2.0 (the "License"); you may not use this file except
+// in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+import ballerina/crypto;
+
+public function inlinePosArg(string data) returns error? {
+    byte[16] key = [16, 15, 14, 13, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1];
+    byte[] dataBytes = data.toBytes();
+    byte[] _ = check crypto:encryptAesGcm(dataBytes, key, [1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16]);
+}
@@ -0,0 +1,25 @@
+// Copyright (c) 2025 WSO2 LLC. (http://www.wso2.org)
+//
+// WSO2 LLC. licenses this file to you under the Apache License,
+// Version 2.0 (the "License"); you may not use this file except
+// in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+import ballerina/crypto;
+
+byte[16] initialVectorModNamed = [1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16];
+
+public function modVarNamedArg(string data) returns error? {
+    byte[16] key = [16, 15, 14, 13, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1];
+    byte[] dataBytes = data.toBytes();
+    byte[] _ = check crypto:encryptAesGcm(dataBytes, key, iv = initialVectorModNamed);
+}