CodeAnt AI home pagelight logodark logo
  • Dashboard
  • Dashboard
  • Documentation
  • Demo Call with CEO
  • Blog
  • Slack
    • Get Started
    • CodeAnt AI
    • Setup
    • Control Center
    • Pull Request Review
    • IDE
    • Compliance
    • Anti-Patterns
    • Code Governance
    • Infrastructure Security Database
    • Application Security Database
      • Apex
      • Bash
      • C
      • Clojure
      • Cpp
      • Csharp
      • Dockerfile
      • Elixir
      • Fingerprints
      • Generic
      • Go
      • Html
      • Java
        • Android
        • Aws-lambda
        • Castor
        • Java-jwt
        • Jax-rs
        • Jboss
        • Jdo
        • Jedis
        • Jjwt
        • Jsch
        • Kryo
        • Lang
          • Audit
          • Correctness
          • Security
          • Security
            • Audit
            • Audit
              • Active-debug-code-getstacktrace
              • Active-debug-code-printstacktrace
              • Crypto
              • Crypto
              • Formatted-sql-string-deepsemgrep
              • Saxreader-xmlreader-constructor
              • Sqli
              • Xml-custom-entityresolver
              • Xss
              • Xss
              • Xxe
            • Crypto
            • Net
            • Properties
            • Sql
            • System
            • Xxe
        • Micronaut
        • Mongo
        • Mongodb
        • Mysql
        • Okhttp
        • Rmi
        • Servlets
        • Spring
        • Thymeleaf
        • Xstream
      • Javascript
      • Json
      • Kotlin
      • Ocaml
      • Php
      • Problem-based-packs
      • Python
      • Ruby
      • Rust
      • Scala
      • Solidity
      • Swift
      • Terraform
      • Typescript
      • Yaml
    Audit

    Crypto

    Use of AES with no settings detected. By default, java.crypto.Cipher uses ECB mode. ECB doesn’t provide message confidentiality and is not semantically secure so should not be used. Instead, use a strong, secure cipher: java.crypto.Cipher.getInstance(“AES/CBC/PKCS7PADDING”). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information.
    Likelihood: MEDIUM
    Confidence: HIGH
    CWE:
    - CWE-327: Use of a Broken or Risky Cryptographic Algorithm
    OWASP:
    - A03:2017 - Sensitive Data Exposure
    - A02:2021 - Cryptographic Failures

    Detected use of the functions Math.random() or java.util.Random(). These are both not cryptographically strong random number generators (RNGs). If you are using these RNGs to create passwords or secret tokens, use java.security.SecureRandom instead.
    Likelihood: LOW
    Confidence: LOW
    CWE:
    - CWE-330: Use of Insufficiently Random Values
    OWASP:
    - A02:2021 - Cryptographic Failures

    GCM detected, please check that IV/nonce is not reused, an Initialization Vector (IV) is a nonce used to randomize the encryption, so that even if multiple messages with identical plaintext are encrypted, the generated corresponding ciphertexts are different. Unlike the Key, the IV usually does not need to be secret, rather it is important that it is random and unique. Certain encryption schemes the IV is exchanged in public as part of the ciphertext. Reusing same Initialization Vector with the same Key to encrypt multiple plaintext blocks allows an attacker to compare the ciphertexts and then, with some assumptions on the content of the messages, to gain important information about the data being encrypted.
    Likelihood: MEDIUM
    Confidence: LOW
    CWE:
    - CWE-323: Reusing a Nonce, Key Pair in Encryption
    OWASP:
    - A02:2021 - Cryptographic Failures

    Use of Blowfish was detected. Blowfish uses a 64-bit block size that makes it vulnerable to birthday attacks, and is therefore considered non-compliant. Instead, use a strong, secure cipher: Cipher.getInstance(“AES/CBC/PKCS7PADDING”). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information.
    Likelihood: MEDIUM
    Confidence: HIGH
    CWE:
    - CWE-327: Use of a Broken or Risky Cryptographic Algorithm
    OWASP:
    - A03:2017 - Sensitive Data Exposure
    - A02:2021 - Cryptographic Failures

    Triple DES (3DES or DESede) is considered deprecated. AES is the recommended cipher. Upgrade to use AES.
    Likelihood: MEDIUM
    Confidence: HIGH
    CWE:
    - CWE-326: Inadequate Encryption Strength
    OWASP:
    - A03:2017 - Sensitive Data Exposure
    - A02:2021 - Cryptographic Failures

    Detected use of a Java socket that is not encrypted. As a result, the traffic could be read by an attacker intercepting the network traffic. Use an SSLSocket created by ‘SSLSocketFactory’ or ‘SSLServerSocketFactory’ instead.
    Likelihood: MEDIUM
    Confidence: HIGH
    CWE:
    - CWE-319: Cleartext Transmission of Sensitive Information
    OWASP:
    - A03:2017 - Sensitive Data Exposure
    - A02:2021 - Cryptographic Failures

    DES is considered deprecated. AES is the recommended cipher. Upgrade to use AES. See https://www.nist.gov/news-events/news/2005/06/nist-withdraws-outdated-data-encryption-standard for more information.
    Likelihood: MEDIUM
    Confidence: HIGH
    CWE:
    - CWE-326: Inadequate Encryption Strength
    OWASP:
    - A03:2017 - Sensitive Data Exposure
    - A02:2021 - Cryptographic Failures

    Use of RC4 was detected. RC4 is vulnerable to several attacks, including stream cipher attacks and bit flipping attacks. Instead, use a strong, secure cipher: Cipher.getInstance(“AES/CBC/PKCS7PADDING”). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information.
    Likelihood: MEDIUM
    Confidence: HIGH
    CWE:
    - CWE-327: Use of a Broken or Risky Cryptographic Algorithm
    OWASP:
    - A03:2017 - Sensitive Data Exposure
    - A02:2021 - Cryptographic Failures

    Cipher in ECB mode is detected. ECB mode produces the same output for the same input each time which allows an attacker to intercept and replay the data. Further, ECB mode does not provide any integrity checking. See https://find-sec-bugs.github.io/bugs.htm#CIPHER_INTEGRITY.
    Likelihood: MEDIUM
    Confidence: HIGH
    CWE:
    - CWE-327: Use of a Broken or Risky Cryptographic Algorithm
    OWASP:
    - A03:2017 - Sensitive Data Exposure
    - A02:2021 - Cryptographic Failures

    Using RSA without OAEP mode weakens the encryption.
    Likelihood: MEDIUM
    Confidence: HIGH
    CWE:
    - CWE-326: Inadequate Encryption Strength
    OWASP:
    - A03:2017 - Sensitive Data Exposure
    - A02:2021 - Cryptographic Failures

    Initialization Vectors (IVs) for block ciphers should be randomly generated each time they are used. Using a static IV means the same plaintext encrypts to the same ciphertext every time, weakening the strength of the encryption.
    Likelihood: MEDIUM
    Confidence: HIGH
    CWE:
    - CWE-329: Generation of Predictable IV with CBC Mode
    OWASP:
    - A02:2021 - Cryptographic Failures

    Detected MD5 hash algorithm which is considered insecure. MD5 is not collision resistant and is therefore not suitable as a cryptographic signature. Use HMAC instead.
    Likelihood: MEDIUM
    Confidence: HIGH
    CWE:
    - CWE-328: Use of Weak Hash
    OWASP:
    - A03:2017 - Sensitive Data Exposure
    - A02:2021 - Cryptographic Failures

    Detected MD5 hash algorithm which is considered insecure. MD5 is not collision resistant and is therefore not suitable as a cryptographic signature. Use HMAC instead.
    Likelihood: MEDIUM
    Confidence: HIGH
    CWE:
    - CWE-328: Use of Weak Hash
    OWASP:
    - A03:2017 - Sensitive Data Exposure
    - A02:2021 - Cryptographic Failures

    Use of AES with ECB mode detected. ECB doesn’t provide message confidentiality and is not semantically secure so should not be used. Instead, use a strong, secure cipher: Cipher.getInstance(“AES/CBC/PKCS7PADDING”). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information.
    Likelihood: MEDIUM
    Confidence: HIGH
    CWE:
    - CWE-327: Use of a Broken or Risky Cryptographic Algorithm
    OWASP:
    - A03:2017 - Sensitive Data Exposure
    - A02:2021 - Cryptographic Failures

    GCM IV/nonce is reused: encryption can be totally useless
    Likelihood: MEDIUM
    Confidence: HIGH
    CWE:
    - CWE-323: Reusing a Nonce, Key Pair in Encryption
    OWASP:
    - A02:2021 - Cryptographic Failures

    Use of RC2 was detected. RC2 is vulnerable to related-key attacks, and is therefore considered non-compliant. Instead, use a strong, secure cipher: Cipher.getInstance(“AES/CBC/PKCS7PADDING”). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information.
    Likelihood: MEDIUM
    Confidence: HIGH
    CWE:
    - CWE-327: Use of a Broken or Risky Cryptographic Algorithm
    OWASP:
    - A03:2017 - Sensitive Data Exposure
    - A02:2021 - Cryptographic Failures

    NullCipher was detected. This will not encrypt anything; the cipher text will be the same as the plain text. Use a valid, secure cipher: Cipher.getInstance(“AES/CBC/PKCS7PADDING”). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information.
    Likelihood: MEDIUM
    Confidence: HIGH
    CWE:
    - CWE-327: Use of a Broken or Risky Cryptographic Algorithm
    OWASP:
    - A03:2017 - Sensitive Data Exposure
    - A02:2021 - Cryptographic Failures

    RSA keys should be at least 2048 bits based on NIST recommendation.
    Likelihood: MEDIUM
    Confidence: HIGH
    CWE:
    - CWE-326: Inadequate Encryption Strength
    OWASP:
    - A03:2017 - Sensitive Data Exposure
    - A02:2021 - Cryptographic Failures

    Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Instead, use PBKDF2 for password hashing or SHA256 or SHA512 for other hash function applications.
    Likelihood: MEDIUM
    Confidence: HIGH
    CWE:
    - CWE-328: Use of Weak Hash
    OWASP:
    - A03:2017 - Sensitive Data Exposure
    - A02:2021 - Cryptographic Failures

    Active debug code printstacktraceSsl
    twitterlinkedin
    Powered by Mintlify