language: ruby
name: ruby_rsa_weak_crypto
message: "Avoid using RSA for cryptographic operations; it is outdated and insecure."
category: security
severity: critical
pattern: >
  (scope_resolution
  scope: (scope_resolution
    scope: (constant) @openssl (#eq? @openssl "OpenSSL")
    name: (constant) @pkey (#eq? @pkey "PKey"))
  name: (constant) @rsa (#eq? @rsa "RSA")) @ruby_rsa_weak_crypto
exclude:
  - "test/**"
  - "*_test.rb"
  - "tests/**"
  - "__tests__/**"
description: |
  Issue:
  RSA is considered weak due to its reliance on small key sizes and vulnerability 
  to attacks.It is no longer recommended for cryptographic operations.

  Why is this a problem?
  - RSA with small key sizes (1024-bit) is vulnerable to brute-force attacks.
  - Poor randomness in RSA signatures can lead to private key leaks.
  - Modern security standards recommend stronger alternatives.

  Remediation:
  - Instead of RSA, use BCrypt for securely hashing passwords.
  - If encryption is needed, use AES-256-GCM.

  Example Fix:
  ruby
  require 'bcrypt'

  # Weak RSA (Avoid)
  require 'openssl'
  rsa = OpenSSL::PKey::RSA.new(1024)  # Weak & insecure

  # Secure BCrypt Alternative (for password hashing)
  password = "SecurePassword123"
  hashed_password = BCrypt::Password.create(password)
  puts "BCrypt Hash: #{hashed_password}"

  # Secure AES Alternative (for encryption)
  require 'openssl'
  cipher = OpenSSL::Cipher.new('aes-256-gcm')
  cipher.encrypt
  key = cipher.random_key
  iv = cipher.random_iv
  encrypted = cipher.update("Sensitive Data") + cipher.final
  puts "AES Encrypted Data: #{encrypted}"