Summary
During an empirical study to understand the nature of cryptographic misuses in enterprise-driven projects on GitHub, we randomly inspected a few of the misuses. One of the misuses that we could confirm as a true positive of the analysis, CogniCryptSAST, is in this project.
- In the class com.tmobile.pacman.util.CommonUtils, l. 973, a string is passed as a secret key, which is considered insecure. In Java, strings are immutable and stay in memory until collected by Java's garbage collector. Thus, they are visible in memory to attackers for longer than necessary and outside of the direct control of the developer. The data type suggested by the JCA is bytes.
Reproduce steps
Execute CogniCrypt_SAST to retrieve the misuse reported above.
Expected Results
I would expect no true positive from CogniCrypt_SAST.
Actual Results
CogniCrypt_SAST reports misuses for the project.
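The following is an added illustration of the String-typed-key pattern described in the report, placed next to the byte-array form the JCA expects. It is example code written for this page, not the project's CommonUtils code and not output of CogniCrypt_SAST; the class and method names, the AES/GCM choice and the sample key and message are assumptions made for the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

// Hypothetical class, not part of the reported project.
public class KeyHandlingExample {

    private static final int GCM_IV_BYTES = 12;
    private static final int GCM_TAG_BITS = 128;

    // Shape of the reported misuse: the key arrives as a String. A String is
    // immutable, so its characters can never be overwritten; they stay on the
    // heap until the garbage collector reclaims them, outside the caller's control.
    static byte[] encryptWithStringKey(String secret, byte[] plaintext) throws GeneralSecurityException {
        // getBytes() creates a second copy; the original String is left untouched.
        byte[] keyBytes = secret.getBytes(StandardCharsets.UTF_8);
        return aesGcmEncrypt(keyBytes, plaintext);
    }

    // JCA-preferred shape: key material exists only as byte[] and is zeroed
    // as soon as the operation is finished.
    static byte[] encryptWithByteKey(byte[] keyBytes, byte[] plaintext) throws GeneralSecurityException {
        try {
            return aesGcmEncrypt(keyBytes, plaintext);
        } finally {
            Arrays.fill(keyBytes, (byte) 0); // wipe the array we own
        }
    }

    // Shared AES/GCM helper; the random IV is prepended to the ciphertext.
    private static byte[] aesGcmEncrypt(byte[] keyBytes, byte[] plaintext) throws GeneralSecurityException {
        byte[] iv = new byte[GCM_IV_BYTES];
        new SecureRandom().nextBytes(iv);
        // Note: SecretKeySpec clones the array, so that internal copy still
        // lives until collected; zeroing the caller's array removes one copy only.
        SecretKeySpec key = new SecretKeySpec(keyBytes, "AES");
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(GCM_TAG_BITS, iv));
        byte[] ct = cipher.doFinal(plaintext);
        byte[] out = new byte[iv.length + ct.length];
        System.arraycopy(iv, 0, out, 0, iv.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return out;
    }

    public static void main(String[] args) throws GeneralSecurityException {
        byte[] msg = "hello".getBytes(StandardCharsets.UTF_8); // constructed sample input

        // Flagged form: a String-typed key (constructed sample value, 16 bytes for AES-128).
        byte[] ct1 = encryptWithStringKey("0123456789abcdef", msg);

        // Preferred form: key generated directly as bytes, never materialised as a String.
        byte[] key = new byte[16];
        new SecureRandom().nextBytes(key);
        byte[] ct2 = encryptWithByteKey(key, msg);

        System.out.println("string-key ciphertext: " + ct1.length + " bytes");
        System.out.println("byte-key ciphertext:   " + ct2.length + " bytes");
        System.out.println("caller's key array wiped: " + Arrays.equals(key, new byte[16]));
    }
}
```

The point of contrast is the `finally` block: with a `byte[]` the developer decides when the key material disappears from the heap, whereas with a `String` there is no way to do that at all. The caveat in the helper also matters in practice: `SecretKeySpec` keeps its own copy, so zeroing the caller's array shortens the lifetime of one copy but does not remove every copy from memory.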