mcp-server-semgrep
MCP Server for Semgrep Integration - static code analysis with AI
rules:
  - id: java-jwt-none-alg
    message: >-
      Detected use of the 'none' algorithm in a JWT token.
      The 'none' algorithm assumes the integrity of the token has already
      been verified. This would allow a malicious actor to forge a JWT token
      that will automatically be verified. Do not explicitly use the 'none'
      algorithm. Instead, use an algorithm such as 'HS256'.
    metadata:
      cwe:
        - 'CWE-327: Use of a Broken or Risky Cryptographic Algorithm'
      owasp:
        - A03:2017 - Sensitive Data Exposure
        - A02:2021 - Cryptographic Failures
      source-rule-url: https://semgrep.dev/blog/2020/hardcoded-secrets-unverified-tokens-and-other-common-jwt-mistakes/
      category: security
      technology:
        - jwt
      confidence: HIGH
      references:
        - https://owasp.org/Top10/A02_2021-Cryptographic_Failures
      subcategory:
        - vuln
      likelihood: HIGH
      impact: MEDIUM
    languages: [java]
    severity: ERROR
    pattern-either:
      - pattern: |
          $JWT.sign(com.auth0.jwt.algorithms.Algorithm.none());
      - pattern: |
          $NONE = com.auth0.jwt.algorithms.Algorithm.none();
          ...
          $JWT.sign($NONE);
      - pattern: |-
          class $CLASS {
            ...
            $TYPE $NONE = com.auth0.jwt.algorithms.Algorithm.none();
            ...
            $RETURNTYPE $FUNC (...) {
              ...
              $JWT.sign($NONE);
              ...
            }
            ...
          }
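As an added example (not part of this rule file or of the mcp-server-semgrep project), assuming java-jwt 4.x on the classpath and a constructed demo key: the two code shapes that the rule's first two patterns flag, beside the corrected HS256 form and a verifier that pins the expected algorithm so an unsigned token is rejected.

```java
import com.auth0.jwt.JWT;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.exceptions.JWTVerificationException;
import com.auth0.jwt.interfaces.DecodedJWT;
import java.nio.charset.StandardCharsets;

public class JwtNoneAlgExample {

    // Constructed demo key; in production load it from a secrets manager, never a literal.
    private static final byte[] HMAC_KEY =
            "demo-key-not-for-production-0123456789".getBytes(StandardCharsets.UTF_8);

    // Shape matched by the rule's first pattern: Algorithm.none() passed straight to sign().
    // The resulting token has an empty signature segment, so nothing binds its claims.
    static String issueUnsigned(String subject) {
        return JWT.create().withSubject(subject).sign(Algorithm.none());
    }

    // Shape matched by the rule's second pattern: none() stored in a local, then used in sign().
    static String issueUnsignedViaLocal(String subject) {
        Algorithm none = Algorithm.none();
        return JWT.create().withSubject(subject).sign(none);
    }

    // Corrected form: sign with HS256 over a server-side secret. The rule does not match this.
    static String issueSigned(String subject) {
        return JWT.create().withSubject(subject).sign(Algorithm.HMAC256(HMAC_KEY));
    }

    // Verification pins the expected algorithm. A token whose header says alg=none (or any
    // other algorithm) fails here with AlgorithmMismatchException, a JWTVerificationException.
    static DecodedJWT verify(String token) throws JWTVerificationException {
        return JWT.require(Algorithm.HMAC256(HMAC_KEY)).build().verify(token);
    }

    public static void main(String[] args) {
        String good = issueSigned("alice");
        System.out.println("signed token verified for: " + verify(good).getSubject());

        String unsigned = issueUnsigned("alice"); // the flagged shape, shown being rejected
        try {
            verify(unsigned);
            System.out.println("BUG: unsigned token accepted");
        } catch (JWTVerificationException e) {
            System.out.println("unsigned token rejected: " + e.getClass().getSimpleName());
        }
    }
}
```

Running `semgrep --config <this rule file>` over this class reports the two `sign(...)` calls in `issueUnsigned` and `issueUnsignedViaLocal` and leaves `issueSigned` clean.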