Website build build-and-publish-website/master-69
diff --git a/documentation/codeanalysis/index.html b/documentation/codeanalysis/index.html
index 4800cb9..f7976ef 100644
--- a/documentation/codeanalysis/index.html
+++ b/documentation/codeanalysis/index.html
@@ -10,11 +10,11 @@
<title>Static Code Analysis | CogniCrypt</title>
<meta property="og:title" content="Static Code Analysis | CogniCrypt" />
<meta name="twitter:title" content="Static Code Analysis | CogniCrypt" />
-<meta name="description" content="CogniCrypt’s static analysis automatically runs on the code within Eclipse. The static analysis is based on CrySL rules that specify the correct use of an application programming interface (API). CrySL is a domain-specific language that allows to specify usage patterns of APIs. The static analysis reports any deviations from the usage pattern defined within the rules.
+<meta name="description" content="CogniCrypt’s static analysis CogniCryptSAST automatically runs on the code within Eclipse. The static analysis is based on CrySL rules that specify the correct use of an application programming interface (API). CrySL is a domain-specific language that allows to specify usage patterns of APIs. The static analysis reports any deviations from the usage pattern defined within the rules.
While the CrySL rules are adjustable, a user of CogniCrypt is not expected to change the rules of CogniCrypt.">
-<meta property="og:description" content="CogniCrypt’s static analysis automatically runs on the code within Eclipse. The static analysis is based on CrySL rules that specify the correct use of an application programming interface (API). CrySL is a domain-specific language that allows to specify usage patterns of APIs. The static analysis reports any deviations from the usage pattern defined within the rules.
+<meta property="og:description" content="CogniCrypt’s static analysis CogniCryptSAST automatically runs on the code within Eclipse. The static analysis is based on CrySL rules that specify the correct use of an application programming interface (API). CrySL is a domain-specific language that allows to specify usage patterns of APIs. The static analysis reports any deviations from the usage pattern defined within the rules.
While the CrySL rules are adjustable, a user of CogniCrypt is not expected to change the rules of CogniCrypt.">
-<meta name="twitter:description" content="CogniCrypt’s static analysis automatically runs on the code within Eclipse. The static analysis is based on CrySL rules that specify the correct use of an application programming interface …">
+<meta name="twitter:description" content="CogniCrypt’s static analysis CogniCryptSAST automatically runs on the code within Eclipse. The static analysis is based on CrySL rules that specify the correct use of an application programming …">
<meta name="author" content="Eclipse Foundation"/>
<link href='https://www.eclipse.org/cognicrypt/favicon.ico' rel='icon' type='image/x-icon'/>
<meta name="twitter:card" content="summary" />
@@ -233,7 +233,7 @@
<div class="col-md-10">
-<p>CogniCrypt’s static analysis automatically runs on the code within Eclipse. The static analysis is based on <code>CrySL rules</code> that specify the <em>correct</em> use of an application programming interface (API). <code>CrySL</code> is a domain-specific language that allows to specify usage patterns of APIs. The static analysis reports any deviations from the usage pattern defined within the rules.</p>
+<p>CogniCrypt’s static analysis CogniCrypt<sub>SAST</sub> automatically runs on the code within Eclipse. The static analysis is based on <code>CrySL rules</code> that specify the <em>correct</em> use of an application programming interface (API). <code>CrySL</code> is a domain-specific language that allows to specify usage patterns of APIs. The static analysis reports any deviations from the usage pattern defined within the rules.</p>
<p>While the <code>CrySL</code> rules are adjustable, a user of CogniCrypt is not expected to change the rules of CogniCrypt.</p>
diff --git a/documentation/codegen/images/Locator.png b/documentation/codegen/images/Locator.png
new file mode 100644
index 0000000..902adb1
--- /dev/null
+++ b/documentation/codegen/images/Locator.png
Binary files differ
diff --git a/documentation/codegen/images/Responses.png b/documentation/codegen/images/Responses.png
new file mode 100644
index 0000000..277dd9a
--- /dev/null
+++ b/documentation/codegen/images/Responses.png
Binary files differ
diff --git a/documentation/codegen/images/TaskSelection.png b/documentation/codegen/images/TaskSelection.png
new file mode 100644
index 0000000..1d83136
--- /dev/null
+++ b/documentation/codegen/images/TaskSelection.png
Binary files differ
diff --git a/documentation/codegen/index.html b/documentation/codegen/index.html
index 013b543..5f6db1d 100644
--- a/documentation/codegen/index.html
+++ b/documentation/codegen/index.html
@@ -10,10 +10,8 @@
<title>Code Generation | CogniCrypt</title>
<meta property="og:title" content="Code Generation | CogniCrypt" />
<meta name="twitter:title" content="Code Generation | CogniCrypt" />
-<meta name="description" content="* { margin: 0; padding: 0; } .imgbox { display: grid; height: 100%; } .center-fit { max-width: 100%; max-height: 100vh; margin: auto; } This tutorial page describes how one would use CogniCrypt’s code-generation feature. For a more technical description of how the code generation works in the background, please refer to Tool Paper on CogniCrypt published at ASE 2017.
-Launching the Code Generator CogniCrypt’s code generator can most easily be triggered by clicking the CogniCrypt button in the Eclipse tool bar.">
-<meta property="og:description" content="* { margin: 0; padding: 0; } .imgbox { display: grid; height: 100%; } .center-fit { max-width: 100%; max-height: 100vh; margin: auto; } This tutorial page describes how one would use CogniCrypt’s code-generation feature. For a more technical description of how the code generation works in the background, please refer to Tool Paper on CogniCrypt published at ASE 2017.
-Launching the Code Generator CogniCrypt’s code generator can most easily be triggered by clicking the CogniCrypt button in the Eclipse tool bar.">
+<meta name="description" content="* { margin: 0; padding: 0; } .imgbox { display: grid; height: 100%; } .center-fit { max-width: 100%; max-height: 100vh; margin: auto; } This tutorial page describes how one would use CogniCrypt’s code-generation feature CogniCryptGEN. For a more technical description of how the code generation works in the background, please refer to the accompanying research paper published at CGO 2020 or tool Paper on CogniCrypt published at ASE 2017.">
+<meta property="og:description" content="* { margin: 0; padding: 0; } .imgbox { display: grid; height: 100%; } .center-fit { max-width: 100%; max-height: 100vh; margin: auto; } This tutorial page describes how one would use CogniCrypt’s code-generation feature CogniCryptGEN. For a more technical description of how the code generation works in the background, please refer to the accompanying research paper published at CGO 2020 or tool Paper on CogniCrypt published at ASE 2017.">
<meta name="twitter:description" content="* { margin: 0; padding: 0; } .imgbox { display: grid; height: 100%; } .center-fit { max-width: 100%; max-height: 100vh; margin: auto; } This tutorial page describes how one would use …">
<meta name="author" content="Eclipse Foundation"/>
<link href='https://www.eclipse.org/cognicrypt/favicon.ico' rel='icon' type='image/x-icon'/>
@@ -249,11 +247,11 @@
}
</style>
-<p>This tutorial page describes how one would use CogniCrypt’s code-generation feature. For a more technical description of how the code generation works in the background, please refer to <a href="http://bodden.de/pubs/knr+17cognicrypt.pdf">Tool Paper on CogniCrypt</a> published at ASE 2017.</p>
+<p>This tutorial page describes how one would use CogniCrypt’s code-generation feature CogniCrypt<sub>GEN</sub>. For a more technical description of how the code generation works in the background, please refer to the accompanying <a href="https://karimali.ca/resources/papers/ccgen.pdf">research paper</a> published at CGO 2020 or <a href="http://bodden.de/pubs/knr+17cognicrypt.pdf">tool Paper on CogniCrypt</a> published at ASE 2017.</p>
-<h1 id="launching-the-code-generator">Launching the Code Generator</h1>
+<h1 id="launching-the-cognicrypt-sub-gen-sub">Launching the CogniCrypt<sub>GEN</sub></h1>
-<p>CogniCrypt’s code generator can most easily be triggered by clicking the CogniCrypt button in the Eclipse tool bar. In this case, CogniCrypt applies a number of heuristics to determine which project the code should be generated into. First and foremost, if a Java file is opened in the editor when the button is being clicked, CogniCrypt selects its project for code generation. Another way of triggering the code generator is through opening the context menu on the respective project and select the entry “Launch CogniCrypt” as displayed in the screenshot below.
+<p>CogniCrypt<sub>GEN</sub> can most easily be triggered by clicking the CogniCrypt<sub>GEN</sub> button in the Eclipse tool bar. Another way of triggering the code generator is through opening the context menu on the respective project and select the entry “Launch CogniCrypt” as displayed in the screenshot below.
<div class="imgbox">
<img class="center-fit" src='https://raw.githubusercontent.com/CROSSINGTUD/CogniCrypt/master/documentation/Images%20for%20Tutorial/02Context.png' alt="CogniCrypt Context Menu">
</div></p>
@@ -262,65 +260,42 @@
<p>When CogniCrypt launches, the following window pops up:
<div class="imgbox">
- <img class="center-fit" src='https://raw.githubusercontent.com/CROSSINGTUD/CogniCrypt/master/documentation/Images%20for%20Tutorial/03MainMenu.png' alt="CogniCrypt Main Menu">
+ <img class="center-fit" src='./images/TaskSelection.png' alt="CogniCrypt Main Menu">
</div></p>
-<p>Here, the user first has to select in the upper dropdown menu which project it wants CogniCrypt to generate the code into. The dropdown menu is populated with all Java projects in the workspace. If CogniCrypt was launched by means of the context menu, it auto-selects the respective project. Otherwise, CogniCrypt runs the heuristics sketched above. The second dropdown menu allows the user to select a cryptographic programming task. Currently, seven tasks are supported. The text box, below the second dropdown, shows a brief description of the task that is selected from the dropdown. Once the user has selected both a project and a task they can continue.</p>
+<p>Here, the user has to select a cryptographic programming task by means of the icon buttons in the column on the left. Currently, five tasks are supported. The text box on the right shows a brief description of the task that is selecte. Once the user has selected a task they can continue.</p>
<h1 id="configuring-a-solution">Configuring a Solution</h1>
-<p>For each task, CogniCrypt asks the user a number of questions. These questions help CogniCrypt configure the solution it provides the user with in the end. For the task “Encrypt Data Using a Secret Key”(hereafter referred to as Encryption Task), CogniCrypt needs the user to answer the questions shown in the following screenshots:</p>
+<p>For each task, CogniCrypt asks the user a number of questions. These questions help CogniCrypt configure the solution it provides the user with in the end. For the task “Encrypt Data”(hereafter referred to as Encryption Task), CogniCrypt needs the user to answer the questions shown in the following screenshots:</p>
<div class="imgbox">
- <img class="center-fit" src='https://raw.githubusercontent.com/CROSSINGTUD/CogniCrypt/master/documentation/Images%20for%20Tutorial/04Questions.png' alt="Questions for Encryption Task">
+ <img class="center-fit" src='./images/Responses.png' alt="Questions for Encryption Task">
</div>
-<div class="imgbox">
- <img class="center-fit" src='https://raw.githubusercontent.com/CROSSINGTUD/CogniCrypt/master/documentation/Images%20for%20Tutorial/04Questions1.png' alt="Questions for Encryption Task">
-</div>
+<p>The first question relates to the key-transfer method the answer to which determines if CogniCrypt<sub>GEN</sub> generates code for hybrid or a password-based symmetric encryption. Question 2 allows the user to specify an input type for the encryption. The default data type are byte arrays. Should the user pick any other type, the generated code takes care of the type conversion for the user.</p>
-<p>The first question relates to the required security level as stronger security often impedes the performance of a given solution. Question 2 allows for an easier key generation by giving the user of the generated solution the opportunity to provide a password from which the key is derived. If ‘no’ is selected, CogniCrypt generates code that employs the regular key generation mechanism of the JCA. If ‘yes’ is selected, then handling the key should be taken care of by the user himself. The consequence of selecting an answer is specified in the form of “Note”, below the question. The third question, which appears in the next page, asks if the user has to encrypt large data regularly. The final question allows CogniCrypt’s user to specify an input type for the encryption. The default data type are byte arrays. Should the user pick any other type, the generated code takes care of the type conversion for the user.</p>
+<h1 id="selecting-a-location">Selecting a Location</h1>
-<h1 id="selecting-a-solution">Selecting a Solution</h1>
-
-<p>When the user has answered all questions, CogniCrypt configures a number of solutions for them. But, the most secure solution is provided to the user as a default solution, as shown in the screenshot below. The preview of the code that will be newly generated is also shown in the same page. If the user has a Java file open, then the code gets generated into the same file. So, the preview also shows the newly generated method inside the user’s Java file. If a file is not open then the preview of the new class, that gets created, is shown in the preview. If the user wants to view more algorithm combinations matching his requirements, then the check box below the code preview should be checked and the user can click “Next”. If not, the user can click “Finish” to generate the code in his Java project.</p>
+<p>When the user has answered all questions, CogniCrypt<sub>GEN</sub> shows one final window. In this window, the user has to select a location for where the CogniCrypt<sub>GEN</sub> should generate code. The window is depicted in the screenshot below.</p>
<div class="imgbox">
- <img class="center-fit" src='https://raw.githubusercontent.com/CROSSINGTUD/CogniCrypt/master/documentation/Images%20for%20Tutorial/05ConfigurationSelection.png' alt="Final Screen for Solution Selection">
-</div>
-
-<p>If the user chooses to view other solutions, then a page, as shown in the screenshot below, appears on clicking “Next”. These algorithm combinations and their variations are ordered by security in descending order, but they are all secure and also fulfill the constraints the user has specified through their answers on the previous page(s). Thus, the user may pick any of the proposed solutions by selecting it in the dropdown menu. CogniCrypt auto-selects the most secure solution (the one which is shown in the previous page) by default. When the user has chosen an algorithm combination from the dropdown, he can view its variations(if any) with the help of “<” and “>” buttons. The properties of the chosen variation is shown in the “Instance Details” panel. They can select a variation of the algorithm combination and hit “Finish”, which prompts CogniCrypt to generate the solution under the chosen configuration into the user’s project.</p>
-
-<div class="imgbox">
- <img class="center-fit" src='https://raw.githubusercontent.com/CROSSINGTUD/CogniCrypt/master/documentation/Images%20for%20Tutorial/05ConfigurationSelection-Alternatives.png' alt="Final Screen for Solution Selection">
-</div>
-
-<p>Additionally, the user can also view the preview of the code for the selected solution, by clicking the button in the same page. This opens a new dialog,as in below screenshot, which presents a comparison between the user’s file, before and after the code generation. If no file is open in the users end, then a comparison between an empty file and the newly created class file is shown. The dialog shows the code comparison in the same way as that of the “Compare Editor”
-of eclipse.</p>
-
-<div class="imgbox">
- <img class="center-fit" src='https://raw.githubusercontent.com/CROSSINGTUD/CogniCrypt/master/documentation/Images%20for%20Tutorial/05ConfigurationSelection-CodeComparison.png' alt="Final Screen for Solution Selection">
-</div>
-
-<p>Further, there is also a new wizard that opens on clicking “Compare Algorithms” button. This allows the user to compare two algorithms of his choice. This wizard has two combo boxes and two corresponding panels to display the properties of the chosen algorithms. Initially, both the combo boxes have the first element selected by default. Since the elements in the combo boxes are same, their properties will also be identical. If two different algorithm combinations are selected for comparison, then the properties that differ in their values will be highlighted.</p>
-
-<div class="imgbox">
- <img class="center-fit" src='https://raw.githubusercontent.com/CROSSINGTUD/CogniCrypt/master/documentation/Images%20for%20Tutorial/05ConfigurationSelection-AlgorithmComparison.png' alt="Final Screen for Solution Selection">
+ <img class="center-fit" src='./images/Locator.png' alt="File Selection">
</div>
<h1 id="integrating-the-solution-into-the-application">Integrating the Solution into the Application</h1>
-<p>For the each task, CogniCrypt generates two code artefacts. First, there is the actual implementation. It is always generated into a package called “Crypto”. The encryption task is rather simple and merely comprises of one class as shown below. Other tasks might be more compley and require more code, though.
+<p>For the each task, CogniCrypt<sub>GEN</sub> generates two code artefacts. First, there is the actual implementation. It is always generated into a package called “de.cognicrypt.crypto”. The encryption task is rather simple and merely comprises of one class as shown below. Other tasks might be more complex and require more code, though.
<div class="imgbox">
<img class="center-fit" src='https://raw.githubusercontent.com/CROSSINGTUD/CogniCrypt/master/documentation/Images%20for%20Tutorial/07Encryption.png' alt="Actual Implementation of Encryption Task">
</div></p>
-<p>The second artefact is a glue-code method called “templateUsage” showcasing to the developer how to properly use the implementation in their application. If, at the time of launching CogniCrypt, there is a Java file open in the Eclipse Editor that also belongs to the project the user selects on CogniCrypt’s first screen, CogniCrypt generates the method into this class assuming that it is the right context for it. Is either of those two conditions not met, i.e., either no Java is opened or the file’s project does not match the selected project, CogniCrypt generates the method into a class Output, also under the “Crypto” package.
+<p>The second artefact is a glue-code method called “templateUsage()” showcasing to the developer how to properly use the implementation in their application. If the user selected a Java source file in the previous screen, CogniCrypt generates the method into this class. If not, CogniCrypt generates the method into a class Output.java, also under the “de.cognicrypt.crypto” package.
<div class="imgbox">
<img class="center-fit" src='https://raw.githubusercontent.com/CROSSINGTUD/CogniCrypt/master/documentation/Images%20for%20Tutorial/06TemplateUsage.png' alt="Sample Method showcasing usage of Wrapper Code">
</div></p>
-<p>Finally, to integrate the generated code into their application, the user may choose to simply call the “templateUsage” method or copy-paste the statements from the method they need in their code to the right place. By means of its <a href="../code-analysis">Code analysis</a>, CogniCrypt will ensure its user does not break the security during integration.</p>
+<p>Finally, to integrate the generated code into their application, the user may choose to simply call the “templateUsage()” method or copy-paste the statements from the method they need in their code to the right place. By means of its <a href="../code-analysis">CogniCrypt<sub>SAST</sub></a>, CogniCrypt will ensure its user does not break the security during integration.</p>
</div>
</div>
diff --git a/documentation/crysl/index.html b/documentation/crysl/index.html
index ee1a6f1..494baf0 100644
--- a/documentation/crysl/index.html
+++ b/documentation/crysl/index.html
@@ -10,9 +10,9 @@
<title>The CrySL Language | CogniCrypt</title>
<meta property="og:title" content="The CrySL Language | CogniCrypt" />
<meta name="twitter:title" content="The CrySL Language | CogniCrypt" />
-<meta name="description" content="Thanks to Theofilos Petsios from Amazon Web Services for providing a definition file for syntax highlighting for CrySL in VIM. You can download the definitions here. The static analysis is based on CrySL rules that specify the correct use of an application programming interface (API). CrySL is a domain-specific language that allows to specify usage patterns of APIs. The static analysis reports any deviations from the usage pattern defined within the rules.">
-<meta property="og:description" content="Thanks to Theofilos Petsios from Amazon Web Services for providing a definition file for syntax highlighting for CrySL in VIM. You can download the definitions here. The static analysis is based on CrySL rules that specify the correct use of an application programming interface (API). CrySL is a domain-specific language that allows to specify usage patterns of APIs. The static analysis reports any deviations from the usage pattern defined within the rules.">
-<meta name="twitter:description" content="Thanks to Theofilos Petsios from Amazon Web Services for providing a definition file for syntax highlighting for CrySL in VIM. You can download the definitions here. The static analysis is based on …">
+<meta name="description" content="Thanks to Theofilos Petsios from Amazon Web Services for providing a definition file for syntax highlighting for CrySL in VIM. You can download the definitions here. Both CogniCryptGEN and CogniCryptSAST are based on CrySL rules that specify the correct use of an application programming interface (API). CrySL is a domain-specific language that allows to specify usage patterns of APIs. CogniCryptGEN generates code using the rules, CogniCryptSAST in turn reports any deviations from the usage pattern defined within the rules.">
+<meta property="og:description" content="Thanks to Theofilos Petsios from Amazon Web Services for providing a definition file for syntax highlighting for CrySL in VIM. You can download the definitions here. Both CogniCryptGEN and CogniCryptSAST are based on CrySL rules that specify the correct use of an application programming interface (API). CrySL is a domain-specific language that allows to specify usage patterns of APIs. CogniCryptGEN generates code using the rules, CogniCryptSAST in turn reports any deviations from the usage pattern defined within the rules.">
+<meta name="twitter:description" content="Thanks to Theofilos Petsios from Amazon Web Services for providing a definition file for syntax highlighting for CrySL in VIM. You can download the definitions here. Both CogniCryptGEN and …">
<meta name="author" content="Eclipse Foundation"/>
<link href='https://www.eclipse.org/cognicrypt/favicon.ico' rel='icon' type='image/x-icon'/>
<meta name="twitter:card" content="summary" />
@@ -237,11 +237,11 @@
</div>
-<p>The <a href="/cognicrypt/documentation/codeanalysis">static analysis</a> is based on <em>CrySL rules</em> that specify the <em>correct</em> use of an application programming interface (API). <em>CrySL</em> is a domain-specific language that allows to specify usage patterns of APIs. The static analysis reports any deviations from the usage pattern defined within the rules.</p>
+<p>Both <a href="/cognicrypt/documentation/codegen">CogniCrypt<sub>GEN</sub></a> and <a href="/cognicrypt/documentation/codeanalysis">CogniCrypt<sub>SAST</sub></a> are based on <em>CrySL rules</em> that specify the <em>correct</em> use of an application programming interface (API). <em>CrySL</em> is a domain-specific language that allows to specify usage patterns of APIs. CogniCrypt<sub>GEN</sub> generates code using the rules, CogniCrypt<sub>SAST</sub> in turn reports any deviations from the usage pattern defined within the rules.</p>
<h2 id="syntax-of-the-domain-specific-language-crysl">Syntax of the Domain-Specific Language CrySL</h2>
-<p>CogniCrypt’s error markers are generated based on violations of <em>rules</em>. Rules in CogniCrypt are written in <em>CrySL</em>. <em>CrySL</em> is a domain-specific language for the specification of correct cryptograhy API uses in Java. The Eclipse plugin CogniCrypt ships with an XText editor that supports the <em>CrySL</em> syntax. <em>CrySL</em> generally encodes a white-list approach and specifies how to <em>correctly</em> use crypto APIs. We discuss some of the most important concepts of the rule language here, the <a href="http://drops.dagstuhl.de/opus/volltexte/2018/9215/pdf/LIPIcs-ECOOP-2018-10.pdf">research paper</a> provides more detailed insides on the language. CogniCrypt ships with a default rule set for the <a href="https://docs.oracle.com/javase/8/docs/technotes/guides/security/crypto/CryptoSpec.html">Java Cryptographic Architecture (JCA)</a>. At the bottom of this page, you may find a description of this rule set.</p>
+<p>Rules in CogniCrypt are written in <em>CrySL</em>. <em>CrySL</em> is a domain-specific language for the specification of correct cryptography API uses in Java. The Eclipse plugin CogniCrypt ships with an XText editor that supports the <em>CrySL</em> syntax. <em>CrySL</em> generally encodes a white-list approach and specifies how to <em>correctly</em> use crypto APIs. We discuss some of the most important concepts of the rule language here, the <a href="http://drops.dagstuhl.de/opus/volltexte/2018/9215/pdf/LIPIcs-ECOOP-2018-10.pdf">research paper</a> provides more detailed insights on the language. CogniCrypt ships with a default rule set for the <a href="https://docs.oracle.com/en/java/javase/14/security/java-cryptography-architecture-jca-reference-guide.html">Java Cryptographic Architecture (JCA)</a>. At the bottom of this page, you may find a description of this rule set. On top of this rule set, rule sets for <a href="https://www.bouncycastle.org/documentation.html">BouncyCastle</a>, both for its lightweight API as well as JCA provider, and <a href="https://github.com/google/tink">Google Tink</a> are available for download from within the CogniCrypt preferences. Custom rules may also be added.</p>
<p>Each <em>CrySL</em> rule is a specification of a single Java class. A short example of a <em>CrySL</em> rule for <code>javax.crypto.Cipher</code> is shown below.</p>
@@ -259,8 +259,8 @@
Get, Init, (doFinal)+
CONSTRAINTS
encmode in {1,2,3,4};
- part(0, "/", trans) in {"AES", "Blowfish", "DESede", ..., "RSA"};
- part(0, "/", trans) in {"AES"} => part(1, "/", trans) in {"CBC"};
+ alg(trans) in {"AES", ..., "RSA"};
+ alg(trans) in {"AES"} => mode(trans) in {"CBC"};
REQUIRES
generatedKey[key, part(0, "/", trans)];
ENSURES
@@ -273,7 +273,7 @@
<h3 id="the-constraints-section">The CONSTRAINTS section</h3>
-<p>The <code>Cipher</code> rule lists <code>encmode in {1,2,3,4};</code> within its <code>CONSTRAINTS</code> block. The value <code>encmode</code> that is passed to method <code>init(encmode, cert)</code> is restricted to be one of the four integers. In other terms, whenever the function <code>init</code> is called, the value passed in as first parameter must be in the respective set. The constraint <code>part(0, "/", trans) in {"AES", "Blowfish", "DESede", ..., "RSA"}</code> refers to the fact that at the call to <code>Cipher.getInstance(trans)</code> the <code>String trans</code> must be correctly formed. The function <code>part(0, "/", trans)</code> splits the <code>String</code> at the character <code>"/"</code> and returns the first part. Hence the constraint restricts the first part prior of any <code>"/"</code> to be either <code>"AES"</code> or <code>"RSA"</code>. The third constraint (<code>part(0, "/", trans) in {"AES"} => part(1, "/", trans) in {"CBC"};</code>) is a conditional constraint: If the first part of <code>trans</code> is <code>"AES"</code>, then the second part of <code>trans</code> must be <code>"CBC"</code>. For example, this conditional rule warns a developer writing <code>Cipher.getInstance("AES/ECB/PKCS5Padding")</code> instead of <code>Cipher.getInstance("AES/CBC/PKCS5Padding")</code>.</p>
+<p>The <code>Cipher</code> rule lists <code>encmode in {1,2,3,4};</code> within its <code>CONSTRAINTS</code> block. The value <code>encmode</code> that is passed to method <code>init(encmode, cert)</code> is restricted to be one of the four integers. In other terms, whenever the function <code>init</code> is called, the value passed in as first parameter must be in the respective set. The constraint <code>alg(trans) in {"AES", ..., "RSA"}</code> refers to the fact that at the call to <code>Cipher.getInstance(trans)</code> the <code>String trans</code> must be correctly formed. Hence the constraint restricts the algorithm to be either <code>"AES"</code> or <code>"RSA"</code> through the <code>alg</code> function. The third constraint (<code>alg(trans) in {"AES"} => mode(trans) in {"CBC"};</code>) is a conditional constraint: If the algorithm of <code>trans</code> is <code>"AES"</code>, then the mode of <code>trans</code> must be <code>"CBC"</code>. For example, this conditional rule warns a developer writing <code>Cipher.getInstance("AES/ECB/PKCS5Padding")</code> instead of <code>Cipher.getInstance("AES/CBC/PKCS5Padding")</code>.</p>
<h3 id="the-order-section">The ORDER section</h3>
@@ -308,11 +308,11 @@
<p>Above is an excerpt of the rule for <code>SecretKeySpec</code>. The predicate <code>generatedKey</code> is listed within the <code>ENSURES</code> block of this rule. The static analysis labels any object of type <code>SecretKeySpec</code> by <code>generatedKey</code> when the analysis finds the object to be used correctly (with respect to its <em>CrySL</em> rule).</p>
-<h2 id="addition-or-modification-of-crysl-rules">Addition or Modification of CrySL Rules</h2>
+<h2 id="on-the-fly-addition-or-modification-of-crysl-rules">On-the-fly Addition or Modification of CrySL Rules</h2>
-<p>All <em>CrySL</em> rules currently used by CogniCrypt are present in the repository named <a href="https://github.com/CROSSINGTUD/Crypto-API-Rules">Crypto-API-Rules</a>. As of June 2019, it contains three project, one each for the APIs of Java Cryptography Architecture, Google Tink, and BouncyCastle through its lightweight API. You need to clone the corresponding project and import it as a maven project into Eclipse where you have already installed CogniCrypt and the <em>CrySL</em> plugins. These plugins let you update the <em>CrySL</em> rules on the fly. You can edit them or even add new rules. CogniCrypt automatically parses these rules and takes them into account in any future analyses.</p>
+<p>All <em>CrySL</em> rules currently used by CogniCrypt are present in the repository named <a href="https://github.com/CROSSINGTUD/Crypto-API-Rules">Crypto-API-Rules</a>. As of April 2020, it contains rules for the four APIs mentioned above. You need to clone the corresponding project and import it as a Maven project into Eclipse where you have already installed CogniCrypt and the <em>CrySL</em> plugins. These plugins let you update the <em>CrySL</em> rules on the fly. You can edit them or even add new rules. CogniCrypt automatically parses these rules and may take them into account in any future analyses and code generations. You need to enable this feature in the CogniCrypt preferences first, though.</p>
-<p>The below tutorial describes how to modify <em>CrySL</em> rules on the fly. The first screenshot shows an example code which uses <code>KeyGenerator</code> that is created with correct algorithm, namely “AES”, and later initialized with a proper keySize i.e. 128. Hence the plugin doesn’t show any error markers.</p>
+<p>The below tutorial describes how to modify <em>CrySL</em> rules on the fly. The first screenshot shows an example code which uses <code>KeyGenerator</code> that is created with correct algorithm, namely “AES”, and later initialized with a proper keySize i.e. 128. Hence, the plugin doesn’t show any error markers.</p>
<div class="imgbox">
<img class="center-fit" src='./images/correctcode.png' alt="An example code without any misuse">
@@ -373,10 +373,6 @@
Randomness is vital in all aspects of cryptography. Java offers cryptographically secure pseudo-random number generators through <code>SecureRandom</code>. As discussed for <code>PBEKeySpec</code>, <code>SecureRandom</code> often acts as a helper and therefore many rules list the <code>randomized</code> predicate in their own <code>REQUIRES</code> section.</li>
</ul>
-<h2 id="cryptographic-service-providers">Cryptographic Service Providers</h2>
-
-<p>The JCA is employing a provider architecture. This means that the implementation of the above cryptographic services are supplied by various providers. Apart from the default providers that come bundled with JDK, there also custom providers not provided by Oracle. Any program can get implementations either from one of installed providers or from a specific provider by referring to its name. Hence <em>CrySL</em> rules are being developed for third party providers like Bouncy Castle in order to extend the capabilities of Cognicrypt.</p>
-
<h2 id="crysl-rules-for-the-bouncy-castle">CrySL Rules for the Bouncy Castle</h2>
<p>The below rule set covers the specifications of most classes in the <a href="https://github.com/bcgit/bc-java/tree/master/core/src/main/java/org/bouncycastle/crypto">Bouncy Castle (BC)</a>. In the following, we describe all the services with their respective classes and briefly summarize important usage constraints. All mentioned classes are defined in the lightweight crypto packages <code>org.bouncycastle.crypto.*</code> of the BC.</p>
