Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Pass key as string instead of byte-array / JCA misuse #1170

Open
akwick opened this issue Apr 27, 2022 · 0 comments
Open

Pass key as string instead of byte-array / JCA misuse #1170

akwick opened this issue Apr 27, 2022 · 0 comments

Comments

@akwick
Copy link

akwick commented Apr 27, 2022

I am reaching out to you as we conducted an empirical study to understand the nature of cryptographic misuses in enterprise-driven projects on GitHub. During our study, we randomly inspected a few of the misuses. One of the misuses for which we could confirm the finding of the analysis, CogniCryptSAST is within this project.

  • The method encrypt expects a string as secret. However, a string is considered as insecure to handle secrets. In Java, strings are immutable and stay in memory until collected by Java's garbage collector. Thus, they are longer visible in memory for attackers than necessary and outside of the direct control of the developer. The JCA documentation recommend this as well.

The report can be reproduced by running CogniCrypt_SAST on the project.

We hope that our assumption is correct and would be glad to get your thoughts on this issue.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@akwick