SONARJAVA-4895: Find secure IV byte array factories before detecting S3329 violations

anton-haubner-sonarsource · anton-haubner-sonarsource · commit 92a9f13050f5 · 2025-10-22T14:09:07.000+02:00
diff --git a/java-checks/src/main/java/org/sonar/java/checks/security/CipherBlockChainingCheck.java b/java-checks/src/main/java/org/sonar/java/checks/security/CipherBlockChainingCheck.java
@@ -16,7 +16,9 @@
  */
 package org.sonar.java.checks.security;
 
+import java.util.ArrayList;
 import java.util.HashSet;
+import java.util.List;
 import java.util.Objects;
 import java.util.Set;
 import java.util.stream.Stream;
@@ -72,6 +74,38 @@ public class CipherBlockChainingCheck extends AbstractMethodDetection {
     .withAnyParameters()
     .build();
 
+  private @Nullable Tree outermostClass = null;
+
+  @Override
+  public List<Tree.Kind> nodesToVisit() {
+    var baseNodesToVisit = super.nodesToVisit();
+    var nodesToVisit = new ArrayList<Tree.Kind>(baseNodesToVisit.size() + 1);
+    nodesToVisit.addAll(baseNodesToVisit);
+    nodesToVisit.add(Tree.Kind.CLASS);
+
+    return nodesToVisit;
+  }
+
+  @Override
+  public void visitNode(Tree tree) {
+    if (outermostClass == null && tree.is(Tree.Kind.CLASS)) {
+      // We only need run SecureByteArrayFactoryFinder once on the outermost class to find all secure IV byte array factory methods.
+      // If we apply the finder again to nested classes then we explore the same sub-trees multiple times.
+      outermostClass = tree;
+      tree.accept(secureByteArrayFactoryFinder);
+    }
+
+    super.visitNode(tree);
+  }
+
+  @Override
+  public void leaveNode(Tree tree) {
+    if (tree == outermostClass) {
+      secureByteArrayFactoryFinder.clear();
+    }
+    super.leaveNode(tree);
+  }
+
   @Override
   protected MethodMatchers getMethodInvocationMatchers() {
     return MethodMatchers.create().ofTypes("javax.crypto.spec.IvParameterSpec").constructor()
