Add CamBenchREAL secure usages #3

CamBench_Real/usages/EvoSuite_evosuite/35.yaml

@@ -0,0 +1,15 @@
+name: 35 - Secure Usage Permission
+api: java.security.Permission
+api_call: INVOKEVIRTUAL(java.security.Permission{ java.lang.String getActions() })
+description: Secure method call and usage of *Permission*.
+crypto-usage:
+    violation: false
+    FUM: No_constraint
+    location:
+        file: evosuite/runtime/src/main/java/org/evosuite/runtime/sandbox/MSecurityManager.java
+        method: private boolean checkIfEvoSuiteRMI(Permission perm)
+        line: "746"
+        root:
+            file: ""
+            method: ""
+            line: ""

CamBench_Real/usages/ant-media_Ant-Media-Server/44.yaml

@@ -0,0 +1,15 @@
+name: 44 - Secure Security Usage
+api: java.security.Security
+api_call: INVOKESTATIC(java.security.Security{ java.security.Provider[] getProviders() })
+description: Secure call of *getProviders*. While a provider may be insecure, the call to get all is the correct appraoch to retrieve all available providers.
+crypto-usage:
+    violation: false
+    FUM: No_constraint
+    location:
+        file: Ant-Media-Server/src/main/java/org/red5/server/net/rtmps/RTMPSMinaIoHandler.java
+        method: '-'
+        line: "118"
+        root:
+            file: ""
+            method: ""
+            line: ""

CamBench_Real/usages/ant-media_Ant-Media-Server/62.yaml

@@ -0,0 +1,15 @@
+name: 62 - Secure DHPublicKey Usage
+api: javax.crypto.interfaces.DHPublicKey
+api_call: INVOKEINTERFACE(javax.crypto.interfaces.DHPublicKey{ java.math.BigInteger getY() })
+description: Secure call of *getY()*. Y is part of the ephemeral key Y, y, and result in a DH public key. While the key may be too small, this characteristic is not reflected in this call sequence.
+crypto-usage:
+    violation: false
+    FUM: No_constraint
+    location:
+        file: Ant-Media-Server/src/main/java/org/red5/server/net/rtmp/RTMPHandshake.java
+        method: protected byte[] getPublicKey(KeyPair keyPair)
+        line: "270"
+        root:
+            file: ""
+            method: ""
+            line: ""

CamBench_Real/usages/apache_pdfbox/64.yaml

@@ -0,0 +1,15 @@
+name: 64 - Secure Generation of AES-192 Key
+api: javax.crypto.KeyGenerator
+api_call: INVOKEVIRTUAL(javax.crypto.KeyGenerator{ javax.crypto.SecretKey generateKey() })
+description: Secure generation of AES-192 key for the call sequence. Note, that not all providers support a AES-192 key size [more details](https://docs.oracle.com/en/java/javase/17/docs/api/java.base/javax/crypto/KeyGenerator.html)
+crypto-usage:
+    violation: false
+    FUM: Argument_State
+    location:
+        file: pdfbox/pdfbox/src/main/java/org/apache/pdfbox/pdmodel/encryption/PublicKeySecurityHandler.java
+        method: public void prepareDocumentForEncryption(PDDocument doc) throws IOException
+        line: "356"
+        root:
+            file: ""
+            method: ""
+            line: ""

CamBench_Real/usages/apache_struts/43.yaml

@@ -0,0 +1,15 @@
+name: 43 - Secure Usage of Secure Random
+api: java.security.SecureRandom
+api_call: INVOKESPECIAL(java.security.SecureRandom{ void <init>() })
+description: Secure initialization of a *SecureRandom* object.
+crypto-usage:
+    violation: false
+    FUM: No_constraint
+    location:
+        file: struts/core/src/main/java/org/apache/struts2/interceptor/csp/DefaultCspSettings.java
+        method: public class DefaultCspSettings implements CspSettings
+        line: "40"
+        root:
+            file: ""
+            method: ""
+            line: ""

CamBench_Real/usages/belaban_JGroups/103.yaml

@@ -0,0 +1,15 @@
+name: 103 - Secure Usage of X509EncodedKeySpec
+api: java.security.spec.X509EncodedKeySpec
+api_call: INVOKESPECIAL(java.security.spec.X509EncodedKeySpec{ void <init>(byte[]) })
+description: Secure Usage of *X509EncodedKeySpec* that get public information of a key.
+crypto-usage:
+    violation: false
+    FUM: Argument_State
+    location:
+        file: JGroups/src/org/jgroups/protocols/ASYM_ENCRYPT.java
+        method: protected PublicKey makePublicKey(byte[] encodedKey)
+        line: "636"
+        root:
+            file: ""
+            method: ""
+            line: ""

CamBench_Real/usages/belaban_JGroups/135.yaml

@@ -0,0 +1,15 @@
+name: '135 - Invocation isEqual of MessageDigest' 
+api: java.security.MessageDigest
+api_call: INVOKESTATIC(java.security.MessageDigest{ boolean isEqual(byte[]|byte[]) })
+description: "Secure call of method *isEqual* to compare information from an input stream with a pascode digest."
+crypto-usage:
+    violation: false
+    FUM: Argument_State
+    location:
+        file: JGroups/src/org/jgroups/stack/DiagnosticsHandler.java
+        method: 'protected int authorizeProbeRequest(DatagramPacket packet) throws Exception'
+        line: "332"
+        root:
+            file: ""
+            method: ""
+            line: ""

CamBench_Real/usages/dbeaver_dbeaver/36.yaml

@@ -0,0 +1,15 @@
+name: 36 - Secure Usage of Permissions
+api: java.security.Permissions
+api_call: INVOKESPECIAL(java.security.Permissions{ void <init>() })
+description: Secure instantiation of *Permissions*.
+crypto-usage:
+    violation: false
+    FUM: No_constraint
+    location:
+        file: dbeaver/plugins/org.jkiss.dbeaver.model/src/org/jkiss/dbeaver/utils/SecurityManagerUtils.java
+        method: public static AccessControlContext controlContextOf(List<Permission> permissions)
+        line: "72"
+        root:
+            file: ""
+            method: ""
+            line: ""

CamBench_Real/usages/dnsjava_dnsjava/19.yaml

@@ -0,0 +1,15 @@
+name: 19 - Secure Usage of DSAParams
+api: java.security.interfaces.DSAParams
+api_call: INVOKEINTERFACE(java.security.interfaces.DSAParams{ java.math.BigInteger getP() })
+description: Secure call sequence of *DSAParams*.
+crypto-usage:
+    violation: false
+    FUM: No_constraint
+    location:
+        file: dnsjava/src/main/java/org/xbill/DNS/DNSSEC.java
+        method: private static byte[] fromDSAPublicKey(DSAPublicKey key)
+        line: "670"
+        root:
+            file: ""
+            method: ""
+            line: ""

CamBench_Real/usages/dnsjava_dnsjava/26.yaml

@@ -0,0 +1,15 @@
+name: 26 - Secure Usage of RSAPublicKey
+api: java.security.interfaces.RSAPublicKey
+api_call: INVOKEINTERFACE(java.security.interfaces.RSAPublicKey{ java.math.BigInteger getModulus() })
+description: The call sequence to retrieve a RSA public key is secure.
+crypto-usage:
+    violation: false
+    FUM: No_constraint
+    location:
+        file: dnsjava/src/main/java/org/xbill/DNS/dnssec/NSEC3ValUtils.java
+        method: private boolean validIterations(SRRset nsec, KeyCache keyCache)
+        line: "336"
+        root:
+            file: ""
+            method: ""
+            line: ""

CamBench_Real/usages/dnsjava_dnsjava/47.yaml

@@ -0,0 +1,15 @@
+name: 47 - Secure Usage of ECParameterSpec
+api: java.security.spec.ECParameterSpec
+api_call: INVOKEVIRTUAL(java.security.spec.ECParameterSpec{ java.security.spec.EllipticCurve getCurve() })
+description: The call on *ECParameterSpec* is secure and only retrieves the *EllipticCurve* based on a public key.
+crypto-usage:
+    violation: false
+    FUM: No_constraint
+    location:
+        file: dnsjava/src/main/java/org/xbill/DNS/dnssec/NSEC3ValUtils.java
+        method: private boolean validIterations(SRRset nsec, KeyCache keyCache)
+        line: "347"
+        root:
+            file: ""
+            method: ""
+            line: ""

CamBench_Real/usages/dnsjava_dnsjava/51.yaml

@@ -0,0 +1,15 @@
+name: 51 - Secure Usage of elliptic curves
+api: java.security.spec.EllipticCurve
+api_call: INVOKEVIRTUAL(java.security.spec.EllipticCurve{ java.security.spec.ECField getField() })
+description: The call sequence on *EllipticCurve* is secure and retrieves the fields based on a public key.
+crypto-usage:
+    violation: false
+    FUM: No_constraint
+    location:
+        file: dnsjava/src/main/java/org/xbill/DNS/dnssec/NSEC3ValUtils.java
+        method: private boolean validIterations(SRRset nsec, KeyCache keyCache)
+        line: "348"
+        root:
+            file: ""
+            method: ""
+            line: ""

CamBench_Real/usages/dnsjava_dnsjava/96.yaml

@@ -0,0 +1,15 @@
+name: 96 - Secure Usage of PublicKey
+api: java.security.PublicKey
+api_call: INVOKEINTERFACE(java.security.PublicKey{ java.lang.String getFormat() })
+description: Compares the format of a *PublicKey* against a hard-coded string.
+crypto-usage:
+    violation: false
+    FUM: No_constraint
+    location:
+        file: dnsjava/src/main/java/org/xbill/DNS/DNSSEC.java
+        method: static byte[] fromPublicKey(PublicKey key, int alg) throws DNSSECException
+        line: "749"
+        root:
+            file: ""
+            method: ""
+            line: ""

CamBench_Real/usages/dnsjava_dnsjava/97.yaml

@@ -0,0 +1,15 @@
+name: 97 - Secure Usage of ECPoint
+api: java.security.spec.ECPoint
+api_call: INVOKEVIRTUAL(java.security.spec.ECPoint{ java.math.BigInteger getAffineY() })
+description: Creates a public *ECPoint* for a passed key. Sharing a secure public point should not cause a security risk.
+crypto-usage:
+    violation: false
+    FUM: No_constraint
+    location:
+        file: dnsjava/src/main/java/org/xbill/DNS/DNSSEC.java
+        method: private static byte[] fromECGOSTPublicKey(ECPublicKey key, ECKeyInfo keyinfo)
+        line: "688"
+        root:
+            file: ""
+            method: ""
+            line: ""

CamBench_Real/usages/eclipse-vertx_vert.x/100.yaml

@@ -0,0 +1,15 @@
+name: 100 - Create RSAPrivateCrtKeySpec from DER
+api: java.security.spec.RSAPrivateCrtKeySpec
+api_call: INVOKESPECIAL(java.security.spec.RSAPrivateCrtKeySpec{ void <init>(java.math.BigInteger|java.math.BigInteger|java.math.BigInteger|java.math.BigInteger|java.math.BigInteger|java.math.BigInteger|java.math.BigInteger|java.math.BigInteger) })
+description: Initialization of *RSAPrivateCrtKeySpec* based on key bytes in der-format.
+crypto-usage:
+    violation: false
+    FUM: High-Level_Constraints
+    location:
+        file: vert.x/src/main/java/io/vertx/core/net/impl/pkcs1/PrivateKeyParser.java
+        method: public static RSAPrivateCrtKeySpec getRSAKeySpec(byte[] keyBytes) throws VertxException
+        line: "232"
+        root:
+            file: ""
+            method: ""
+            line: ""

CamBench_Real/usages/igniterealtime_Openfire/113.yaml

@@ -0,0 +1,15 @@
+name: '113 - Secure Usage of CollectionCertStoreParameters'
+api: java.security.cert.CollectionCertStoreParameters
+api_call: INVOKESPECIAL(java.security.cert.CollectionCertStoreParameters{ void <init>(java.util.Collection) })
+description: "Secure initialization and usage of *CollectionCertStoreParameters*."
+crypto-usage:
+    violation: false
+    FUM: No_constraint
+    location:
+        file: Openfire/xmppserver/src/main/java/org/jivesoftware/openfire/net/ClientTrustManager.java
+        method: public ClientTrustManager(KeyStore trustTrust)
+        line: "103"
+        root:
+            file: ""
+            method: ""
+            line: ""

CamBench_Real/usages/igniterealtime_Openfire/114.yaml

@@ -0,0 +1,15 @@
+name: '114 - Secure Call to Retrieve TrustAnchors'
+api: java.security.cert.PKIXParameters
+api_call: INVOKEVIRTUAL(java.security.cert.PKIXParameters{ java.util.Set getTrustAnchors() })
+description: "Retrieve trust anchors from PKIXParameters."
+crypto-usage:
+    violation: false
+    FUM: No_constraint
+    location:
+        file: Openfire/xmppserver/src/main/java/org/jivesoftware/openfire/net/OCSPChecker.java
+        method: public void check(Certificate cert, Collection<String> unresolvedCritExts) throws CertPathValidatorException
+        line: "153"
+        root:
+            file: ""
+            method: ""
+            line: ""

CamBench_Real/usages/igniterealtime_Openfire/14.yaml

@@ -0,0 +1,15 @@
+name: 14 - Secure X509CertSelector Usage
+api: java.security.cert.X509CertSelector
+api_call: INVOKEVIRTUAL(java.security.cert.X509CertSelector{ void setCertificate(java.security.cert.X509Certificate) })
+description: Secure usage of the *X509CertSelector*.
+crypto-usage:
+    violation: false
+    FUM: Argument_Type
+    location:
+        file: Openfire/xmppserver/src/main/java/org/jivesoftware/openfire/keystore/TrustStore.java
+        method: public X509Certificate getEndEntityCertificate( Certificate chain[] )
+        line: "165"
+        root:
+            file: ""
+            method: ""
+            line: ""

CamBench_Real/usages/igniterealtime_Openfire/31.yaml

@@ -0,0 +1,15 @@
+name: 31 - Secure Usage of KeyStore
+api: java.security.KeyStore
+api_call: INVOKEVIRTUAL(java.security.KeyStore{ java.security.cert.Certificate getCertificate(java.lang.String) })
+description: Secure call sequence of *KeyStore* that gets a certificate.
+crypto-usage:
+    violation: false
+    FUM: Argument_State/String_Format
+    location:
+        file: 'Openfire/xmppserver/src/main/java/org/jivesoftware/openfire/keystore/TrustStore.java '
+        method: public X509Certificate getEndEntityCertificate( Certificate chain[] )
+        line: "155"
+        root:
+            file: ""
+            method: ""
+            line: ""

CamBench_Real/usages/igniterealtime_Openfire/7.yaml

@@ -0,0 +1,15 @@
+name: 7 - Secure Usage of CertPathValidator
+api: java.security.cert.CertPathValidator
+api_call: INVOKESTATIC(java.security.cert.CertPathValidator{ java.security.cert.CertPathValidator getInstance(java.lang.String) })
+description: Secure instantiation of *CertPathValidator*.
+crypto-usage:
+    violation: false
+    FUM: Argument_State/String_Format
+    location:
+        file: Openfire/xmppserver/src/main/java/org/jivesoftware/openfire/net/ClientTrustManager.java
+        method: public void checkClientTrusted(X509Certificate[] x509Certificates, String string) throws CertificateException
+        line: "270"
+        root:
+            file: ""
+            method: ""
+            line: ""

CamBench_Real/usages/igniterealtime_Openfire/77.yaml

@@ -0,0 +1,15 @@
+name: 77 - Secure Usage of CertStore
+api: java.security.cert.CertStore
+api_call: INVOKESTATIC(java.security.cert.CertStore{ java.security.cert.CertStore getInstance(java.lang.String|java.security.cert.CertStoreParameters) })
+description: Secure constructor call of *CertStore* for a collection, the only supported on every Java plattform.
+crypto-usage:
+    violation: false
+    FUM: Argument_State
+    location:
+        file: Openfire/xmppserver/src/main/java/org/jivesoftware/openfire/keystore/TrustStore.java
+        method: public X509Certificate getEndEntityCertificate( Certificate chain[] )
+        line: "163"
+        root:
+            file: ""
+            method: ""
+            line: ""

CamBench_Real/usages/igniterealtime_Openfire/80.yaml

@@ -0,0 +1,15 @@
+name: 80 - Get TrustAnchor
+api: java.security.cert.TrustAnchor
+api_call: INVOKEVIRTUAL(java.security.cert.TrustAnchor{ java.security.cert.X509Certificate getTrustedCert() })
+description: Only retrieve a *TrustAnchor*. Retrieving the *TrustAnchor* should not cause a vulnerability.
+crypto-usage:
+    violation: false
+    FUM: No_constraint
+    location:
+        file: Openfire/xmppserver/src/main/java/org/jivesoftware/openfire/net/ClientTrustManager.java
+        method: public void checkClientTrusted(X509Certificate[] x509Certificates, String string) throws CertificateException
+        line: "290"
+        root:
+            file: ""
+            method: ""
+            line: ""

CamBench_Real/usages/igniterealtime_Openfire/94.yaml

@@ -0,0 +1,15 @@
+name: 94 - Secure ProtectionDomain
+api: java.security.ProtectionDomain
+api_call: INVOKEVIRTUAL(java.security.ProtectionDomain{ java.security.CodeSource getCodeSource() })
+description: Call to get a *ProtectionDomain* and retrieve further information such as the location. Thus, we consider the usage as secure.
+crypto-usage:
+    violation: false
+    FUM: No_constraint
+    location:
+        file: Openfire/xmppserver/src/main/java/org/jivesoftware/openfire/auth/NativeAuthProvider.java
+        method: public class NativeAuthProvider implements AuthProvider {
+        line: "86"
+        root:
+            file: ""
+            method: ""
+            line: ""

CamBench_Real/usages/jchambers_pushy/22.yaml

@@ -0,0 +1,15 @@
+name: 22 - Secure Usage of ECPrivateKey
+api: java.security.interfaces.ECPrivateKey
+api_call: INVOKEINTERFACE(java.security.interfaces.ECPrivateKey{ byte[] getEncoded() })
+description: Secure method invocation on *ECPrivateKey* object to retrieve the encoding of a key.
+crypto-usage:
+    violation: false
+    FUM: No_constraint
+    location:
+        file: pushy/pushy/src/main/java/com/eatthepath/pushy/apns/auth/ApnsSigningKey.java
+        method: public byte[] getEncoded()
+        line: "84"
+        root:
+            file: ""
+            method: ""
+            line: ""

CamBench_Real/usages/jchambers_pushy/23.yaml

@@ -0,0 +1,15 @@
+name: 23 - Secure Usage of ECPublicKey
+api: java.security.interfaces.ECPublicKey
+api_call: INVOKEINTERFACE(java.security.interfaces.ECPublicKey{ java.lang.String getFormat() })
+description: Secure method invocation on *ECPublicKey* object to retrieve the format of a key.
+crypto-usage:
+    violation: false
+    FUM: No_constraint
+    location:
+        file: pushy/pushy/src/main/java/com/eatthepath/pushy/apns/auth/ApnsVerificationKey.java
+        method: public String getFormat()
+        line: "86"
+        root:
+            file: ""
+            method: ""
+            line: ""