Lower confidence for gcm-detection audit rule #3144

Merged
merged 1 commit into from
Oct 3, 2023

p4p3r
Collaborator

@p4p3r p4p3r commented Oct 3, 2023

This rule is an audit rule and reports findings that are supposed to be manually reviewed to exclude IV reuse.

@p4p3r p4p3r requested a review from a team October 3, 2023 08:56

linear bot commented Oct 3, 2023

RULES-5417 gcm-detection false positive

A customer reported a potential false positive. I'm unable to determine the validity.

The finding is here.

Here is the rule:

rules:
  - id: gcm-detection
    metadata:
      category: security
      cwe:
        - "CWE-323: Reusing a Nonce, Key Pair in Encryption"
      references:
        - https://cwe.mitre.org/data/definitions/323.html
      technology:
        - java
      owasp:
        - A02:2021 - Cryptographic Failures
      subcategory:
        - vuln
      likelihood: MEDIUM
      impact: MEDIUM
      confidence: HIGH
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Cryptographic Issues
    languages:
      - java
    message: GCM detected, please check that IV/nonce is not reused, an
      Initialization Vector (IV) is a nonce used to randomize the encryption, so
      that even if multiple messages with identical plaintext are encrypted, the
      generated corresponding ciphertexts are different. Unlike the Key, the IV
      usually does not need to be secret, rather it is important that it is
      random and unique. Certain encryption schemes the IV is exchanged in
      public as part of the ciphertext. Reusing same Initialization Vector with
      the same Key to encrypt multiple plaintext blocks allows an attacker to
      compare the ciphertexts and then, with some assumptions on the content of
      the messages, to gain important information about the data being
      encrypted.
    patterns:
      - pattern-either:
          - pattern: $METHOD.getInstance("AES/GCM/NoPadding",...);
          - pattern: new GCMParameterSpec(...);
    severity: INFO

Here is the code snippet:

AESCipher.java

@p4p3r p4p3r merged commit 5e029dd into develop Oct 3, 2023
7 of 8 checks passed
@p4p3r p4p3r deleted the claudio/rules-5417 branch October 3, 2023 11:59