Encrypting data is security-sensitive. It has led in the past to the following vulnerabilities:

Proper encryption requires both the encryption algorithm and the key to be strong. Obviously the private key needs to remain secret and be renewed regularly. However these are not the only means to defeat or weaken an encryption.

This rule flags function calls that initiate encryption/decryption.

Ask Yourself Whether

You are at risk if you answered yes to any of those questions.

Recommended Secure Coding Practices

Sensitive Code Example

// === javax.crypto ===
import javax.crypto.Cipher;
Cipher c = Cipher.getInstance(...);  // Sensitive

// === apache.commons.crypto ===
import java.util.Properties;
import org.apache.commons.crypto.utils.Utils;
import org.apache.commons.crypto.cipher.CryptoCipherFactory;
import org.apache.commons.crypto.cipher.CryptoCipherFactory.CipherProvider;

Properties properties = new Properties();
properties.setProperty(CryptoCipherFactory.CLASSES_KEY, CipherProvider.OPENSSL.getClassName());
final String transform = "AES/CBC/PKCS5Padding";
Utils.getCipherInstance(transform, properties);  // Sensitive

See

Deprecated

This rule is deprecated; use {rule:java:S4426}, {rule:java:S5542}, {rule:java:S5547} instead.