IBM / sonar-cryptography

This repository contains a SonarQube Plugin that detects cryptographic assets in source code and generates CBOM.
Apache License 2.0

Default enricher adds library-specific information #11

Open n1ckl0sk0rtge opened 1 month ago

n1ckl0sk0rtge commented 1 month ago

The translation of the Python example CryptographyRSASign1Test returns the following result without using the default enricher (com.ibm.enricher.Enricher).

DEBUG [translation] (PrivateKey) RSA
DEBUG [translation]    └─ (Algorithm) RSA
DEBUG [translation]       └─ (KeyGeneration) KEYGENERATION
DEBUG [translation]       └─ (KeyLength) 2048
DEBUG [translation]    └─ (KeyLength) 2048
DEBUG [translation]    └─ (Signature) RSASSA-PSS
DEBUG [translation]       └─ (MessageDigest) SHA384
DEBUG [translation]       └─ (Sign) SIGN
DEBUG [translation]       └─ (Algorithm) RSA
DEBUG [translation]          └─ (KeyLength) 2048
DEBUG [translation]       └─ (ProbabilisticSignatureScheme) PSS
DEBUG [translation]          └─ (MaskGenerationFunction) MGF1
DEBUG [translation]             └─ (MessageDigest) SHA256

When adding the default enricher, the result becomes:

DEBUG [translation] (PrivateKey) RSA
DEBUG [translation]    └─ (Algorithm) RSA
DEBUG [translation]       └─ (KeyGeneration) KEYGENERATION
DEBUG [translation]       └─ (KeyLength) 2048
DEBUG [translation]       └─ (Oid) 1.2.840.113549.1.1.1
DEBUG [translation]    └─ (KeyLength) 2048
DEBUG [translation]    └─ (Signature) RSASSA-PSS
DEBUG [translation]       └─ (MessageDigest) SHA384
DEBUG [translation]       └─ (Sign) SIGN
DEBUG [translation]       └─ (Algorithm) RSA
DEBUG [translation]          └─ (KeyLength) 2048
DEBUG [translation]          └─ (Oid) 1.2.840.113549.1.1.1
DEBUG [translation]       └─ (ProbabilisticSignatureScheme) PSS
DEBUG [translation]          └─ (MaskGenerationFunction) MGF1
DEBUG [translation]             └─ (MessageDigest) SHA256
DEBUG [translation]       └─ (SaltLength) 160  <––––––––––––––––––
DEBUG [translation]       └─ (MaskGenerationFunction) MGF1  <–––––
DEBUG [translation]          └─ (MessageDigest) SHA-1 <–––––––––––
DEBUG [translation]             └─ (BlockSize) 512  <–––––––––––––
DEBUG [translation]             └─ (KeyLength) 512  <–––––––––––––
DEBUG [translation]             └─ (DigestSize) 160  <––––––––––––
DEBUG [translation]             └─ (Oid) 1.3.14.3.2.26  <–––––––––
DEBUG [translation]       └─ (Oid) 1.2.840.113549.1.1.10

As expected, various OIDs have been added. However, the lines above with arrows show some JCA-specific information which has been added and is not necessarily true in the Python implementation.

The default enricher should be restricted to enriching translations with OIDs, and the remaining enrichments should be moved to a language-specific enricher class (the Python implementation uses PythonEnricher.java, for example).
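The split proposed above, modelled as an added example that is not the plugin's own code: a language-agnostic enricher that only attaches OIDs, and a per-language enricher that owns library defaults. The node tree and OID values mirror the translation log in this issue; the `Node` class, the enricher classes, the `enrich` dispatch function and the OID table are assumptions made for the sketch. The JCA defaults it fills in (MGF1 with SHA-1 and a 20-byte, i.e. 160-bit, salt) are those of `java.security.spec.PSSParameterSpec.DEFAULT`; pyca/cryptography's `padding.PSS` requires `mgf` and `salt_length` explicitly, so the Python enricher has no implicit default to add.

```python
"""Hypothetical two-layer enrichment, constructed for this issue (not project code)."""
from dataclasses import dataclass, field


@dataclass
class Node:
    kind: str                      # e.g. "Algorithm", "KeyLength", "Oid"
    value: str
    children: list = field(default_factory=list)

    def child(self, kind):
        return next((c for c in self.children if c.kind == kind), None)

    def render(self, depth=0):
        # Same layout as the DEBUG [translation] lines in the issue.
        lines = ["   " * depth + ("└─ " if depth else "") + f"({self.kind}) {self.value}"]
        for c in self.children:
            lines.extend(c.render(depth + 1))
        return lines


def walk(root):
    """Pre-order list of all nodes; materialised so enrichers may append safely."""
    out = [root]
    for c in root.children:
        out.extend(walk(c))
    return out


# Constructed OID table; the values are the ones appearing in the issue's log.
OIDS = {
    ("Algorithm", "RSA"): "1.2.840.113549.1.1.1",
    ("Signature", "RSASSA-PSS"): "1.2.840.113549.1.1.10",
    ("MessageDigest", "SHA-1"): "1.3.14.3.2.26",
}


class DefaultEnricher:
    """Language-agnostic: attaches OIDs and nothing else."""
    def enrich(self, root):
        for n in walk(root):
            oid = OIDS.get((n.kind, n.value))
            if oid and n.child("Oid") is None:
                n.children.append(Node("Oid", oid))
        return root


class JcaEnricher:
    """Java-specific: apply PSSParameterSpec.DEFAULT (MGF1/SHA-1, 160-bit salt)
    only when the signature carries no explicit MGF anywhere beneath it."""
    def enrich(self, root):
        for n in walk(root):
            if n.kind == "Signature" and n.value == "RSASSA-PSS":
                explicit = any(m.kind == "MaskGenerationFunction" for m in walk(n))
                if not explicit:
                    n.children.append(Node("SaltLength", "160"))
                    n.children.append(Node("MaskGenerationFunction", "MGF1",
                                           [Node("MessageDigest", "SHA-1")]))
        return root


class PythonEnricher:
    """pyca/cryptography makes mgf and salt_length mandatory, so no defaults exist."""
    def enrich(self, root):
        return root


def enrich(root, language):
    """Library defaults first (so their nodes get OIDs too), then generic OIDs."""
    specific = {"java": JcaEnricher, "python": PythonEnricher}[language]()
    return DefaultEnricher().enrich(specific.enrich(root))


def python_example():
    """The unenriched translation of CryptographyRSASign1Test as logged above."""
    return Node("PrivateKey", "RSA", [
        Node("Algorithm", "RSA", [Node("KeyGeneration", "KEYGENERATION"),
                                  Node("KeyLength", "2048")]),
        Node("KeyLength", "2048"),
        Node("Signature", "RSASSA-PSS", [
            Node("MessageDigest", "SHA384"),
            Node("Sign", "SIGN"),
            Node("Algorithm", "RSA", [Node("KeyLength", "2048")]),
            Node("ProbabilisticSignatureScheme", "PSS", [
                Node("MaskGenerationFunction", "MGF1", [Node("MessageDigest", "SHA256")]),
            ]),
        ]),
    ])


def values_of(root, kind):
    return sorted({n.value for n in walk(root) if n.kind == kind})


if __name__ == "__main__":
    print("\n".join(enrich(python_example(), "python").render()))
```

Running the block prints the Python translation with only the two RSA-related OIDs attached; no SHA-1, salt length or second MGF node appears, which is the output the issue asks for. Dispatching the same bare RSASSA-PSS signature as Java yields the SHA-1 defaults together with their OID, so the JCA-specific facts are still recorded where they actually hold.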