Apply suggestions from code review

added the changes Co-authored-by: Carlos Holguera <perezholguera@gmail.com>
OWASP · Sep 3, 2024 · be89843 · be89843
1 parent fe8af19
commit be89843
Show file tree

Hide file tree

Showing 4 changed files with 13 additions and 12 deletions.
diff --git a/demos/android/MASVS-CRYPTO/MASTG-DEMO-0015/MASTG-DEMO-0015.md b/demos/android/MASVS-CRYPTO/MASTG-DEMO-0015/MASTG-DEMO-0015.md
@@ -25,4 +25,8 @@ The rule has identified one instance in the code file where hardcoded keys is us
 
 ### Evaluation
 
-The test fails because a hardcoded AES key was found in the code.
+The test fails because hardcoded cryptographic keys are present in the code. Specifically:
+
+- On line 24, a byte array that represents a cryptographic key is directly hardcoded into the source code.
+- This hardcoded key is then used on line 26 to create a `SecretKeySpec`.
+- Additionally, on line 30, another instance of hardcoded data is used to create a separate `SecretKeySpec`.
diff --git a/demos/android/MASVS-CRYPTO/MASTG-DEMO-0015/run.sh b/demos/android/MASVS-CRYPTO/MASTG-DEMO-0015/run.sh
@@ -1 +1 @@
- semgrep -c ../rules/mastg-android-hardcoded-crypto-keys-usage.yml ./MastgTest_reversed.java --text -o output.txt  
+NO_COLOR=true semgrep -c ../../../../rules/mastg-android-hardcoded-crypto-keys-usage.yml ./MastgTest_reversed.java --text -o output.txt
diff --git a/rules/mastg-android-hardcoded-crypto-keys-usage.yml b/rules/mastg-android-hardcoded-crypto-keys-usage.yml
@@ -1,11 +1,11 @@
 rules:
-  - id: hardcoded-crypto-key-test
+  - id: mastg-android-hardcoded-crypto-keys-usage
+    severity: WARNING
     languages:
       - java
-    severity: WARNING
     metadata:
-      summary: This rule scans for hardcoded getting used.
-    message: Hardcoded cryptographic keys are found in use.
+      summary: This rule looks for hardcoded keys in use.
+    message: "[MASVS-CRYPTO-1] Hardcoded cryptographic keys found in use."
     pattern-either:
       - pattern: SecretKeySpec $_ = new SecretKeySpec($KEY, $ALGO);
       - pattern: |-

diff --git a/tests-beta/android/MASVS-CRYPTO/MASTG-TEST-0210.md b/tests-beta/android/MASVS-CRYPTO/MASTG-TEST-0210.md
@@ -8,19 +8,16 @@ weakness: MASWE-0014
 
 ## Overview
 
-In this test case, we will look for the use of hardcoded keys in android applications. To do this, we need to focus on the cryptographic implementations of hardcoded keys. The Java Cryptography Architecture (JCA) provides SecretKeySpec class which allows you to create a secret key from a byte array.
-
-[SecretKeySpec](https://developer.android.com/reference/javax/crypto/spec/SecretKeySpec)
-For more information, you can consult the MASTG section about [Static Analysis](https://mas.owasp.org/MASTG/tests/android/MASVS-CRYPTO/MASTG-TEST-0013/#overview)
+In this test case, we will look for the use of hardcoded keys in Android applications. To do this, we need to focus on the cryptographic implementations of hardcoded keys. The Java Cryptography Architecture (JCA) provides the [`SecretKeySpec`](https://developer.android.com/reference/javax/crypto/spec/SecretKeySpec) class, which allows you to create a [`SecretKey`](https://developer.android.com/reference/javax/crypto/SecretKey) from a byte array.
 
 ## Steps
 
 1. Run a static analysis tool such as @MASTG-TOOL-0110 on the code and look for uses of the hardcoded cryptographic keys.
 
 ## Observation
 
-The output should contain a list of locations where hardcoded keys are getting used.
+The output should contain a list of locations where hardcoded keys are used.
 
 ## Evaluation
 
-The test case fails if you can find the hardcoded key is just stored and not used by the application
+The test case fails if you find any hardcoded keys.