elx/config/pmd/category/java/security.xml

<?xml version="1.0"?>

<ruleset name="Security" xmlns="http://pmd.sourceforge.net/ruleset/2.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://pmd.sourceforge.net/ruleset/2.0.0 https://pmd.sourceforge.io/ruleset_2_0_0.xsd">

    <description>
        Rules that flag potential security flaws.
    </description>

    <rule name="HardCodedCryptoKey"
          since="6.4.0"
          message="Do not use hard coded encryption keys"
          class="net.sourceforge.pmd.lang.java.rule.security.HardCodedCryptoKeyRule"
          externalInfoUrl="${pmd.website.baseurl}/pmd_rules_java_security.html#hardcodedcryptokey">
        <description>
            Do not use hard coded values for cryptographic operations. Please store keys outside of source code.
        </description>
        <priority>3</priority>
        <example>
            <![CDATA[
public class Foo {
    void good() {
        SecretKeySpec secretKeySpec = new SecretKeySpec(Properties.getKey(), "AES");
    }

    void bad() {
        SecretKeySpec secretKeySpec = new SecretKeySpec("my secret here".getBytes(), "AES");
    }
}
]]>
        </example>
    </rule>

    <rule name="InsecureCryptoIv"
          since="6.3.0"
          message="Do not use hard coded initialization vector in crypto operations"
          class="net.sourceforge.pmd.lang.java.rule.security.InsecureCryptoIvRule"
          externalInfoUrl="${pmd.website.baseurl}/pmd_rules_java_security.html#insecurecryptoiv">
        <description>
            Do not use hard coded initialization vector in cryptographic operations. Please use a randomly generated IV.
        </description>
        <priority>3</priority>
        <example>
            <![CDATA[
public class Foo {
    void good() {
        SecureRandom random = new SecureRandom();
        byte iv[] = new byte[16];
        random.nextBytes(bytes);
    }

    void bad() {
        byte[] iv = new byte[] { 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, };
    }

    void alsoBad() {
        byte[] iv = "secret iv in here".getBytes();
    }
}
]]>
        </example>
    </rule>

</ruleset>
update build, pmd 2020-04-01 22:43:19 +02:00			`<?xml version="1.0"?>`

			`<ruleset name="Security" xmlns="http://pmd.sourceforge.net/ruleset/2.0.0"`
			`xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"`
			`xsi:schemaLocation="http://pmd.sourceforge.net/ruleset/2.0.0 https://pmd.sourceforge.io/ruleset_2_0_0.xsd">`

			`<description>`
			`Rules that flag potential security flaws.`
			`</description>`

			`<rule name="HardCodedCryptoKey"`
			`since="6.4.0"`
			`message="Do not use hard coded encryption keys"`
			`class="net.sourceforge.pmd.lang.java.rule.security.HardCodedCryptoKeyRule"`
			`externalInfoUrl="${pmd.website.baseurl}/pmd_rules_java_security.html#hardcodedcryptokey">`
			`<description>`
			`Do not use hard coded values for cryptographic operations. Please store keys outside of source code.`
			`</description>`
			`<priority>3</priority>`
			`<example>`
			`<![CDATA[`
			`public class Foo {`
			`void good() {`
			`SecretKeySpec secretKeySpec = new SecretKeySpec(Properties.getKey(), "AES");`
			`}`

			`void bad() {`
			`SecretKeySpec secretKeySpec = new SecretKeySpec("my secret here".getBytes(), "AES");`
			`}`
			`}`
			`]]>`
			`</example>`
			`</rule>`

			`<rule name="InsecureCryptoIv"`
			`since="6.3.0"`
			`message="Do not use hard coded initialization vector in crypto operations"`
			`class="net.sourceforge.pmd.lang.java.rule.security.InsecureCryptoIvRule"`
			`externalInfoUrl="${pmd.website.baseurl}/pmd_rules_java_security.html#insecurecryptoiv">`
			`<description>`
			`Do not use hard coded initialization vector in cryptographic operations. Please use a randomly generated IV.`
			`</description>`
			`<priority>3</priority>`
			`<example>`
			`<![CDATA[`
			`public class Foo {`
			`void good() {`
			`SecureRandom random = new SecureRandom();`
			`byte iv[] = new byte[16];`
			`random.nextBytes(bytes);`
			`}`

			`void bad() {`
			`byte[] iv = new byte[] { 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, };`
			`}`

			`void alsoBad() {`
			`byte[] iv = "secret iv in here".getBytes();`
			`}`
			`}`
			`]]>`
			`</example>`
			`</rule>`

			`</ruleset>`