SONARJAVA-4895: Factor out logic for detecting dynamically generated byte arrays into separate class

anton-haubner-sonarsource · anton-haubner-sonarsource · commit 2b8782e7535f · 2025-10-22T13:58:55.000+02:00
This will allow us to extend the logic in follow up commits so that
user-defined safe factory methods are taken into account.
diff --git a/java-checks/src/main/java/org/sonar/java/checks/security/CipherBlockChainingCheck.java b/java-checks/src/main/java/org/sonar/java/checks/security/CipherBlockChainingCheck.java
@@ -38,6 +38,7 @@
 
 @Rule(key = "S3329")
 public class CipherBlockChainingCheck extends AbstractMethodDetection {
+  private final SecureByteArrayGeneratorDetector secureByteArrayGeneratorDetector = new SecureByteArrayGeneratorDetector();
 
   private static final MethodMatchers SECURE_RANDOM_GENERATE_SEED = MethodMatchers.create()
     .ofTypes("java.security.SecureRandom")
@@ -54,7 +55,7 @@ protected MethodMatchers getMethodInvocationMatchers() {
 
   @Override
   protected void onConstructorFound(NewClassTree newClassTree) {
-    if (newClassTree.arguments().isEmpty() || isDynamicallyGenerated(newClassTree.arguments().get(0))) {
+    if (newClassTree.arguments().isEmpty() || secureByteArrayGeneratorDetector.isDynamicallyGenerated(newClassTree.arguments().get(0))) {
       return;
     }
 
@@ -72,45 +73,6 @@ protected void onConstructorFound(NewClassTree newClassTree) {
     }
   }
 
-  private static boolean isDynamicallyGenerated(ExpressionTree tree) {
-    if (tree instanceof IdentifierTree identifierTree) {
-      Symbol symbol = identifierTree.symbol();
-      if (symbol.isParameter()) {
-        return true;
-      }
-    }
-
-    return findConstructingMethods(tree)
-      .anyMatch(SECURE_RANDOM_GENERATE_SEED::matches);
-  }
-
-  private static Stream<MethodInvocationTree> findConstructingMethods(ExpressionTree expressionTree) {
-    if (expressionTree instanceof MethodInvocationTree methodInvocationTree) {
-      return Stream.of(methodInvocationTree);
-    }
-
-    if (!(expressionTree instanceof IdentifierTree identifierTree) || !(identifierTree.symbol() instanceof Symbol.VariableSymbol variableSymbol)) {
-      return Stream.empty();
-    }
-
-    var declaration = variableSymbol.declaration();
-    if (declaration == null) {
-      return Stream.empty();
-    }
-
-    var initializerStream = Stream.<MethodInvocationTree>of();
-    if (declaration.initializer() instanceof MethodInvocationTree methodInvocationTree) {
-      initializerStream = Stream.of(methodInvocationTree);
-    }
-
-    var reassignments = getReassignments(declaration, variableSymbol.usages())
-      .stream()
-      .map(assignmentExpressionTree -> assignmentExpressionTree.expression() instanceof MethodInvocationTree methodInvocationTree ? methodInvocationTree : null)
-      .filter(Objects::nonNull);
-
-    return Stream.concat(initializerStream, reassignments);
-  }
-
   private static class SecureInitializationFinder extends BaseTreeVisitor {
 
     private boolean hasBeenSecurelyInitialized = false;
@@ -241,4 +203,45 @@ private static Symbol ivSymbol(NewClassTree newClassTree) {
       return Symbol.UNKNOWN_SYMBOL;
     }
   }
+
+  private static class SecureByteArrayGeneratorDetector {
+    public boolean isDynamicallyGenerated(ExpressionTree tree) {
+      if (tree instanceof IdentifierTree identifierTree) {
+        Symbol symbol = identifierTree.symbol();
+        if (symbol.isParameter()) {
+          return true;
+        }
+      }
+
+      return findConstructingMethods(tree)
+        .anyMatch(SECURE_RANDOM_GENERATE_SEED::matches);
+    }
+
+    private static Stream<MethodInvocationTree> findConstructingMethods(ExpressionTree expressionTree) {
+      if (expressionTree instanceof MethodInvocationTree methodInvocationTree) {
+        return Stream.of(methodInvocationTree);
+      }
+
+      if (!(expressionTree instanceof IdentifierTree identifierTree) || !(identifierTree.symbol() instanceof Symbol.VariableSymbol variableSymbol)) {
+        return Stream.empty();
+      }
+
+      var declaration = variableSymbol.declaration();
+      if (declaration == null) {
+        return Stream.empty();
+      }
+
+      var initializerStream = Stream.<MethodInvocationTree>of();
+      if (declaration.initializer() instanceof MethodInvocationTree methodInvocationTree) {
+        initializerStream = Stream.of(methodInvocationTree);
+      }
+
+      var reassignments = getReassignments(declaration, variableSymbol.usages())
+        .stream()
+        .map(assignmentExpressionTree -> assignmentExpressionTree.expression() instanceof MethodInvocationTree methodInvocationTree ? methodInvocationTree : null)
+        .filter(Objects::nonNull);
+
+      return Stream.concat(initializerStream, reassignments);
+    }
+  }
 }
