CodeAnt AI home pagelight logodark logo
  • Support
  • Dashboard
  • Dashboard
Documentation
API Reference
Start Here
  • What is CodeAnt?
  • Join Community
Setup
  • Github
  • Bitbucket
  • Gitlab
  • Azure Devops
Pull Request Review
  • Features
  • Customize Review
  • Quality Gates
  • Integrations
Scan center
  • Code Security
  • Code Quality
  • Cloud Security
  • Engineering Productivity
Integrations
  • Jira
  • Test Coverage
  • CI/CD
IDE
  • Setup
  • Review
  • Enhancements
Rule Reference
  • Compliance
  • Anti-Patterns
  • Code Governance
  • Infrastructure Security Database
  • Application Security Database
    • Apex
    • Bash
    • C
    • Clojure
    • Cpp
    • Csharp
    • Dockerfile
    • Elixir
    • Fingerprints
    • Generic
    • Go
    • Html
    • Java
      • Android
      • Aws-lambda
      • Castor
      • Java-jwt
      • Jax-rs
      • Jboss
      • Jdo
      • Jedis
      • Jjwt
      • Jsch
      • Kryo
      • Lang
        • Audit
        • Correctness
        • Security
        • Security
          • Audit
          • Audit
            • Active-debug-code-getstacktrace
            • Active-debug-code-printstacktrace
            • Crypto
            • Crypto
            • Formatted-sql-string-deepsemgrep
            • Saxreader-xmlreader-constructor
            • Sqli
            • Xml-custom-entityresolver
            • Xss
            • Xss
            • Xxe
          • Crypto
          • Net
          • Properties
          • Sql
          • System
          • Xxe
      • Micronaut
      • Mongo
      • Mongodb
      • Mysql
      • Okhttp
      • Rmi
      • Servlets
      • Spring
      • Thymeleaf
      • Xstream
    • Javascript
    • Json
    • Kotlin
    • Ocaml
    • Php
    • Problem-based-packs
    • Python
    • Ruby
    • Rust
    • Scala
    • Solidity
    • Swift
    • Terraform
    • Typescript
    • Yaml
Resources
  • Open Source
  • Blogs
Audit

Crypto

use-of-default-aes

Use of AES with no settings detected. By default, java.crypto.Cipher uses ECB mode. ECB doesn’t provide message confidentiality and is not semantically secure so should not be used. Instead, use a strong, secure cipher: java.crypto.Cipher.getInstance(“AES/CBC/PKCS7PADDING”). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information.
Likelihood: MEDIUM
Confidence: HIGH
CWE:
- CWE-327: Use of a Broken or Risky Cryptographic Algorithm
OWASP:
- A03:2017 - Sensitive Data Exposure
- A02:2021 - Cryptographic Failures

weak-random

Detected use of the functions Math.random() or java.util.Random(). These are both not cryptographically strong random number generators (RNGs). If you are using these RNGs to create passwords or secret tokens, use java.security.SecureRandom instead.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-330: Use of Insufficiently Random Values
OWASP:
- A02:2021 - Cryptographic Failures

gcm-detection

GCM detected, please check that IV/nonce is not reused, an Initialization Vector (IV) is a nonce used to randomize the encryption, so that even if multiple messages with identical plaintext are encrypted, the generated corresponding ciphertexts are different. Unlike the Key, the IV usually does not need to be secret, rather it is important that it is random and unique. Certain encryption schemes the IV is exchanged in public as part of the ciphertext. Reusing same Initialization Vector with the same Key to encrypt multiple plaintext blocks allows an attacker to compare the ciphertexts and then, with some assumptions on the content of the messages, to gain important information about the data being encrypted.
Likelihood: MEDIUM
Confidence: LOW
CWE:
- CWE-323: Reusing a Nonce, Key Pair in Encryption
OWASP:
- A02:2021 - Cryptographic Failures

use-of-blowfish

Use of Blowfish was detected. Blowfish uses a 64-bit block size that makes it vulnerable to birthday attacks, and is therefore considered non-compliant. Instead, use a strong, secure cipher: Cipher.getInstance(“AES/CBC/PKCS7PADDING”). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information.
Likelihood: MEDIUM
Confidence: HIGH
CWE:
- CWE-327: Use of a Broken or Risky Cryptographic Algorithm
OWASP:
- A03:2017 - Sensitive Data Exposure
- A02:2021 - Cryptographic Failures

desede-is-deprecated

Triple DES (3DES or DESede) is considered deprecated. AES is the recommended cipher. Upgrade to use AES.
Likelihood: MEDIUM
Confidence: HIGH
CWE:
- CWE-326: Inadequate Encryption Strength
OWASP:
- A03:2017 - Sensitive Data Exposure
- A02:2021 - Cryptographic Failures

unencrypted-socket

Detected use of a Java socket that is not encrypted. As a result, the traffic could be read by an attacker intercepting the network traffic. Use an SSLSocket created by ‘SSLSocketFactory’ or ‘SSLServerSocketFactory’ instead.
Likelihood: MEDIUM
Confidence: HIGH
CWE:
- CWE-319: Cleartext Transmission of Sensitive Information
OWASP:
- A03:2017 - Sensitive Data Exposure
- A02:2021 - Cryptographic Failures

des-is-deprecated

DES is considered deprecated. AES is the recommended cipher. Upgrade to use AES. See https://www.nist.gov/news-events/news/2005/06/nist-withdraws-outdated-data-encryption-standard for more information.
Likelihood: MEDIUM
Confidence: HIGH
CWE:
- CWE-326: Inadequate Encryption Strength
OWASP:
- A03:2017 - Sensitive Data Exposure
- A02:2021 - Cryptographic Failures

use-of-rc4

Use of RC4 was detected. RC4 is vulnerable to several attacks, including stream cipher attacks and bit flipping attacks. Instead, use a strong, secure cipher: Cipher.getInstance(“AES/CBC/PKCS7PADDING”). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information.
Likelihood: MEDIUM
Confidence: HIGH
CWE:
- CWE-327: Use of a Broken or Risky Cryptographic Algorithm
OWASP:
- A03:2017 - Sensitive Data Exposure
- A02:2021 - Cryptographic Failures

ecb-cipher

Cipher in ECB mode is detected. ECB mode produces the same output for the same input each time which allows an attacker to intercept and replay the data. Further, ECB mode does not provide any integrity checking. See https://find-sec-bugs.github.io/bugs.htm#CIPHER_INTEGRITY.
Likelihood: MEDIUM
Confidence: HIGH
CWE:
- CWE-327: Use of a Broken or Risky Cryptographic Algorithm
OWASP:
- A03:2017 - Sensitive Data Exposure
- A02:2021 - Cryptographic Failures

rsa-no-padding

Using RSA without OAEP mode weakens the encryption.
Likelihood: MEDIUM
Confidence: HIGH
CWE:
- CWE-326: Inadequate Encryption Strength
OWASP:
- A03:2017 - Sensitive Data Exposure
- A02:2021 - Cryptographic Failures

no-static-initialization-vector

Initialization Vectors (IVs) for block ciphers should be randomly generated each time they are used. Using a static IV means the same plaintext encrypts to the same ciphertext every time, weakening the strength of the encryption.
Likelihood: MEDIUM
Confidence: HIGH
CWE:
- CWE-329: Generation of Predictable IV with CBC Mode
OWASP:
- A02:2021 - Cryptographic Failures

use-of-md5

Detected MD5 hash algorithm which is considered insecure. MD5 is not collision resistant and is therefore not suitable as a cryptographic signature. Use HMAC instead.
Likelihood: MEDIUM
Confidence: HIGH
CWE:
- CWE-328: Use of Weak Hash
OWASP:
- A03:2017 - Sensitive Data Exposure
- A02:2021 - Cryptographic Failures

use-of-md5-digest-utils

Detected MD5 hash algorithm which is considered insecure. MD5 is not collision resistant and is therefore not suitable as a cryptographic signature. Use HMAC instead.
Likelihood: MEDIUM
Confidence: HIGH
CWE:
- CWE-328: Use of Weak Hash
OWASP:
- A03:2017 - Sensitive Data Exposure
- A02:2021 - Cryptographic Failures

use-of-aes-ecb

Use of AES with ECB mode detected. ECB doesn’t provide message confidentiality and is not semantically secure so should not be used. Instead, use a strong, secure cipher: Cipher.getInstance(“AES/CBC/PKCS7PADDING”). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information.
Likelihood: MEDIUM
Confidence: HIGH
CWE:
- CWE-327: Use of a Broken or Risky Cryptographic Algorithm
OWASP:
- A03:2017 - Sensitive Data Exposure
- A02:2021 - Cryptographic Failures

gcm-nonce-reuse

GCM IV/nonce is reused: encryption can be totally useless
Likelihood: MEDIUM
Confidence: HIGH
CWE:
- CWE-323: Reusing a Nonce, Key Pair in Encryption
OWASP:
- A02:2021 - Cryptographic Failures

use-of-rc2

Use of RC2 was detected. RC2 is vulnerable to related-key attacks, and is therefore considered non-compliant. Instead, use a strong, secure cipher: Cipher.getInstance(“AES/CBC/PKCS7PADDING”). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information.
Likelihood: MEDIUM
Confidence: HIGH
CWE:
- CWE-327: Use of a Broken or Risky Cryptographic Algorithm
OWASP:
- A03:2017 - Sensitive Data Exposure
- A02:2021 - Cryptographic Failures

no-null-cipher

NullCipher was detected. This will not encrypt anything; the cipher text will be the same as the plain text. Use a valid, secure cipher: Cipher.getInstance(“AES/CBC/PKCS7PADDING”). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information.
Likelihood: MEDIUM
Confidence: HIGH
CWE:
- CWE-327: Use of a Broken or Risky Cryptographic Algorithm
OWASP:
- A03:2017 - Sensitive Data Exposure
- A02:2021 - Cryptographic Failures

use-of-weak-rsa-key

RSA keys should be at least 2048 bits based on NIST recommendation.
Likelihood: MEDIUM
Confidence: HIGH
CWE:
- CWE-326: Inadequate Encryption Strength
OWASP:
- A03:2017 - Sensitive Data Exposure
- A02:2021 - Cryptographic Failures

use-of-sha1

Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Instead, use PBKDF2 for password hashing or SHA256 or SHA512 for other hash function applications.
Likelihood: MEDIUM
Confidence: HIGH
CWE:
- CWE-328: Use of Weak Hash
OWASP:
- A03:2017 - Sensitive Data Exposure
- A02:2021 - Cryptographic Failures
Active debug code printstacktraceSsl
twitterlinkedin
Powered by Mintlify
Assistant
Responses are generated using AI and may contain mistakes.