Review

Detector:	Tikanga
Target:	project ' wss4j1 ' version 2.0.1
Misuse:	misuse ' SV_CVE_15_0226 '
Tags:

Misuse Details

Details about the known misuse from the MUBench dataset.

Description:
Fix Description:	(see diff)
Violations:
In File:	org/apache/wss4j/dom/processor/EncryptedKeyProcessor.java
In Method:	getRandomKey(List, Document, WSDocInfo)
Code with Misuse:	class EncryptedKeyProcessor { /** * Generates a random secret key using the algorithm specified in the * first DataReference URI * * @param dataRefURIs * @param doc * @param wsDocInfo * @throws WSSecurityException / private static byte[] getRandomKey(List<String> dataRefURIs, Document doc, WSDocInfo wsDocInfo) throws WSSecurityException { try { String alg = "AES"; int size = 128; if (!dataRefURIs.isEmpty()) { String uri = dataRefURIs.iterator().next(); Element ee = ReferenceListProcessor.findEncryptedDataElement(doc, wsDocInfo, uri); String algorithmURI = X509Util.getEncAlgo(ee); alg = JCEMapper.getJCEKeyAlgorithmFromURI(algorithmURI); size = KeyUtils.getKeyLength(algorithmURI); } KeyGenerator kgen = KeyGenerator.getInstance(alg); kgen.init(size 8); SecretKey k = kgen.generateKey(); return k.getEncoded(); } catch (Exception ex) { throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_CHECK, ex); } } }

Potential Hits

Findings of the detector that identify an anomaly in the same file and method as the known misuse.

Hit	Rank	Confidence	Defect Indicator	Missing Properties	Present Properties	Supporting Objects
?	3	0.98	7.08	AG (Iterator.next () : Object @ (0) => EX EF Iterator.next () : Object @ (0)) AG (RETVAL: List.iterator () : Iterator => AX AF Iterator.hasNext () : boolean @ (0)) AG (Iterator.next () : Object @ (0) => EX EF Iterator.hasNext () : boolean @ (0)) EF Iterator.hasNext () : boolean @ (0) AG (Iterator.hasNext () : boolean @ (0) => EX EF Iterator.hasNext () : boolean @ (0)) AG (Iterator.hasNext () : boolean @ (0) => EX EF Iterator.next () : Object @ (0)) AG (Iterator.hasNext () : boolean @ (0) => AX AF Iterator.next () : Object @ (0)) AF Iterator.hasNext () : boolean @ (0) AG (RETVAL: List.iterator () : Iterator => EX EF Iterator.hasNext () : boolean @ (0))	AF Iterator.next () : Object @ (0) AG (RETVAL: List.iterator () : Iterator => AX AF Iterator.next () : Object @ (0)) AF RETVAL: List.iterator () : Iterator AG (RETVAL: List.iterator () : Iterator => EX EF Iterator.next () : Object @ (0)) EF Iterator.next () : Object @ (0) EF RETVAL: List.iterator () : Iterator	WSDocInfo.addTokenElement (Element, boolean) : void : var #5@Iterator (line 103) WSDocInfo.getResult (String) : WSSecurityEngineResult : var #4@Iterator (line 205) WSDocInfo.getResultByTag (Integer, String) : WSSecurityEngineResult : var #4@Iterator (line 246)