Here’s another one of these infuriating cases where the tool can’t make up its mind.
I get a “critical” security warning on this:
Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
That sounds legit to me.
But then, I find another line in a class right next to this one, with no warning at all:
Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding", "BC");
Both are using the same algorithm, which is surely insecure. Questions:
- Is this algorithm bad in some situations and not in others? i.e., is Sonar trying to detect how we’re using the cipher after getting it? Or,
- Is this algorithm only bad if the provider is not Java’s default one? i.e., is it something about the way the algorithm is implemented in Java which is bad, and alternative providers might have an implementation which is not vulnerable? Or,
- Is Sonar erroneously only complaining about one overload of the method? i.e., is one of the two a false positive, or a false negative?
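The following is an added example, not code from the question above. It does not say what Sonar's rule implementation checks; it only shows, in working Java, what both overloads have in common and why the transformation string rather than the provider is the security-relevant part. The second argument `"BC"` selects the Bouncy Castle provider, which has to be registered with `Security.addProvider` for that overload to work (passing `null` below uses the JDK default provider, which is an assumption of this example, not something the question states). Either way you get a cipher with the same properties: CBC with PKCS5 padding encrypts but does not authenticate, so a receiver cannot tell a modified ciphertext from a genuine one. The sample message is constructed for the demonstration.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.IvParameterSpec;

public class CipherModeDemo {

    private static final SecureRandom RNG = new SecureRandom();

    // Both Cipher.getInstance overloads return a cipher with identical security
    // properties; the provider argument only chooses who implements it.
    // "BC" requires Bouncy Castle to be registered via Security.addProvider,
    // otherwise NoSuchProviderException is thrown. null = JDK default provider.
    static Cipher cbcCipher(String provider) throws GeneralSecurityException {
        String t = "AES/CBC/PKCS5Padding";
        return provider == null ? Cipher.getInstance(t) : Cipher.getInstance(t, provider);
    }

    static byte[] cbcEncrypt(SecretKey key, byte[] iv, byte[] plaintext, String provider)
            throws GeneralSecurityException {
        Cipher c = cbcCipher(provider);
        c.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(iv));
        return c.doFinal(plaintext);
    }

    static byte[] cbcDecrypt(SecretKey key, byte[] iv, byte[] ciphertext, String provider)
            throws GeneralSecurityException {
        Cipher c = cbcCipher(provider);
        c.init(Cipher.DECRYPT_MODE, key, new IvParameterSpec(iv));
        return c.doFinal(ciphertext);
    }

    // Authenticated alternative: AES-GCM with a 12-byte nonce and a 128-bit tag.
    // The nonce must never be reused with the same key.
    static byte[] gcmEncrypt(SecretKey key, byte[] nonce, byte[] plaintext)
            throws GeneralSecurityException {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, nonce));
        return c.doFinal(plaintext);
    }

    static byte[] gcmDecrypt(SecretKey key, byte[] nonce, byte[] ciphertext)
            throws GeneralSecurityException {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, nonce));
        return c.doFinal(ciphertext);
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey key = kg.generateKey();
        // Constructed sample message; 31 bytes, so PKCS5 pads it to two blocks.
        byte[] msg = "transfer 0100 EUR to account 42".getBytes(StandardCharsets.UTF_8);

        // CBC: flip one bit of the IV. Decryption XORs the IV into the first
        // plaintext block, so the same bit flips in the plaintext, the padding at
        // the end of the last block is untouched, and doFinal returns the altered
        // text without any error. No provider can fix this; it is the mode.
        byte[] iv = new byte[16];
        RNG.nextBytes(iv);
        byte[] ct = cbcEncrypt(key, iv, msg, null);
        byte[] evilIv = iv.clone();
        evilIv[9] ^= 0x01; // byte 9 of the plaintext is '0' (0x30); 0x30 ^ 0x01 = '1'
        byte[] tampered = cbcDecrypt(key, evilIv, ct, null);
        System.out.println("CBC accepted tampered input: "
                + new String(tampered, StandardCharsets.UTF_8)); // "transfer 1100 EUR ..."

        // GCM: the same kind of manipulation fails tag verification, and the
        // JCA releases no plaintext at all.
        byte[] nonce = new byte[12];
        RNG.nextBytes(nonce);
        byte[] gct = gcmEncrypt(key, nonce, msg);
        byte[] gctTampered = gct.clone();
        gctTampered[9] ^= 0x01;
        try {
            gcmDecrypt(key, nonce, gctTampered);
            System.out.println("unexpected: GCM accepted tampered ciphertext");
        } catch (AEADBadTagException e) {
            System.out.println("GCM rejected tampered ciphertext: " + e);
        }
        System.out.println("untampered GCM round trip ok: "
                + Arrays.equals(msg, gcmDecrypt(key, nonce, gct)));
    }
}
```

Run it with `java CipherModeDemo.java` on a recent JDK; to exercise the second overload, add the Bouncy Castle jar to the classpath, call `Security.addProvider(new BouncyCastleProvider())` and pass `"BC"` instead of `null`. The output is the same either way, which is the point: what distinguishes the two lines in the question is only who implements the algorithm, while the property a security scanner cares about (no integrity protection on the ciphertext) is decided by the transformation string.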