SONARJAVA-6440 S2245: Add security-context heuristic to reduce false positives

its/autoscan/src/test/resources/autoscan/diffs/diff_S1874.json

@@ -1,6 +1,6 @@
 {
   "ruleKey": "S1874",
   "hasTruePositives": true,
-  "falseNegatives": 257,
+  "falseNegatives": 259,
   "falsePositives": 0
 }

its/autoscan/src/test/resources/autoscan/diffs/diff_S2119.json

@@ -1,6 +1,6 @@
 {
   "ruleKey": "S2119",
   "hasTruePositives": true,
-  "falseNegatives": 2,
+  "falseNegatives": 3,
   "falsePositives": 0
 }

its/autoscan/src/test/resources/autoscan/diffs/diff_S2245.json

@@ -1,6 +1,6 @@
 {
   "ruleKey": "S2245",
   "hasTruePositives": true,
-  "falseNegatives": 26,
+  "falseNegatives": 17,
   "falsePositives": 0
 }

its/ruling/src/test/resources/eclipse-jetty-similar-to-main/java-S2245.json

@@ -1,7 +1,4 @@
 {
-"org.eclipse.jetty:jetty-project:jetty-server/src/main/java/org/eclipse/jetty/server/ShutdownMonitor.java": [
-287
-],
 "org.eclipse.jetty:jetty-project:jetty-server/src/main/java/org/eclipse/jetty/server/session/DefaultSessionIdManager.java": [
 369
 ]

its/ruling/src/test/resources/eclipse-jetty/java-S2245.json

@@ -1,7 +1,4 @@
 {
-"org.eclipse.jetty:jetty-project:jetty-server/src/main/java/org/eclipse/jetty/server/ShutdownMonitor.java": [
-287
-],
 "org.eclipse.jetty:jetty-project:jetty-server/src/main/java/org/eclipse/jetty/server/session/DefaultSessionIdManager.java": [
 369
 ]

its/ruling/src/test/resources/mall/java-S2245.json

@@ -1,7 +1,4 @@
 {
-"com.macro.mall:mall:mall-portal/src/main/java/com/macro/mall/portal/service/impl/UmsMemberCouponServiceImpl.java": [
-91
-],
 "com.macro.mall:mall:mall-portal/src/main/java/com/macro/mall/portal/service/impl/UmsMemberServiceImpl.java": [
 112
 ]

its/ruling/src/test/resources/sonar-server/java-S2245.json

@@ -1,5 +1 @@
-{
-"org.sonarsource.sonarqube:sonar-server:src/main/java/org/sonar/server/es/RecoveryIndexer.java": [
-92
-]
-}
+{}

java-checks-test-sources/default/src/main/java/checks/PseudoRandomCheckCryptoImportSample.java

@@ -0,0 +1,22 @@
+package checks;
+
+import java.util.Random;
+import org.bouncycastle.jce.provider.BouncyCastleProvider;
+
+// SONARJAVA-6440 Part 1: file imports `org.bouncycastle.*` -> all PRNG calls flagged
+// regardless of any per-scope keyword check.
+class PseudoRandomCheckCryptoImportSample {
+
+  // BouncyCastle reference so the import is used.
+  static final BouncyCastleProvider PROVIDER = new BouncyCastleProvider();
+
+  void noKeywordsInScope() {
+    int counter = 0;
+    Random r = new Random(); // Noncompliant {{Make sure that using this pseudorandom number generator is safe here.}}
+    counter += r.nextInt();
+  }
+
+  double anotherNeutralMethod() {
+    return Math.random(); // Noncompliant
+  }
+}

java-checks-test-sources/default/src/main/java/checks/PseudoRandomCheckFieldScopeSample.java

@@ -0,0 +1,33 @@
+package checks;
+
+import java.util.Random;
+
+// SONARJAVA-6440: no crypto import. Random call appears outside any method (field initializer
+// and static initializer). Scope falls back to the enclosing class; the class identifiers
+// drive the keyword check.
+
+class PseudoRandomCheckFieldScopeSampleSecure {
+  // Class name contains keyword: `TokenGenerator` tokens -> [token, generator]. `token` matches.
+  static class TokenGenerator {
+    static final Random RNG = new Random(); // Noncompliant {{Make sure that using this pseudorandom number generator is safe here.}}
+  }
+
+  // No method scope, but a sibling field name contains a security keyword.
+  static class Holder {
+    String password;
+    static final Random R = new Random(); // Noncompliant
+  }
+
+  // Static initializer: no enclosing method; class identifiers carry the keyword.
+  static class CipherBundle {
+    static Random r;
+    static {
+      r = new Random(); // Noncompliant
+    }
+  }
+}
+
+class PseudoRandomCheckFieldScopeSampleNeutral {
+  // No method, no security keyword anywhere in the enclosing class -> Compliant.
+  static final Random R = new Random(); // Compliant
+}

java-checks-test-sources/default/src/main/java/checks/PseudoRandomCheckNoContextSample.java

@@ -0,0 +1,30 @@
+package checks;
+
+import java.util.Random;
+import java.util.concurrent.ThreadLocalRandom;
+import org.apache.commons.lang.math.JVMRandom;
+import org.apache.commons.lang.math.RandomUtils;
+import org.apache.commons.lang.RandomStringUtils;
+
+// SONARJAVA-6440: no crypto import, no security-keyword identifiers in scope ->
+// the security-context heuristic suppresses the issue.
+class PseudoRandomCheckNoContextSample {
+
+  void neutralMethod() {
+    Random r = new Random(); // Compliant
+    int v = r.nextInt();
+
+    JVMRandom j = new JVMRandom(); // Compliant
+    double d1 = j.nextDouble();
+
+    double d2 = Math.random(); // Compliant
+    int v2 = ThreadLocalRandom.current().nextInt(); // Compliant
+
+    float f1 = RandomUtils.nextFloat(); // Compliant
+    String s1 = RandomStringUtils.random(1); // Compliant
+  }
+
+  int doWork(int input) {
+    return input + 1;
+  }
+}

java-checks-test-sources/default/src/main/java/checks/PseudoRandomCheckSecurityKeywordsSample.java

@@ -0,0 +1,84 @@
+package checks;
+
+import java.util.Random;
+import java.util.concurrent.ThreadLocalRandom;
+import org.apache.commons.lang3.RandomUtils;
+import org.apache.commons.lang3.RandomStringUtils;
+
+// SONARJAVA-6440: no crypto import. Security keywords reached via per-scope identifier scan.
+class PseudoRandomCheckSecurityKeywordsSample {
+
+  // --- Method-scope keyword tokenized from camelCase (`userPassword` -> [user, password]). ---
+  void camelCaseLocal() {
+    String userPassword = "x";
+    Random r = new Random(); // Noncompliant {{Make sure that using this pseudorandom number generator is safe here.}}
+    r.nextInt();
+  }
+
+  // --- Method-scope keyword tokenized from snake_case (`user_token` -> [user, token]). ---
+  void snakeCaseLocal() {
+    String user_token = "x";
+    double d = Math.random(); // Noncompliant
+  }
+
+  // --- Method-scope keyword from all-uppercase (`HMAC` -> [hmac]). ---
+  void upperCaseLocal() {
+    final int HMAC = 32;
+    int v = ThreadLocalRandom.current().nextInt(); // Noncompliant
+  }
+
+  // --- Keyword in the method name itself. ---
+  void encryptPayload() {
+    float f = RandomUtils.nextFloat(); // Noncompliant
+  }
+
+  // --- Keyword in a parameter name. ---
+  String randomFromToken(String token) {
+    return RandomStringUtils.random(1); // Noncompliant
+  }
+
+  // --- Whole-identifier match (`password`). ---
+  void wholeIdentifierMatch() {
+    String password = "x";
+    Random r = new Random(); // Noncompliant
+  }
+
+  // --- No keyword in scope: must NOT be flagged (heuristic suppresses it). ---
+  void unrelatedScope() {
+    int counter = 0;
+    Random r = new Random(); // Compliant
+    counter += r.nextInt();
+  }
+
+  // --- camelCase that DOES NOT match keyword after tokenization. ---
+  // `randomBytes` tokenizes to [random, bytes]; neither is in the keyword set
+  // (the keyword `randombytes` only matches an all-lowercase or all-uppercase literal).
+  void splitRandomBytes() {
+    byte[] randomBytes = new byte[16];
+    Random r = new Random(); // Compliant
+    r.nextBytes(randomBytes);
+  }
+
+// --- Digit-suffixed all-uppercase crypto acronym: documents a known tokenizer gap. ---
+// `AES256_KEY` splits on `_` to ["AES256", "KEY"]. `AES256` has no lowercase letter so
+// isAllUppercaseWithLetter returns true and it lowercases to `aes256` as a single token
+// (NOT `aes` + `256`). The keyword set holds `aes`, not `aes256`, so no match fires.
+// `KEY` -> `[key]`, which is not in the Java security-keyword set.
+// Intentional: splitting letters from trailing digits is out of scope here; tracked under APPSEC-3004.
+  void digitSuffixedAcronym() {
+    final int AES256_KEY = 32;
+    Random r = new Random(); // Compliant
+    r.nextInt(AES256_KEY);
+  }
+}
+
+// --- Inner-class scope isolation. ---
+// The outer class name `TokenAware` contains the security keyword `token`, but the
+// PRNG call lives in an inner class with neutral identifiers. findDeclarationScope
+// returns the inner ClassTree first, so the outer's keyword is NOT in scope.
+class TokenAware {
+  static class NeutralInner {
+    static final Random R = new Random(); // Compliant
+  }
+}
+

java-checks-test-sources/default/src/main/java/checks/PseudoRandomCheckStaticImportSample.java

@@ -0,0 +1,19 @@
+package checks;
+
+import static javax.crypto.Cipher.ENCRYPT_MODE;
+
+import java.util.Random;
+
+// SONARJAVA-6440 Part 1: static import of a crypto class still parses as Tree.Kind.IMPORT,
+// so the concatenated name `javax.crypto.Cipher.ENCRYPT_MODE` matches the `javax.crypto.`
+// prefix and the file-level crypto-import gate fires.
+class PseudoRandomCheckStaticImportSample {
+
+  static final int MODE = ENCRYPT_MODE; // retain the static import
+
+  void noKeywordsInScope() {
+    int counter = 0;
+    Random r = new Random(); // Noncompliant {{Make sure that using this pseudorandom number generator is safe here.}}
+    counter += r.nextInt();
+  }
+}

java-checks-test-sources/default/src/main/java/checks/PseudoRandomCheckWildcardImportSample.java

@@ -0,0 +1,22 @@
+package checks;
+
+import java.security.*;
+import java.util.Random;
+
+// SONARJAVA-6440 Part 1: wildcard import `java.security.*` -> all PRNG calls flagged.
+// ExpressionsHelper.concatenate returns "java.security.*", which still starts with the
+// "java.security." prefix, so the file-level crypto-import check fires.
+class PseudoRandomCheckWildcardImportSample {
+
+  static final KeyPair PROVIDER_KEYPAIR = null; // forces the wildcard import to be retained
+
+  void noKeywordsInScope() {
+    int counter = 0;
+    Random r = new Random(); // Noncompliant {{Make sure that using this pseudorandom number generator is safe here.}}
+    counter += r.nextInt();
+  }
+
+  double anotherNeutralMethod() {
+    return Math.random(); // Noncompliant
+  }
+}