Description
Hi!
I recently did a test with CodeQL on a new Kotlin project, and I included CWE-1204 to get a detection.
I copied the example from documentation and test case. I then used IntelliJ IDEA to convert it from Java to Kotlin.
```kotlin
import javax.crypto.Cipher
import javax.crypto.spec.GCMParameterSpec
import javax.crypto.spec.SecretKeySpec

@Throws(Exception::class)
fun encryptWithZeroStaticIvByteArray(key: ByteArray?, plaintext: ByteArray?): ByteArray {
    val iv = ByteArray(16) // $Source -- all-zero, static IV
    val ivSpec = GCMParameterSpec(128, iv)
    val keySpec = SecretKeySpec(key, "AES")
    val cipher = Cipher.getInstance("AES/GCM/PKCS5PADDING")
    cipher.init(Cipher.ENCRYPT_MODE, keySpec, ivSpec) // $Alert -- static IV reaches Cipher.init
    cipher.update(plaintext)
    return cipher.doFinal()
}
```
I got no detections and assumed it was an issue with the Actions setup. After debugging, I decided to test CWE-117, which I've heard works on Kotlin. After I ran the CI/CD setup, it was detected.
I was recommended to try out the example from CWE-1204 in a new Java project. After running the CI/CD setup, it was detected.
I spent some time trying to figure out why, decompiling the code and looking at logs. I then looked at the SARIF file, and I found the following rule:
```json
"ruleId": "java/telemetry/unsupported-external-api",
"value": 4,
"message": { "text": "kotlin.ByteArray#ByteArray(int)" }
```
Questions:
- Is there a known list of which queries have been tested and work with Kotlin?
- Or a list of queries that are not working with Kotlin?
- Is there anything I can do while waiting for queries to be fully compatible with Kotlin?