Default value used for property retrieval may cause an issue and should be handled.
IMPORTANT NOTE: The current implementation only look at string provided as first argument of javax.crypto.Cipher.getInstance(). The rule will be modified to handle string retrieved by properties, but it does not fix the real issue. Indeed, a complete solution would require to be able to evaluate the expression provided as argument in order to say if it corresponds to one of the forbidden algorithms. Such evaluation can only be achieved using CFG and by exploring all the possible evaluation path, which is still a work in progress.