Rules that flag potential security flaws.
Edit me

HardCodedCryptoKey

Since: PMD 6.4.0

Priority: Medium (3)

Do not use hard coded values for cryptographic operations. Please store keys outside of source code.

This rule is defined by the following Java class: net.sourceforge.pmd.lang.java.rule.security.HardCodedCryptoKeyRule

Example(s):

public class Foo {
    void good() {
        SecretKeySpec secretKeySpec = new SecretKeySpec(Properties.getKey(), "AES");
    }

    void bad() {
        SecretKeySpec secretKeySpec = new SecretKeySpec("my secret here".getBytes(), "AES");
    }
}

Use this rule by referencing it:

<rule ref="category/java/security.xml/HardCodedCryptoKey" />

InsecureCryptoIv

Since: PMD 6.3.0

Priority: Medium (3)

Do not use hard coded initialization vector in cryptographic operations. Please use a randomly generated IV.

This rule is defined by the following Java class: net.sourceforge.pmd.lang.java.rule.security.InsecureCryptoIvRule

Example(s):

public class Foo {
    void good() {
        SecureRandom random = new SecureRandom();
        byte iv[] = new byte[16];
        random.nextBytes(bytes);
    }

    void bad() {
        byte[] iv = new byte[] { 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, };
    }

    void alsoBad() {
        byte[] iv = "secret iv in here".getBytes();
    }
}

Use this rule by referencing it:

<rule ref="category/java/security.xml/InsecureCryptoIv" />

TypeResTest

Since: PMD 7.0.0

Priority: Medium (3)

This is just a toy rule that counts the proportion of resolved types in a codebase, not meant as a real rule.

It is used to test the capability of PMD’s own type resolution.

This rule is defined by the following Java class: net.sourceforge.pmd.lang.java.rule.security.TypeResTestRule

Use this rule by referencing it:

<rule ref="category/java/security.xml/TypeResTest" />