Add functional categories to Java cryptographic rules (#3157) (#3158)

* Add functional categories to Java cryptographic rules

* Add library tags to Java crypto rule functional categories

Co-authored-by: Pieter De Cremer (Semgrep) <pieter@r2c.dev>

java/lang/security/audit/crypto/des-is-deprecated.yaml

@@ -6,6 +6,8 @@ rules:
     See https://www.nist.gov/news-events/news/2005/06/nist-withdraws-outdated-data-encryption-standard
     for more information.
   metadata:
+    functional-categories:
+      - 'crypto::search::symmetric-algorithm::javax.crypto'
     cwe:
     - 'CWE-326: Inadequate Encryption Strength'
     owasp:

java/lang/security/audit/crypto/desede-is-deprecated.yaml

@@ -4,6 +4,8 @@ rules:
     Triple DES (3DES or DESede) is considered deprecated. AES is the recommended cipher.
     Upgrade to use AES.
   metadata:
+    functional-categories:
+      - 'crypto::search::symmetric-algorithm::javax.crypto'
     cwe:
     - 'CWE-326: Inadequate Encryption Strength'
     owasp:

java/lang/security/audit/crypto/ecb-cipher.yaml

@@ -1,6 +1,8 @@
 rules:
 - id: ecb-cipher
   metadata:
+    functional-categories:
+      - 'crypto::search::mode::javax.crypto'
     cwe:
     - 'CWE-327: Use of a Broken or Risky Cryptographic Algorithm'
     owasp:

java/lang/security/audit/crypto/gcm-detection.yaml

@@ -2,6 +2,8 @@ rules:
 - id: gcm-detection
   metadata:
     category: security
+    functional-categories:
+      - 'crypto::search::randomness::javax.crypto'
     cwe:
     - 'CWE-323: Reusing a Nonce, Key Pair in Encryption'
     references:

java/lang/security/audit/crypto/gcm-nonce-reuse.yaml

@@ -1,6 +1,8 @@
 rules:
 - id: gcm-nonce-reuse
   metadata:
+    functional-categories:
+      - 'crypto::search::randomness::javax.crypto'
     cwe:
     - 'CWE-323: Reusing a Nonce, Key Pair in Encryption'
     category: security

java/lang/security/audit/crypto/rsa-no-padding.yaml

@@ -1,6 +1,8 @@
 rules:
 - id: rsa-no-padding
   metadata:
+    functional-categories:
+      - 'crypto::search::mode::javax.crypto'
     cwe:
     - 'CWE-326: Inadequate Encryption Strength'
     owasp:

java/lang/security/audit/crypto/unencrypted-socket.yaml

@@ -1,6 +1,8 @@
 rules:
 - id: unencrypted-socket
   metadata:
+    functional-categories:
+      - 'net::search::crypto-config::java.net'
     cwe:
     - 'CWE-319: Cleartext Transmission of Sensitive Information'
     owasp:

java/lang/security/audit/crypto/use-of-aes-ecb.yaml

@@ -2,6 +2,8 @@ rules:
 - id: use-of-aes-ecb
   pattern: $CIPHER.getInstance("=~/AES/ECB.*/") 
   metadata:
+    functional-categories:
+      - 'crypto::search::mode::javax.crypto'
     cwe:
     - 'CWE-327: Use of a Broken or Risky Cryptographic Algorithm'
     owasp:

java/lang/security/audit/crypto/use-of-blowfish.yaml

@@ -2,6 +2,8 @@ rules:
 - id: use-of-blowfish
   pattern: $CIPHER.getInstance("Blowfish") 
   metadata:
+    functional-categories:
+      - 'crypto::search::symmetric-algorithm::javax.crypto'
     cwe:
     - 'CWE-327: Use of a Broken or Risky Cryptographic Algorithm'
     owasp:

java/lang/security/audit/crypto/use-of-default-aes.yaml

@@ -32,6 +32,8 @@ rules:
               - pattern: Cipher.getInstance("AES")
               - pattern: (Cipher $CIPHER).getInstance("AES")
     metadata:
+      functional-categories:
+        - 'crypto::search::mode::javax.crypto'
       cwe:
         - "CWE-327: Use of a Broken or Risky Cryptographic Algorithm"
       owasp:

java/lang/security/audit/crypto/use-of-md5-digest-utils.yaml

@@ -7,6 +7,8 @@ rules:
     languages: [java]
     severity: WARNING
     metadata:
+      functional-categories:
+        - 'crypto::search::hash-algorithm::org.apache.commons'
       owasp:
       - A03:2017 - Sensitive Data Exposure
       - A02:2021 - Cryptographic Failures

java/lang/security/audit/crypto/use-of-md5.yaml

@@ -7,6 +7,8 @@ rules:
   languages: [java]
   severity: WARNING
   metadata:
+    functional-categories:
+      - 'crypto::search::hash-algorithm::java.security'
     owasp:
     - A03:2017 - Sensitive Data Exposure
     - A02:2021 - Cryptographic Failures

java/lang/security/audit/crypto/use-of-rc2.yaml

@@ -2,6 +2,8 @@ rules:
 - id: use-of-rc2
   pattern: $CIPHER.getInstance("RC2") 
   metadata:
+    functional-categories:
+      - 'crypto::search::symmetric-algorithm::javax.crypto'
     cwe:
     - 'CWE-327: Use of a Broken or Risky Cryptographic Algorithm'
     owasp:

java/lang/security/audit/crypto/use-of-rc4.yaml

@@ -2,6 +2,8 @@ rules:
 - id: use-of-rc4 
   pattern: $CIPHER.getInstance("RC4") 
   metadata:
+    functional-categories:
+      - 'crypto::search::symmetric-algorithm::javax.crypto'
     cwe:
     - 'CWE-327: Use of a Broken or Risky Cryptographic Algorithm'
     owasp:

java/lang/security/audit/crypto/use-of-sha1.yaml

@@ -8,6 +8,8 @@ rules:
   languages: [java]
   severity: WARNING
   metadata:
+    functional-categories:
+      - 'crypto::search::hash-algorithm::javax.crypto'
     owasp:
     - A03:2017 - Sensitive Data Exposure
     - A02:2021 - Cryptographic Failures

java/lang/security/audit/crypto/weak-random.yaml

@@ -7,6 +7,8 @@ rules:
   languages: [java]
   severity: WARNING
   metadata:
+    functional-categories:
+      - 'crypto::search::randomness::java.security'
     owasp:
     - A02:2021 - Cryptographic Failures
     cwe:

java/lang/security/audit/crypto/weak-rsa.yaml

@@ -4,6 +4,8 @@ rules:
   languages: [java]
   severity: WARNING
   metadata:
+    functional-categories:
+      - 'crypto::search::key-length::java.security'
     cwe:
     - 'CWE-326: Inadequate Encryption Strength'
     owasp: