10: Create SecureRandomPlugin

src/main/java/com/bartek/esa/core/di/PluginModule.java

@@ -1,10 +1,7 @@
 package com.bartek.esa.core.di;
 
 import com.bartek.esa.core.archetype.Plugin;
-import com.bartek.esa.core.plugin.AllowBackupPlugin;
-import com.bartek.esa.core.plugin.DebuggablePlugin;
-import com.bartek.esa.core.plugin.LoggingPlugin;
-import com.bartek.esa.core.plugin.PermissionsRaceConditionPlugin;
+import com.bartek.esa.core.plugin.*;
 import com.bartek.esa.core.xml.XmlHelper;
 import com.bartek.esa.file.matcher.GlobMatcher;
 import dagger.Module;
@@ -47,4 +44,10 @@ public class PluginModule {
     public Plugin permissionRaceConditionPlugin(GlobMatcher globMatcher, XmlHelper xmlHelper) {
         return new PermissionsRaceConditionPlugin(globMatcher, xmlHelper);
     }
+
+    @Provides
+    @IntoSet
+    public Plugin secureRandomPlugin(GlobMatcher globMatcher, XmlHelper xmlHelper) {
+        return new SecureRandomPlugin(globMatcher, xmlHelper);
+    }
 }

src/main/java/com/bartek/esa/core/plugin/SecureRandomPlugin.java

@@ -0,0 +1,38 @@
+package com.bartek.esa.core.plugin;
+
+import com.bartek.esa.core.archetype.JavaPlugin;
+import com.bartek.esa.core.model.enumeration.Severity;
+import com.bartek.esa.core.xml.XmlHelper;
+import com.bartek.esa.file.matcher.GlobMatcher;
+import com.github.javaparser.ast.CompilationUnit;
+import com.github.javaparser.ast.NodeList;
+import com.github.javaparser.ast.expr.Expression;
+import com.github.javaparser.ast.expr.ObjectCreationExpr;
+import com.github.javaparser.ast.visitor.VoidVisitorAdapter;
+
+import javax.inject.Inject;
+
+public class SecureRandomPlugin extends JavaPlugin {
+
+    @Inject
+    public SecureRandomPlugin(GlobMatcher globMatcher, XmlHelper xmlHelper) {
+        super(globMatcher, xmlHelper);
+    }
+
+    @Override
+    public void run(CompilationUnit compilationUnit) {
+        compilationUnit.accept(new VoidVisitorAdapter<Void>() {
+            @Override
+            public void visit(ObjectCreationExpr objectCreation, Void arg) {
+                String identifier = objectCreation.getType().getName().getIdentifier();
+                NodeList<Expression> arguments = objectCreation.getArguments();
+
+                if(identifier.equals("SecureRandom") && arguments.isNonEmpty()) {
+                    addIssue(Severity.VULNERABILITY, getLineNumberFromExpression(objectCreation), objectCreation.toString());
+                }
+
+                super.visit(objectCreation, arg);
+            }
+        }, null);
+    }
+}

src/main/resources/description.properties

@@ -46,3 +46,7 @@ com.bartek.esa.core.plugin.PermissionsRaceConditionPlugin=Potential permissions
   There are declared custom permissions in AndroidManifest.xml and the minimal API version is set to less than 21.\n\
   It means that declared permissions can be obtained by malicious application installed before and without need of having 1proper signature.\n\
   Consider setting minimal API version to 21 at least.
+
+com.bartek.esa.core.plugin.SecureRandomPlugin=Initializing SecureRandom object with custom seed. \n\
+  Specifying custom seed for SecureRandom can produce predictable sequence of numbers. \n\
+  Please create SecureRandom object without any arguments instead.