Missing support for integrity check

Description

If a protocol does not include an integrity check (a message authentication code or an authenticated encryption mode; a plain checksum such as a CRC is not enough, because an attacker who modifies the data can simply recompute it), the receiver has no way to tell whether the transmitted data was altered in transit. An attacker positioned between the endpoints (Man-in-the-Middle) can modify, truncate or replay messages without being detected. Encryption alone does not provide this property: with unauthenticated modes such as AES/CBC or AES/CTR, flipping bits in the ciphertext flips the corresponding bits in the decrypted plaintext, and decryption still "succeeds".

Remediations

  • Do use an authenticated encryption scheme (an AEAD mode such as AES-GCM) so that any modification of the ciphertext, or of the associated data, is detected when the message is decrypted. Note that GCM is a stream-style mode and takes no padding: the transformation string is "AES/GCM/NoPadding" (the JDK's SunJCE provider rejects other padding names for GCM with a NoSuchPaddingException).
    Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
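The following is an added example, not code from the Bearer rule or its documentation, showing the remediation above end to end: AES-GCM encryption with a random 96-bit IV and a 128-bit tag, an authenticated-but-unencrypted header passed as additional authenticated data (AAD), and the AEADBadTagException the JCE raises when either the ciphertext or the header has been modified. The class name, the header format and the sample message are assumptions made for the demonstration.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

// Hypothetical demo class, not part of Bearer or of any project the rule scans.
public class AesGcmIntegrityDemo {
    private static final int IV_BYTES = 12;   // 96-bit nonce, the size NIST SP 800-38D recommends
    private static final int TAG_BITS = 128;  // full-length authentication tag
    private static final SecureRandom RNG = new SecureRandom();

    /** Returns iv || ciphertext || tag. The header (AAD) is authenticated but sent in the clear. */
    static byte[] encrypt(SecretKey key, byte[] header, byte[] plaintext) throws Exception {
        byte[] iv = new byte[IV_BYTES];
        RNG.nextBytes(iv);                    // an IV must never be reused under the same key
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        c.updateAAD(header);                  // AAD goes in after init and before the data
        byte[] ctAndTag = c.doFinal(plaintext); // the JCE appends the 16-byte tag to the ciphertext
        byte[] out = new byte[IV_BYTES + ctAndTag.length];
        System.arraycopy(iv, 0, out, 0, IV_BYTES);
        System.arraycopy(ctAndTag, 0, out, IV_BYTES, ctAndTag.length);
        return out;
    }

    /** Throws AEADBadTagException if the ciphertext, the tag or the header was altered. */
    static byte[] decrypt(SecretKey key, byte[] header, byte[] blob) throws Exception {
        byte[] iv = Arrays.copyOfRange(blob, 0, IV_BYTES);
        byte[] ctAndTag = Arrays.copyOfRange(blob, IV_BYTES, blob.length);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        c.updateAAD(header);
        return c.doFinal(ctAndTag);           // tag is verified here, before any plaintext is returned
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey key = kg.generateKey();     // in real code the key comes from a key store, never a literal

        // Constructed sample message: a cleartext routing header plus a confidential body.
        byte[] header = "msg-id=42;from=alice".getBytes(StandardCharsets.UTF_8);
        byte[] body = "transfer 10 EUR to bob".getBytes(StandardCharsets.UTF_8);
        byte[] blob = encrypt(key, header, body);

        System.out.println("ok: " + new String(decrypt(key, header, blob), StandardCharsets.UTF_8));

        // A MITM flips one bit of the ciphertext. With AES/CBC this would silently change the
        // plaintext; with GCM the tag check fails and no plaintext is released.
        byte[] tampered = blob.clone();
        tampered[IV_BYTES] ^= 0x01;
        try {
            decrypt(key, header, tampered);
        } catch (AEADBadTagException e) {
            System.out.println("ciphertext tampering detected: " + e.getMessage());
        }

        // The attacker leaves the ciphertext alone but rewrites the cleartext header.
        byte[] forgedHeader = "msg-id=42;from=mallory".getBytes(StandardCharsets.UTF_8);
        try {
            decrypt(key, forgedHeader, blob);
        } catch (AEADBadTagException e) {
            System.out.println("header tampering detected: " + e.getMessage());
        }
    }
}
```

Two practical points the snippet relies on: the AAD must be supplied to the receiving Cipher exactly as it was to the sender (any byte difference fails the tag check, which is the point), and IV uniqueness per key is a hard requirement for GCM, so with random IVs rotate the key well before 2^32 messages. Treat an AEADBadTagException as an attack signal: log it and drop the message, but do not return partial plaintext.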

References

Associated CWE

OWASP Top 10

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=java_lang_missing_integrity_check

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=java_lang_missing_integrity_check