This rule aims to prevent the use of hardcoded keys or initialization vectors (IVs) in cryptographic operations. Hardcoding sensitive cryptographic material directly in the source code poses significant security risks, as it makes keys easily discoverable and vulnerable to unauthorized access.
To comply with this rule, developers should generate encryption keys and IVs dynamically at runtime using secure methods or retrieve them securely from protected storage mechanisms. For example, instead of Blob key = Blob.valueOf('0000000000000000');, a compliant approach would be Blob key = Blob.valueOf(getRandomValue()); where getRandomValue() produces a secure, random key.
Non-Compliant Code Examples
class NotCompliant {
public void notCompliant() {
Blob data = Blob.valueOf('some data');
Blob encrypted = Crypto.encrypt('AES128', '0000000000000000', 'Hardcoded IV 123', data);
}
}
class NotCompliant {
public void notCompliant() {
Blob encryptedText = Blob.valueOf('Some encrypted cipher text');
Blob IV = Blob.valueOf(generateEncryptionIV());
Blob key = Blob.valueOf('0000000000000000');
Blob encrypted = Crypto.encrypt('AES128', key, IV, data);
}
}
class NotCompliant {
public void notCompliant() {
Blob IV = Blob.valueOf(generateEncryptionIV());
Blob hardCodedKey = Blob.valueOf('0000000000000000');
Blob data = Blob.valueOf('Data to be encrypted');
Blob encrypted = Crypto.encrypt('AES128', hardCodedKey, IV, data);
}
}
class NotCompliant {
public void notCompliant() {
Blob hardCodedIV = Blob.valueOf('Hardcoded IV 123');
Blob key = Blob.valueOf(generateEncryptionKey());
Blob data = Blob.valueOf('Data to be encrypted');
Blob encrypted = Crypto.encrypt('AES128', key, hardCodedIV, data);
}
}
class NotCompliant {
public void notCompliant() {
Blob hardCodedIV = Blob.valueOf('Hardcoded IV 123');
Blob hardCodedKey = Blob.valueOf('0000000000000000');
Blob data = Blob.valueOf('Data to be encrypted');
Blob encrypted = Crypto.encrypt('AES128', hardCodedKey, hardCodedIV, data);
}
}
Compliant Code Examples
class Compliant {
public void compliantExample() {
Blob encryptedText = Blob.valueOf('foobar');
Blob IV = Blob.valueOf(generateEncryptionIV());
Blob key = Blob.valueOf(getRandomValue());
Blob encrypted = Crypto.encrypt('AES128', key, IV, data);
}
}
class NotCompliant {
public void goodCryptoEncryption() {
Blob IV = Blob.valueOf(getRandomValue());
Blob key = Blob.valueOf(getRandomValue());
Blob data = Blob.valueOf('Data to be encrypted');
Blob encrypted = Crypto.encrypt('AES128', key, IV, data);
}
}
Seamless integrations. Try Datadog Code Security
Datadog Code Security
Try this rule and analyze your code with Datadog Code Security
How to use this rule
1
2
rulesets:- apex-security # Rules to enforce Apex security.
Create a static-analysis.datadog.yml with the content above at the root of your repository
Use our free IDE Plugins or add Code Security scans to your CI pipelines