feat(java): add Google Tink AEAD detection rules

csharp/src/main/java/com/ibm/plugin/rules/detection/CSharpDetectionRules.java

@@ -27,6 +27,7 @@
 import com.ibm.plugin.rules.detection.dotnet.DotNetECDiffieHellman;
 import com.ibm.plugin.rules.detection.dotnet.DotNetECDsa;
 import com.ibm.plugin.rules.detection.dotnet.DotNetHMAC;
+import com.ibm.plugin.rules.detection.dotnet.DotNetMLKem;
 import com.ibm.plugin.rules.detection.dotnet.DotNetRC2;
 import com.ibm.plugin.rules.detection.dotnet.DotNetRSA;
 import com.ibm.plugin.rules.detection.dotnet.DotNetRfc2898DeriveBytes;
@@ -56,7 +57,8 @@ public static List<IDetectionRule<CSharpTree>> rules() {
                         DotNetDSA.rules().stream(),
                         DotNetSHA.rules().stream(),
                         DotNetHMAC.rules().stream(),
-                        DotNetRfc2898DeriveBytes.rules().stream())
+                        DotNetRfc2898DeriveBytes.rules().stream(),
+                        DotNetMLKem.rules().stream())
                 .flatMap(i -> i)
                 .toList();
     }

csharp/src/main/java/com/ibm/plugin/rules/detection/dotnet/DotNetMLKem.java

@@ -0,0 +1,72 @@
+/*
+ * Sonar Cryptography Plugin
+ * Copyright (C) 2024 PQCA
+ *
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to you under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.ibm.plugin.rules.detection.dotnet;
+
+import com.ibm.engine.detection.MethodMatcher;
+import com.ibm.engine.language.csharp.tree.CSharpTree;
+import com.ibm.engine.model.context.KeyContext;
+import com.ibm.engine.model.factory.ValueActionFactory;
+import com.ibm.engine.rule.IDetectionRule;
+import com.ibm.engine.rule.builder.DetectionRuleBuilder;
+import java.util.List;
+import java.util.Map;
+import javax.annotation.Nonnull;
+
+/**
+ * Detection rules for ML-KEM (FIPS 203) in .NET 9+.
+ *
+ * <p>Detects key generation for all three parameter sets:
+ *
+ * <ul>
+ *   <li>{@code MLKem512.GenerateKey()}
+ *   <li>{@code MLKem768.GenerateKey()}
+ *   <li>{@code MLKem1024.GenerateKey()}
+ * </ul>
+ */
+@SuppressWarnings("java:S1192")
+public final class DotNetMLKem {
+
+    private DotNetMLKem() {
+        // nothing
+    }
+
+    private static IDetectionRule<CSharpTree> mlKemRule(String className, String value) {
+        return new DetectionRuleBuilder<CSharpTree>()
+                .createDetectionRule()
+                .forObjectTypes(className)
+                .forMethods("GenerateKey")
+                .shouldBeDetectedAs(new ValueActionFactory<>(value))
+                .withMethodParameter(MethodMatcher.ANY)
+                .buildForContext(new KeyContext(Map.of("kind", "MLKEM")))
+                .inBundle(() -> "DotNet")
+                .withoutDependingDetectionRules();
+    }
+
+    private static final IDetectionRule<CSharpTree> MLKEM_512 = mlKemRule("MLKem", "MLKEM512");
+
+    private static final IDetectionRule<CSharpTree> MLKEM_768 = mlKemRule("MLKem", "MLKEM768");
+
+    private static final IDetectionRule<CSharpTree> MLKEM_1024 = mlKemRule("MLKem", "MLKEM1024");
+
+    @Nonnull
+    public static List<IDetectionRule<CSharpTree>> rules() {
+        return List.of(MLKEM_512, MLKEM_768, MLKEM_1024);
+    }
+}

csharp/src/main/java/com/ibm/plugin/translation/translator/contexts/CSharpKeyContextTranslator.java

@@ -32,6 +32,7 @@
 import com.ibm.mapper.model.algorithms.DSA;
 import com.ibm.mapper.model.algorithms.ECDH;
 import com.ibm.mapper.model.algorithms.ECDSA;
+import com.ibm.mapper.model.algorithms.MLKEM;
 import com.ibm.mapper.model.algorithms.PBKDF2;
 import com.ibm.mapper.model.algorithms.RSA;
 import com.ibm.mapper.utils.DetectionLocation;
@@ -57,6 +58,7 @@ public final class CSharpKeyContextTranslator implements IContextTranslation<CSh
                 case "ECDH" -> Optional.of(new ECDH(detectionLocation));
                 case "DSA" -> Optional.of(new DSA(detectionLocation));
                 case "KDF" -> Optional.of(new PBKDF2(detectionLocation));
+                case "MLKEM" -> Optional.of(new MLKEM(detectionLocation));
                 default -> Optional.empty();
             };
         } else if (value instanceof KeySize<?> keySize) {

csharp/src/test/files/rules/detection/dotnet/DotNetMLKemTestFile.cs

@@ -0,0 +1,19 @@
+using System.Security.Cryptography;
+
+public class DotNetMLKemTest
+{
+    public void TestMLKem512()
+    {
+        var key = MLKem.GenerateKey(MLKemAlgorithm.MLKem512); // Noncompliant
+    }
+
+    public void TestMLKem768()
+    {
+        var key = MLKem.GenerateKey(MLKemAlgorithm.MLKem768); // Noncompliant
+    }
+
+    public void TestMLKem1024()
+    {
+        var key = MLKem.GenerateKey(MLKemAlgorithm.MLKem1024); // Noncompliant
+    }
+}

csharp/src/test/java/com/ibm/plugin/rules/detection/dotnet/DotNetMLKemTest.java

@@ -0,0 +1,72 @@
+/*
+ * Sonar Cryptography Plugin
+ * Copyright (C) 2024 PQCA
+ *
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to you under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.ibm.plugin.rules.detection.dotnet;
+
+import static org.assertj.core.api.Assertions.assertThat;
+
+import com.ibm.engine.detection.DetectionStore;
+import com.ibm.engine.language.csharp.CSharpCheck;
+import com.ibm.engine.language.csharp.CSharpScanContext;
+import com.ibm.engine.language.csharp.CSharpSymbol;
+import com.ibm.engine.language.csharp.tree.CSharpTree;
+import com.ibm.engine.model.IValue;
+import com.ibm.engine.model.ValueAction;
+import com.ibm.engine.model.context.KeyContext;
+import com.ibm.mapper.model.INode;
+import com.ibm.mapper.model.KeyEncapsulationMechanism;
+import com.ibm.plugin.CSharpVerifier;
+import com.ibm.plugin.TestBase;
+import java.util.List;
+import javax.annotation.Nonnull;
+import org.junit.jupiter.api.Test;
+
+class DotNetMLKemTest extends TestBase {
+
+    @Test
+    void test() throws Exception {
+        CSharpVerifier.verify("rules/detection/dotnet/DotNetMLKemTestFile.cs", this);
+    }
+
+    @Override
+    public void asserts(
+            int findingId,
+            @Nonnull
+                    DetectionStore<CSharpCheck, CSharpTree, CSharpSymbol, CSharpScanContext>
+                            detectionStore,
+            @Nonnull List<INode> nodes) {
+
+        /*
+         * Detection Store
+         */
+        assertThat(detectionStore.getDetectionValues()).hasSize(1);
+        assertThat(detectionStore.getDetectionValueContext()).isInstanceOf(KeyContext.class);
+        IValue<CSharpTree> value = detectionStore.getDetectionValues().get(0);
+        assertThat(value).isInstanceOf(ValueAction.class);
+        assertThat(value.asString()).isIn("MLKEM512", "MLKEM768", "MLKEM1024");
+
+        /*
+         * Translation
+         */
+        assertThat(nodes).hasSize(1);
+        INode node = nodes.get(0);
+        assertThat(node.getKind()).isEqualTo(KeyEncapsulationMechanism.class);
+        assertThat(node.asString()).startsWith("ML-KEM");
+    }
+}

java/pom.xml

@@ -55,6 +55,13 @@
             <version>1.83</version>
             <scope>test</scope>
         </dependency>
+        <dependency>
+            <!-- This dependency enables IDE linting in Tink test files -->
+            <groupId>com.google.crypto.tink</groupId>
+            <artifactId>tink</artifactId>
+            <version>1.21.0</version>
+            <scope>test</scope>
+        </dependency>
         <dependency>
             <groupId>com.google.guava</groupId>
             <artifactId>guava</artifactId>

java/src/main/java/com/ibm/plugin/rules/detection/JavaDetectionRules.java

@@ -23,6 +23,7 @@
 import com.ibm.plugin.rules.detection.bc.BouncyCastleDetectionRules;
 import com.ibm.plugin.rules.detection.jca.JcaDetectionRules;
 import com.ibm.plugin.rules.detection.ssl.SSLDetectionRules;
+import com.ibm.plugin.rules.detection.tink.TinkDetectionRules;
 import java.util.List;
 import java.util.stream.Stream;
 import javax.annotation.Nonnull;
@@ -38,7 +39,8 @@ public static List<IDetectionRule<Tree>> rules() {
         return Stream.of(
                         JcaDetectionRules.rules().stream(),
                         BouncyCastleDetectionRules.rules().stream(),
-                        SSLDetectionRules.rules().stream())
+                        SSLDetectionRules.rules().stream(),
+                        TinkDetectionRules.rules().stream())
                 .flatMap(i -> i)
                 .toList();
     }

java/src/main/java/com/ibm/plugin/rules/detection/tink/TinkAead.java

@@ -0,0 +1,133 @@
+/*
+ * Sonar Cryptography Plugin
+ * Copyright (C) 2024 PQCA
+ *
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to you under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.ibm.plugin.rules.detection.tink;
+
+import com.ibm.engine.detection.MethodMatcher;
+import com.ibm.engine.model.context.CipherContext;
+import com.ibm.engine.model.factory.ValueActionFactory;
+import com.ibm.engine.rule.IDetectionRule;
+import com.ibm.engine.rule.builder.DetectionRuleBuilder;
+import java.util.List;
+import javax.annotation.Nonnull;
+import org.sonar.plugins.java.api.tree.Tree;
+
+/**
+ * Detection rules for Google Tink AEAD.
+ *
+ * <p>Detects key generation and encrypt/decrypt operations:
+ *
+ * <ul>
+ *   <li>{@code KeysetHandle.generateNew(AeadKeyTemplates.AES128_GCM)}
+ *   <li>{@code KeysetHandle.generateNew(AeadKeyTemplates.AES256_GCM)}
+ *   <li>{@code KeysetHandle.generateNew(AeadKeyTemplates.AES128_CTR_HMAC_SHA256)}
+ *   <li>{@code KeysetHandle.generateNew(AeadKeyTemplates.AES256_CTR_HMAC_SHA256)}
+ *   <li>{@code aead.encrypt(plaintext, aad)}
+ *   <li>{@code aead.decrypt(ciphertext, aad)}
+ * </ul>
+ */
+@SuppressWarnings("java:S1192")
+public final class TinkAead {
+
+    private TinkAead() {
+        // nothing
+    }
+
+    // aead.encrypt(plaintext, aad)
+    private static final IDetectionRule<Tree> AEAD_ENCRYPT =
+            new DetectionRuleBuilder<Tree>()
+                    .createDetectionRule()
+                    .forObjectTypes("com.google.crypto.tink.Aead")
+                    .forMethods("encrypt")
+                    .shouldBeDetectedAs(new ValueActionFactory<>("ENCRYPT"))
+                    .withMethodParameter(MethodMatcher.ANY)
+                    .withMethodParameter(MethodMatcher.ANY)
+                    .buildForContext(new CipherContext())
+                    .inBundle(() -> "Tink")
+                    .withoutDependingDetectionRules();
+
+    // aead.decrypt(ciphertext, aad)
+    private static final IDetectionRule<Tree> AEAD_DECRYPT =
+            new DetectionRuleBuilder<Tree>()
+                    .createDetectionRule()
+                    .forObjectTypes("com.google.crypto.tink.Aead")
+                    .forMethods("decrypt")
+                    .shouldBeDetectedAs(new ValueActionFactory<>("DECRYPT"))
+                    .withMethodParameter(MethodMatcher.ANY)
+                    .withMethodParameter(MethodMatcher.ANY)
+                    .buildForContext(new CipherContext())
+                    .inBundle(() -> "Tink")
+                    .withoutDependingDetectionRules();
+
+    private static final List<IDetectionRule<Tree>> AEAD_OP_RULES =
+            List.of(AEAD_ENCRYPT, AEAD_DECRYPT);
+
+    // KeysetHandle.generateNew(AeadKeyTemplates.AES128_GCM)
+    private static final IDetectionRule<Tree> AES128_GCM =
+            new DetectionRuleBuilder<Tree>()
+                    .createDetectionRule()
+                    .forObjectTypes("com.google.crypto.tink.KeysetHandle")
+                    .forMethods("generateNew")
+                    .shouldBeDetectedAs(new ValueActionFactory<>("AES128_GCM"))
+                    .withAnyParameters()
+                    .buildForContext(new CipherContext())
+                    .inBundle(() -> "Tink")
+                    .withDependingDetectionRules(AEAD_OP_RULES);
+
+    // KeysetHandle.generateNew(AeadKeyTemplates.AES256_GCM)
+    private static final IDetectionRule<Tree> AES256_GCM =
+            new DetectionRuleBuilder<Tree>()
+                    .createDetectionRule()
+                    .forObjectTypes("com.google.crypto.tink.KeysetHandle")
+                    .forMethods("generateNew")
+                    .shouldBeDetectedAs(new ValueActionFactory<>("AES256_GCM"))
+                    .withAnyParameters()
+                    .buildForContext(new CipherContext())
+                    .inBundle(() -> "Tink")
+                    .withDependingDetectionRules(AEAD_OP_RULES);
+
+    // KeysetHandle.generateNew(AeadKeyTemplates.AES128_CTR_HMAC_SHA256)
+    private static final IDetectionRule<Tree> AES128_CTR_HMAC_SHA256 =
+            new DetectionRuleBuilder<Tree>()
+                    .createDetectionRule()
+                    .forObjectTypes("com.google.crypto.tink.KeysetHandle")
+                    .forMethods("generateNew")
+                    .shouldBeDetectedAs(new ValueActionFactory<>("AES128_CTR_HMAC_SHA256"))
+                    .withAnyParameters()
+                    .buildForContext(new CipherContext())
+                    .inBundle(() -> "Tink")
+                    .withDependingDetectionRules(AEAD_OP_RULES);
+
+    // KeysetHandle.generateNew(AeadKeyTemplates.AES256_CTR_HMAC_SHA256)
+    private static final IDetectionRule<Tree> AES256_CTR_HMAC_SHA256 =
+            new DetectionRuleBuilder<Tree>()
+                    .createDetectionRule()
+                    .forObjectTypes("com.google.crypto.tink.KeysetHandle")
+                    .forMethods("generateNew")
+                    .shouldBeDetectedAs(new ValueActionFactory<>("AES256_CTR_HMAC_SHA256"))
+                    .withAnyParameters()
+                    .buildForContext(new CipherContext())
+                    .inBundle(() -> "Tink")
+                    .withDependingDetectionRules(AEAD_OP_RULES);
+
+    @Nonnull
+    public static List<IDetectionRule<Tree>> rules() {
+        return List.of(AES128_GCM, AES256_GCM, AES128_CTR_HMAC_SHA256, AES256_CTR_HMAC_SHA256);
+    }
+}