RSPEC-2258

"javax.crypto.NullCipher" should not be used for anything other than testing

    Details

    • Message:
      Remove this use of the "NullCipher" class.
    • Default Severity:
      Blocker
    • Impact:
      High
    • Likelihood:
      High
    • Default Quality Profiles:
      Sonar way
    • Covered Languages:
      Java
    • Remediation Function:
      Constant/Issue
    • Constant Cost:
      15min
    • Analysis Scope:
      Main Sources
    • Common Rule:
      Yes
    • CWE:
      CWE-327
    • OWASP:
      A6
    • SANS Top 25:
      Porous Defenses
    • FindSecBugs:
      NULL_CIPHER

      Description

      By contract, the NullCipher class provides an "identity cipher" – one that does not transform or encrypt the plaintext in any way. As a consequence, the ciphertext is identical to the plaintext. This class should therefore only be used for testing, never in production code.

      Noncompliant Code Example

      import javax.crypto.NullCipher;

      NullCipher nc = new NullCipher(); // Noncompliant: identity cipher, output equals input
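To make the identity behaviour concrete and show it beside a compliant replacement, the following is an added example, not code from the rule page or from SonarSource; the class name, method names and the sample input are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.NullCipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

public class NullCipherDemo {

    // Noncompliant: NullCipher is an identity transform, so the "ciphertext"
    // it returns is byte-for-byte the plaintext. No init() call is needed
    // because the class marks itself initialized in its constructor.
    static byte[] encryptWithNullCipher(byte[] plaintext) throws Exception {
        Cipher nc = new NullCipher();
        return nc.doFinal(plaintext);
    }

    // Compliant alternative: AES-GCM with a fresh 96-bit IV per message.
    // Returns IV || ciphertext || 128-bit tag so a receiver can decrypt.
    static byte[] encryptWithAesGcm(SecretKey key, byte[] plaintext) throws Exception {
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, iv));
        byte[] ct = cipher.doFinal(plaintext);
        byte[] out = Arrays.copyOf(iv, iv.length + ct.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return out;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input, not taken from the rule page.
        byte[] plaintext = "account balance: 1200".getBytes(StandardCharsets.UTF_8);

        byte[] nullOut = encryptWithNullCipher(plaintext);
        System.out.println("NullCipher output equals plaintext: "
                + Arrays.equals(plaintext, nullOut));

        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey key = kg.generateKey();
        byte[] gcmOut = encryptWithAesGcm(key, plaintext);
        // Compare only the ciphertext body (skip the 12-byte IV prefix).
        byte[] body = Arrays.copyOfRange(gcmOut, 12, 12 + plaintext.length);
        System.out.println("AES-GCM output equals plaintext: "
                + Arrays.equals(plaintext, body));
    }
}
```

Running the class prints true for the NullCipher comparison and false for the AES-GCM one, which is exactly the property the rule flags.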
      

      See

      People

      • Assignee:
        Unassigned
      • Reporter:
        freddy.mallet Freddy Mallet (Inactive)