semgrep · 0xDC0DE · Mar 30, 2026
diff --git a/java/lang/security/audit/blowfish-insufficient-key-size.java b/java/lang/security/audit/blowfish-insufficient-key-size.java
@@ -17,6 +17,12 @@ public void safeKeySize() {
         keyGen.init(128);
     }
 
+    public void unsafeKeySize_lowercase() {
+        // ruleid: blowfish-insufficient-key-size
+        KeyGenerator keyGen = KeyGenerator.getInstance("blowfish");
+        keyGen.init(64);
+    }
+
     public void superSafeKeySize() {
         // ok: blowfish-insufficient-key-size
         KeyGenerator keyGen = KeyGenerator.getInstance("Blowfish");

diff --git a/java/lang/security/audit/blowfish-insufficient-key-size.yaml b/java/lang/security/audit/blowfish-insufficient-key-size.yaml
@@ -31,9 +31,12 @@ rules:
   - java
   patterns:
   - pattern: |
-      $KEYGEN = KeyGenerator.getInstance("Blowfish");
+      $KEYGEN = KeyGenerator.getInstance("$ALG");
       ...
       $KEYGEN.init($SIZE);
+  - metavariable-regex:
+      metavariable: $ALG
+      regex: (?i)^Blowfish$
   - metavariable-comparison:
       metavariable: $SIZE
       comparison: $SIZE < 128
diff --git a/java/lang/security/audit/cbc-padding-oracle.fixed.java b/java/lang/security/audit/cbc-padding-oracle.fixed.java
@@ -22,6 +22,13 @@ protected void danger(HttpServletRequest req, HttpServletResponse resp) throws S
         byte[] cipherText = c.doFinal(plainText);
     }
 
+    protected void danger_lowercase(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
+        // ruleid:cbc-padding-oracle
+        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
+        c.init(Cipher.ENCRYPT_MODE, k, iv);
+        byte[] cipherText = c.doFinal(plainText);
+    }
+
     protected void ok(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
         // ok:cbc-padding-oracle
         Cipher c = Cipher.getInstance("AES/GCM/NoPadding");

diff --git a/java/lang/security/audit/cbc-padding-oracle.java b/java/lang/security/audit/cbc-padding-oracle.java
@@ -22,6 +22,13 @@ protected void danger(HttpServletRequest req, HttpServletResponse resp) throws S
         byte[] cipherText = c.doFinal(plainText);
     }
 
+    protected void danger_lowercase(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
+        // ruleid:cbc-padding-oracle
+        Cipher c = Cipher.getInstance("aes/cbc/pkcs5padding");
+        c.init(Cipher.ENCRYPT_MODE, k, iv);
+        byte[] cipherText = c.doFinal(plainText);
+    }
+
     protected void ok(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
         // ok:cbc-padding-oracle
         Cipher c = Cipher.getInstance("AES/GCM/NoPadding");

diff --git a/java/lang/security/audit/cbc-padding-oracle.yaml b/java/lang/security/audit/cbc-padding-oracle.yaml
@@ -33,6 +33,6 @@ rules:
   languages:
   - java
   patterns:
-  - pattern-inside: Cipher.getInstance("=~/.*\/CBC\/PKCS5Padding/")
+  - pattern-inside: Cipher.getInstance("=~/(?i).*\/CBC\/PKCS5Padding/")
   - pattern: |
-      "=~/.*\/CBC\/PKCS5Padding/"
+      "=~/(?i).*\/CBC\/PKCS5Padding/"
diff --git a/java/lang/security/audit/crypto/des-is-deprecated.fixed.java b/java/lang/security/audit/crypto/des-is-deprecated.fixed.java
@@ -29,6 +29,20 @@ protected void danger2(HttpServletRequest req, HttpServletResponse resp) throws
         byte[] cipherText = c.doFinal(plainText);
     }
 
+    protected void danger_lowercase(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
+        // ruleid: des-is-deprecated
+        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
+        c.init(Cipher.ENCRYPT_MODE, k, iv);
+        byte[] cipherText = c.doFinal(plainText);
+    }
+
+    protected void danger_lowercase_with_mode(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
+        // ruleid: des-is-deprecated
+        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
+        c.init(Cipher.ENCRYPT_MODE, k, iv);
+        byte[] cipherText = c.doFinal(plainText);
+    }
+
     protected void ok(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
         // ok: des-is-deprecated
         Cipher c = Cipher.getInstance("AES/GCM/NoPadding");

diff --git a/java/lang/security/audit/crypto/des-is-deprecated.java b/java/lang/security/audit/crypto/des-is-deprecated.java
@@ -29,6 +29,20 @@ protected void danger2(HttpServletRequest req, HttpServletResponse resp) throws
         byte[] cipherText = c.doFinal(plainText);
     }
 
+    protected void danger_lowercase(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
+        // ruleid: des-is-deprecated
+        Cipher c = Cipher.getInstance("des");
+        c.init(Cipher.ENCRYPT_MODE, k, iv);
+        byte[] cipherText = c.doFinal(plainText);
+    }
+
+    protected void danger_lowercase_with_mode(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
+        // ruleid: des-is-deprecated
+        Cipher c = Cipher.getInstance("des/ecb/pkcs5padding");
+        c.init(Cipher.ENCRYPT_MODE, k, iv);
+        byte[] cipherText = c.doFinal(plainText);
+    }
+
     protected void ok(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
         // ok: des-is-deprecated
         Cipher c = Cipher.getInstance("AES/GCM/NoPadding");

diff --git a/java/lang/security/audit/crypto/des-is-deprecated.yaml b/java/lang/security/audit/crypto/des-is-deprecated.yaml
@@ -34,13 +34,13 @@ rules:
   severity: WARNING
   patterns:
   - pattern-either:
-    - pattern-inside: $CIPHER.getInstance("=~/DES/.*/")
-    - pattern-inside: $CIPHER.getInstance("DES")
+    - pattern-inside: $CIPHER.getInstance("=~/(?i)DES/.*/")
+    - pattern-inside: $CIPHER.getInstance("=~/(?i)^DES$/")
   - pattern-either:
     - pattern: |
-        "=~/DES/.*/"
+        "=~/(?i)DES/.*/"
     - pattern: |
-        "DES"
+        "=~/(?i)^DES$/"
   fix: |
     "AES/GCM/NoPadding"
   languages:

diff --git a/java/lang/security/audit/crypto/desede-is-deprecated.java b/java/lang/security/audit/crypto/desede-is-deprecated.java
@@ -22,6 +22,13 @@ protected void danger(HttpServletRequest req, HttpServletResponse resp) throws S
         byte[] cipherText = c.doFinal(plainText);
     }
 
+    protected void danger_lowercase(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
+        // ruleid: desede-is-deprecated
+        Cipher c = Cipher.getInstance("desede/ecb/pkcs5padding");
+        c.init(Cipher.ENCRYPT_MODE, k, iv);
+        byte[] cipherText = c.doFinal(plainText);
+    }
+
     protected void ok(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
         // ok: desede-is-deprecated
         Cipher c = Cipher.getInstance("AES/GCM/NoPadding");

diff --git a/java/lang/security/audit/crypto/desede-is-deprecated.yaml b/java/lang/security/audit/crypto/desede-is-deprecated.yaml
@@ -27,9 +27,13 @@ rules:
   patterns:
   - pattern-either:
     - pattern: |
-        $CIPHER.getInstance("=~/DESede.*/")
-    - pattern: |
-        $CRYPTO.KeyGenerator.getInstance("DES")
+        $CIPHER.getInstance("=~/(?i)DESede.*/")
+    - patterns:
+      - pattern: |
+          $CRYPTO.KeyGenerator.getInstance("$ALG")
+      - metavariable-regex:
+          metavariable: $ALG
+          regex: (?i)^DES$
   languages:
   - java
   - kt
diff --git a/java/lang/security/audit/crypto/ecb-cipher.java b/java/lang/security/audit/crypto/ecb-cipher.java
@@ -6,6 +6,13 @@ public void ecbCipher() {
     c.init(Cipher.ENCRYPT_MODE, k, iv);
     byte[] cipherText = c.doFinal(plainText);
   }
+  public void ecbCipher_lowercase() {
+    // ruleid: ecb-cipher
+    Cipher c = Cipher.getInstance("aes/ecb/nopadding");
+    c.init(Cipher.ENCRYPT_MODE, k, iv);
+    byte[] cipherText = c.doFinal(plainText);
+  }
+
   public void noEcbCipher() {
     // ok: ecb-cipher
     Cipher c = Cipher.getInstance("AES/GCM/NoPadding");

diff --git a/java/lang/security/audit/crypto/ecb-cipher.yaml b/java/lang/security/audit/crypto/ecb-cipher.yaml
@@ -34,4 +34,4 @@ rules:
       Cipher $VAR = $CIPHER.getInstance($MODE);
   - metavariable-regex:
       metavariable: $MODE
-      regex: .*ECB.*
+      regex: (?i).*ECB.*
diff --git a/java/lang/security/audit/crypto/rsa-no-padding.java b/java/lang/security/audit/crypto/rsa-no-padding.java
@@ -9,6 +9,11 @@ public void rsaNoPadding2() {
     useCipher(Cipher.getInstance("RSA/None/NoPadding"));
   }
 
+  public void rsaNoPadding_lowercase() {
+    // ruleid: rsa-no-padding
+    Cipher.getInstance("rsa/none/nopadding");
+  }
+
   public void rsaPadding() {
     // ok: rsa-no-padding
     Cipher.getInstance("RSA/ECB/OAEPWithMD5AndMGF1Padding");

diff --git a/java/lang/security/audit/crypto/rsa-no-padding.yaml b/java/lang/security/audit/crypto/rsa-no-padding.yaml
@@ -32,4 +32,4 @@ rules:
   languages:
   - java
   - kt
-  pattern: $CIPHER.getInstance("=~/RSA/[Nn][Oo][Nn][Ee]/NoPadding/") 
+  pattern: $CIPHER.getInstance("=~/(?i)RSA/None/NoPadding/") 
diff --git a/java/lang/security/audit/crypto/use-of-aes-ecb.java b/java/lang/security/audit/crypto/use-of-aes-ecb.java
@@ -9,6 +9,16 @@ public void useofAES2() {
     useCipher(Cipher.getInstance("AES/ECB/PKCS5Padding"));
   }
 
+  public void useofAES_lowercase() {
+    // ruleid: use-of-aes-ecb
+    Cipher.getInstance("aes/ecb/nopadding");
+  }
+
+  public void useofAES_mixedcase() {
+    // ruleid: use-of-aes-ecb
+    Cipher.getInstance("Aes/Ecb/NoPadding");
+  }
+
   public void ok() {
     // ok: use-of-aes-ecb
     Cipher.getInstance("AES/CBC/PKCS7PADDING");

diff --git a/java/lang/security/audit/crypto/use-of-aes-ecb.yaml b/java/lang/security/audit/crypto/use-of-aes-ecb.yaml
@@ -1,6 +1,10 @@
 rules:
 - id: use-of-aes-ecb
-  pattern: $CIPHER.getInstance("=~/AES/ECB.*/") 
+  patterns:
+  - pattern: $CIPHER.getInstance("$ALG")
+  - metavariable-regex:
+      metavariable: $ALG
+      regex: (?i)^AES/ECB
   metadata:
     functional-categories:
       - 'crypto::search::mode::javax.crypto'

diff --git a/java/lang/security/audit/crypto/use-of-blowfish.java b/java/lang/security/audit/crypto/use-of-blowfish.java
@@ -9,6 +9,16 @@ public void useofBlowfish2() {
     useCipher(Cipher.getInstance("Blowfish"));
   }
 
+  public void useofBlowfish_lowercase() {
+    // ruleid: use-of-blowfish
+    Cipher.getInstance("blowfish");
+  }
+
+  public void useofBlowfish_uppercase() {
+    // ruleid: use-of-blowfish
+    Cipher.getInstance("BLOWFISH");
+  }
+
   public void ok() {
     // ok: use-of-blowfish
     Cipher.getInstance("AES/CBC/PKCS7PADDING");

diff --git a/java/lang/security/audit/crypto/use-of-blowfish.yaml b/java/lang/security/audit/crypto/use-of-blowfish.yaml
@@ -1,6 +1,10 @@
 rules:
 - id: use-of-blowfish
-  pattern: $CIPHER.getInstance("Blowfish") 
+  patterns:
+  - pattern: $CIPHER.getInstance("$ALG")
+  - metavariable-regex:
+      metavariable: $ALG
+      regex: (?i)^Blowfish$
   metadata:
     functional-categories:
       - 'crypto::search::symmetric-algorithm::javax.crypto'

diff --git a/java/lang/security/audit/crypto/use-of-default-aes.java b/java/lang/security/audit/crypto/use-of-default-aes.java
@@ -47,6 +47,11 @@ public void useofAES2() {
     useCipher(javax.crypto.KeyGenerator.getInstance("AES"));
   }
 
+  public void useofAES_lowercase() {
+    // ruleid: use-of-default-aes
+    Cipher.getInstance("aes");
+  }
+
   public void ok() {
     // ok: use-of-default-aes
     Cipher.getInstance("AES/CBC/PKCS7PADDING");

diff --git a/java/lang/security/audit/crypto/use-of-default-aes.yaml b/java/lang/security/audit/crypto/use-of-default-aes.yaml
@@ -7,8 +7,8 @@ rules:
                   import javax;
                   ...
           - pattern-either:
-              - pattern: javax.crypto.Cipher.getInstance("AES")
-              - pattern: (javax.crypto.Cipher $CIPHER).getInstance("AES")
+              - pattern: javax.crypto.Cipher.getInstance("=~/(?i)^AES$/")
+              - pattern: (javax.crypto.Cipher $CIPHER).getInstance("=~/(?i)^AES$/")
       - patterns:
           - pattern-either:
               - pattern-inside: |
@@ -18,8 +18,8 @@ rules:
                   import javax.crypto;
                   ...
           - pattern-either:
-              - pattern: crypto.Cipher.getInstance("AES")
-              - pattern: (crypto.Cipher $CIPHER).getInstance("AES")
+              - pattern: crypto.Cipher.getInstance("=~/(?i)^AES$/")
+              - pattern: (crypto.Cipher $CIPHER).getInstance("=~/(?i)^AES$/")
       - patterns:
           - pattern-either:
               - pattern-inside: |
@@ -29,8 +29,8 @@ rules:
                   import javax.crypto.Cipher;
                   ...
           - pattern-either:
-              - pattern: Cipher.getInstance("AES")
-              - pattern: (Cipher $CIPHER).getInstance("AES")
+              - pattern: Cipher.getInstance("=~/(?i)^AES$/")
+              - pattern: (Cipher $CIPHER).getInstance("=~/(?i)^AES$/")
     metadata:
       functional-categories:
         - 'crypto::search::mode::javax.crypto'

diff --git a/java/lang/security/audit/crypto/use-of-rc2.java b/java/lang/security/audit/crypto/use-of-rc2.java
@@ -9,6 +9,16 @@ public void useofRC2b() {
     useCipher(Cipher.getInstance("RC2"));
   }
 
+  public void useofRC2_lowercase() {
+    // ruleid: use-of-rc2
+    Cipher.getInstance("rc2");
+  }
+
+  public void useofRC2_mixedcase() {
+    // ruleid: use-of-rc2
+    Cipher.getInstance("Rc2");
+  }
+
   public void ok() {
     // ok: use-of-rc2
     Cipher.getInstance("AES/CBC/PKCS7PADDING");

diff --git a/java/lang/security/audit/crypto/use-of-rc2.yaml b/java/lang/security/audit/crypto/use-of-rc2.yaml
@@ -1,6 +1,10 @@
 rules:
 - id: use-of-rc2
-  pattern: $CIPHER.getInstance("RC2") 
+  patterns:
+  - pattern: $CIPHER.getInstance("$ALG")
+  - metavariable-regex:
+      metavariable: $ALG
+      regex: (?i)^RC2$
   metadata:
     functional-categories:
       - 'crypto::search::symmetric-algorithm::javax.crypto'

diff --git a/java/lang/security/audit/crypto/use-of-rc4.java b/java/lang/security/audit/crypto/use-of-rc4.java
@@ -9,6 +9,16 @@ public void useofRC4b() {
     useCipher(Cipher.getInstance("RC4"));
   }
 
+  public void useofRC4_lowercase() {
+    // ruleid: use-of-rc4
+    Cipher.getInstance("rc4");
+  }
+
+  public void useofRC4_mixedcase() {
+    // ruleid: use-of-rc4
+    Cipher.getInstance("Rc4");
+  }
+
   public void ok() {
     // ok: use-of-rc4 
     Cipher.getInstance("AES/CBC/PKCS7PADDING");

diff --git a/java/lang/security/audit/crypto/use-of-rc4.yaml b/java/lang/security/audit/crypto/use-of-rc4.yaml
@@ -1,6 +1,10 @@
 rules:
 - id: use-of-rc4 
-  pattern: $CIPHER.getInstance("RC4") 
+  patterns:
+  - pattern: $CIPHER.getInstance("$ALG")
+  - metavariable-regex:
+      metavariable: $ALG
+      regex: (?i)^RC4$
   metadata:
     functional-categories:
       - 'crypto::search::symmetric-algorithm::javax.crypto'

diff --git a/java/lang/security/audit/crypto/use-of-sha1.java b/java/lang/security/audit/crypto/use-of-sha1.java
@@ -16,6 +16,11 @@ public byte[] bad2(String password) {
     return hashValue;
   }
 
+  public void bad3_lowercase() {
+    // ruleid: use-of-sha1
+    java.security.MessageDigest md = java.security.MessageDigest.getInstance("sha-1", "SUN");
+  }
+
   public void bad3() {
     // ruleid: use-of-sha1
     java.security.MessageDigest md = java.security.MessageDigest.getInstance("SHA1", "SUN");

diff --git a/java/lang/security/audit/crypto/use-of-sha1.yaml b/java/lang/security/audit/crypto/use-of-sha1.yaml
@@ -38,6 +38,6 @@ rules:
         java.security.MessageDigest.getInstance("$ALGO", ...);
     - metavariable-regex:
         metavariable: $ALGO
-        regex: (SHA1|SHA-1)
+        regex: (?i)^(SHA1|SHA-1)$
   - pattern: |
       $DU.getSha1Digest().digest(...)
diff --git a/java/lang/security/audit/crypto/weak-rsa.java b/java/lang/security/audit/crypto/weak-rsa.java
@@ -8,6 +8,12 @@ static void rsaWeak() {
     keyGen.initialize(512);
   }
 
+  static void rsaWeak_lowercase() {
+    // ruleid: use-of-weak-rsa-key
+    KeyPairGenerator keyGen = KeyPairGenerator.getInstance("rsa");
+    keyGen.initialize(512);
+  }
+
   static void rsaOK() {
     // ok: use-of-weak-rsa-key
     KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA");