Alfresco / alfresco-transform-core

GNU Lesser General Public License v3.0

ACS-7776 Upgrade 3rd Party Components #954

Closed pzhyland closed 4 months ago

github-actions[bot] commented 4 months ago

Scan Summary:
PIPELINE_SCAN_VERSION: 24.4.0-0
DEV-STAGE: DEVELOPMENT
PROJECT-NAME: alfresco-transform-core
SCAN_ID: 3527c15f-f910-4521-914c-1b8748453714
SCAN_STATUS: SUCCESS
SCAN_MESSAGE: Scan successful. Results size: 1872 bytes
====================
Analysis Successful.
====================

==========================
Found 5 Scannable modules.
==========================
JS files within alfresco-transform-core-aio-5.1.2-A1-SNAPSHOT-javadoc.jar
JS files within jwarc-0.29.0.jar
engines/aio/target/alfresco-transform-core-aio-5.1.2-A1-SNAPSHOT.jar
JS files within alfresco-base-t-engine-5.1.2-A1-SNAPSHOT-javadoc.jar
JS files within alfresco-transform-model-5.1.2-A1-SNAPSHOT-javadoc.jar

===================
Analyzed 5 modules.
===================
JS files within alfresco-transform-core-aio-5.1.2-A1-SNAPSHOT-javadoc.jar
JS files within jwarc-0.29.0.jar
engines/aio/target/alfresco-transform-core-aio-5.1.2-A1-SNAPSHOT.jar
JS files within alfresco-base-t-engine-5.1.2-A1-SNAPSHOT-javadoc.jar
JS files within alfresco-transform-model-5.1.2-A1-SNAPSHOT-javadoc.jar

==================
Analyzed 1 issues.
==================

----------------------------------
Found 1 issues of Medium severity.
----------------------------------
CWE-327: Use of a Broken or Risky Cryptographic Algorithm: aj/org/objectweb/asm/commons/SerialVersionUIDAdder.java:426
Details: This function uses the SHA() function, which uses a hash algorithm that is considered weak. In recent years, researchers have demonstrated ways to breach many uses of previously-thought-safe hash functions such as MD5. Consider using a stronger algorithm in order to prevent attackers from being able to manipulate hash results. If this algorithm is being used to hash passwords, then consider using a strong computationally-hard algorithm such as PBKDF2 or bcrypt instead of a plain hashing algorithm. References: CWE
https://downloads.veracode.com/securityscan/cwe/v4/java/327.html
****
Total flaws found: 1, New flaws found: 1 as compared to baseline
****

========================
FAILURE: Found 1 issues!
========================

[08 May 2024 13:20:44,0719] PIPELINE-SCAN INFO: Writing Scan Summary to file '/home/runner/work/alfresco-transform-core/alfresco-transform-core/results.json'.

github-actions[bot] commented 4 months ago

Scan Summary:
PIPELINE_SCAN_VERSION: 24.4.0-0
DEV-STAGE: DEVELOPMENT
PROJECT-NAME: alfresco-transform-core
SCAN_ID: dc7d0e3d-d112-4fb6-80f4-9bd5980dc307
SCAN_STATUS: SUCCESS
SCAN_MESSAGE: Scan successful. Results size: 119145 bytes
====================
Analysis Successful.
====================

==========================
Found 5 Scannable modules.
==========================
JS files within alfresco-transform-core-aio-5.1.2-A1-SNAPSHOT-javadoc.jar
JS files within jwarc-0.29.0.jar
engines/aio/target/alfresco-transform-core-aio-5.1.2-A1-SNAPSHOT.jar
JS files within alfresco-base-t-engine-5.1.2-A1-SNAPSHOT-javadoc.jar
JS files within alfresco-transform-model-5.1.2-A1-SNAPSHOT-javadoc.jar

===================
Analyzed 5 modules.
===================
JS files within alfresco-transform-core-aio-5.1.2-A1-SNAPSHOT-javadoc.jar
JS files within jwarc-0.29.0.jar
engines/aio/target/alfresco-transform-core-aio-5.1.2-A1-SNAPSHOT.jar
JS files within alfresco-base-t-engine-5.1.2-A1-SNAPSHOT-javadoc.jar
JS files within alfresco-transform-model-5.1.2-A1-SNAPSHOT-javadoc.jar

===================
Analyzed 60 issues.
===================

-----------------------------------
Found 40 issues of Medium severity.
-----------------------------------
CWE-327: Use of a Broken or Risky Cryptographic Algorithm: aj/org/objectweb/asm/commons/SerialVersionUIDAdder.java:426
Details: This function uses the SHA() function, which uses a hash algorithm that is considered weak. In recent years, researchers have demonstrated ways to breach many uses of previously-thought-safe hash functions such as MD5. Consider using a stronger algorithm in order to prevent attackers from being able to manipulate hash results. If this algorithm is being used to hash passwords, then consider using a strong computationally-hard algorithm such as PBKDF2 or bcrypt instead of a plain hashing algorithm. References: CWE
https://downloads.veracode.com/securityscan/cwe/v4/java/327.html
CWE-327: Use of a Broken or Risky Cryptographic Algorithm: org/bouncycastle/jcajce/provider/asymmetric/compositesignatures/org/bouncycastle/jcajce/provider/asymmetric/compositesignatures/SignatureSpi.java:1
Details: This cryptographic object is initialized with cipher 'Dilithium', which uses a known risky cryptographic algorithm. While it was once considered a strong algorithm, it is now regarded as insufficient in light of computational advances. Use a stronger cryptographic scheme by consulting latest cryptographic literature. For e.g. use AES instead of Triple-DES block cipher algorithm, use authenticated encryption modes such as GCM, use ChaCha20 or RSA instead of RC family of stream ciphers. For storing passwords use one of the well vetted algorithms such as pbkdf2, bcrypt, scrypt or Argon2. References: CWE
NIST SP 800-131, Table 1

https://downloads.veracode.com/securityscan/cwe/v4/java/327.html
CWE-327: Use of a Broken or Risky Cryptographic Algorithm: org/bouncycastle/jcajce/provider/asymmetric/compositesignatures/org/bouncycastle/jcajce/provider/asymmetric/compositesignatures/SignatureSpi.java:1
Details: This cryptographic object is initialized with cipher 'Falcon', which uses a known risky cryptographic algorithm. While it was once considered a strong algorithm, it is now regarded as insufficient in light of computational advances. Use a stronger cryptographic scheme by consulting latest cryptographic literature. For e.g. use AES instead of Triple-DES block cipher algorithm, use authenticated encryption modes such as GCM, use ChaCha20 or RSA instead of RC family of stream ciphers. For storing passwords use one of the well vetted algorithms such as pbkdf2, bcrypt, scrypt or Argon2. References: CWE
NIST SP 800-131, Table 1

https://downloads.veracode.com/securityscan/cwe/v4/java/327.html
CWE-327: Use of a Broken or Risky Cryptographic Algorithm: org/bouncycastle/jcajce/provider/asymmetric/compositesignatures/org/bouncycastle/jcajce/provider/asymmetric/compositesignatures/SignatureSpi.java:1
Details: This cryptographic object is initialized with cipher 'Dilithium', which uses a known risky cryptographic algorithm. While it was once considered a strong algorithm, it is now regarded as insufficient in light of computational advances. Use a stronger cryptographic scheme by consulting latest cryptographic literature. For e.g. use AES instead of Triple-DES block cipher algorithm, use authenticated encryption modes such as GCM, use ChaCha20 or RSA instead of RC family of stream ciphers. For storing passwords use one of the well vetted algorithms such as pbkdf2, bcrypt, scrypt or Argon2. References: CWE
NIST SP 800-131, Table 1

https://downloads.veracode.com/securityscan/cwe/v4/java/327.html
CWE-327: Use of a Broken or Risky Cryptographic Algorithm: org/bouncycastle/jcajce/provider/asymmetric/compositesignatures/org/bouncycastle/jcajce/provider/asymmetric/compositesignatures/SignatureSpi.java:1
Details: This cryptographic object is initialized with cipher 'Ed25519', which uses a known risky cryptographic algorithm. While it was once considered a strong algorithm, it is now regarded as insufficient in light of computational advances. Use a stronger cryptographic scheme by consulting latest cryptographic literature. For e.g. use AES instead of Triple-DES block cipher algorithm, use authenticated encryption modes such as GCM, use ChaCha20 or RSA instead of RC family of stream ciphers. For storing passwords use one of the well vetted algorithms such as pbkdf2, bcrypt, scrypt or Argon2. References: CWE
NIST SP 800-131, Table 1

https://downloads.veracode.com/securityscan/cwe/v4/java/327.html
CWE-327: Use of a Broken or Risky Cryptographic Algorithm: org/bouncycastle/jcajce/provider/asymmetric/compositesignatures/org/bouncycastle/jcajce/provider/asymmetric/compositesignatures/SignatureSpi.java:1
Details: This cryptographic object is initialized with cipher 'Falcon', which uses a known risky cryptographic algorithm. While it was once considered a strong algorithm, it is now regarded as insufficient in light of computational advances. Use a stronger cryptographic scheme by consulting latest cryptographic literature. For e.g. use AES instead of Triple-DES block cipher algorithm, use authenticated encryption modes such as GCM, use ChaCha20 or RSA instead of RC family of stream ciphers. For storing passwords use one of the well vetted algorithms such as pbkdf2, bcrypt, scrypt or Argon2. References: CWE
NIST SP 800-131, Table 1

https://downloads.veracode.com/securityscan/cwe/v4/java/327.html
CWE-327: Use of a Broken or Risky Cryptographic Algorithm: org/bouncycastle/jcajce/provider/asymmetric/compositesignatures/org/bouncycastle/jcajce/provider/asymmetric/compositesignatures/SignatureSpi.java:1
Details: This cryptographic object is initialized with cipher 'Dilithium', which uses a known risky cryptographic algorithm. While it was once considered a strong algorithm, it is now regarded as insufficient in light of computational advances. Use a stronger cryptographic scheme by consulting latest cryptographic literature. For e.g. use AES instead of Triple-DES block cipher algorithm, use authenticated encryption modes such as GCM, use ChaCha20 or RSA instead of RC family of stream ciphers. For storing passwords use one of the well vetted algorithms such as pbkdf2, bcrypt, scrypt or Argon2. References: CWE
NIST SP 800-131, Table 1

https://downloads.veracode.com/securityscan/cwe/v4/java/327.html
CWE-327: Use of a Broken or Risky Cryptographic Algorithm: org/bouncycastle/jcajce/provider/asymmetric/compositesignatures/org/bouncycastle/jcajce/provider/asymmetric/compositesignatures/SignatureSpi.java:1
Details: This cryptographic object is initialized with cipher 'Ed448', which uses a known risky cryptographic algorithm. While it was once considered a strong algorithm, it is now regarded as insufficient in light of computational advances. Use a stronger cryptographic scheme by consulting latest cryptographic literature. For e.g. use AES instead of Triple-DES block cipher algorithm, use authenticated encryption modes such as GCM, use ChaCha20 or RSA instead of RC family of stream ciphers. For storing passwords use one of the well vetted algorithms such as pbkdf2, bcrypt, scrypt or Argon2. References: CWE
NIST SP 800-131, Table 1

https://downloads.veracode.com/securityscan/cwe/v4/java/327.html
CWE-327: Use of a Broken or Risky Cryptographic Algorithm: org/bouncycastle/jcajce/provider/asymmetric/compositesignatures/org/bouncycastle/jcajce/provider/asymmetric/compositesignatures/SignatureSpi.java:1
Details: This cryptographic object is initialized with cipher 'Dilithium', which uses a known risky cryptographic algorithm. While it was once considered a strong algorithm, it is now regarded as insufficient in light of computational advances. Use a stronger cryptographic scheme by consulting latest cryptographic literature. For e.g. use AES instead of Triple-DES block cipher algorithm, use authenticated encryption modes such as GCM, use ChaCha20 or RSA instead of RC family of stream ciphers. For storing passwords use one of the well vetted algorithms such as pbkdf2, bcrypt, scrypt or Argon2. References: CWE
NIST SP 800-131, Table 1

https://downloads.veracode.com/securityscan/cwe/v4/java/327.html
CWE-327: Use of a Broken or Risky Cryptographic Algorithm: org/bouncycastle/jcajce/provider/asymmetric/compositesignatures/org/bouncycastle/jcajce/provider/asymmetric/compositesignatures/SignatureSpi.java:1
Details: This cryptographic object is initialized with cipher 'Dilithium', which uses a known risky cryptographic algorithm. While it was once considered a strong algorithm, it is now regarded as insufficient in light of computational advances. Use a stronger cryptographic scheme by consulting latest cryptographic literature. For e.g. use AES instead of Triple-DES block cipher algorithm, use authenticated encryption modes such as GCM, use ChaCha20 or RSA instead of RC family of stream ciphers. For storing passwords use one of the well vetted algorithms such as pbkdf2, bcrypt, scrypt or Argon2. References: CWE
NIST SP 800-131, Table 1

https://downloads.veracode.com/securityscan/cwe/v4/java/327.html
CWE-327: Use of a Broken or Risky Cryptographic Algorithm: org/bouncycastle/jcajce/provider/asymmetric/compositesignatures/org/bouncycastle/jcajce/provider/asymmetric/compositesignatures/SignatureSpi.java:1
Details: This cryptographic object is initialized with cipher 'Ed25519', which uses a known risky cryptographic algorithm. While it was once considered a strong algorithm, it is now regarded as insufficient in light of computational advances. Use a stronger cryptographic scheme by consulting latest cryptographic literature. For e.g. use AES instead of Triple-DES block cipher algorithm, use authenticated encryption modes such as GCM, use ChaCha20 or RSA instead of RC family of stream ciphers. For storing passwords use one of the well vetted algorithms such as pbkdf2, bcrypt, scrypt or Argon2. References: CWE
NIST SP 800-131, Table 1

https://downloads.veracode.com/securityscan/cwe/v4/java/327.html
CWE-327: Use of a Broken or Risky Cryptographic Algorithm: org/bouncycastle/jcajce/provider/asymmetric/compositesignatures/org/bouncycastle/jcajce/provider/asymmetric/compositesignatures/SignatureSpi.java:1
Details: This cryptographic object is initialized with cipher 'Dilithium', which uses a known risky cryptographic algorithm. While it was once considered a strong algorithm, it is now regarded as insufficient in light of computational advances. Use a stronger cryptographic scheme by consulting latest cryptographic literature. For e.g. use AES instead of Triple-DES block cipher algorithm, use authenticated encryption modes such as GCM, use ChaCha20 or RSA instead of RC family of stream ciphers. For storing passwords use one of the well vetted algorithms such as pbkdf2, bcrypt, scrypt or Argon2. References: CWE
NIST SP 800-131, Table 1

https://downloads.veracode.com/securityscan/cwe/v4/java/327.html
CWE-327: Use of a Broken or Risky Cryptographic Algorithm: org/bouncycastle/jcajce/provider/asymmetric/compositesignatures/org/bouncycastle/jcajce/provider/asymmetric/compositesignatures/SignatureSpi.java:1
Details: This cryptographic object is initialized with cipher 'Dilithium', which uses a known risky cryptographic algorithm. While it was once considered a strong algorithm, it is now regarded as insufficient in light of computational advances. Use a stronger cryptographic scheme by consulting latest cryptographic literature. For e.g. use AES instead of Triple-DES block cipher algorithm, use authenticated encryption modes such as GCM, use ChaCha20 or RSA instead of RC family of stream ciphers. For storing passwords use one of the well vetted algorithms such as pbkdf2, bcrypt, scrypt or Argon2. References: CWE
NIST SP 800-131, Table 1

https://downloads.veracode.com/securityscan/cwe/v4/java/327.html
CWE-327: Use of a Broken or Risky Cryptographic Algorithm: org/bouncycastle/jcajce/provider/asymmetric/compositesignatures/org/bouncycastle/jcajce/provider/asymmetric/compositesignatures/SignatureSpi.java:1
Details: This cryptographic object is initialized with cipher 'Dilithium', which uses a known risky cryptographic algorithm. While it was once considered a strong algorithm, it is now regarded as insufficient in light of computational advances. Use a stronger cryptographic scheme by consulting latest cryptographic literature. For e.g. use AES instead of Triple-DES block cipher algorithm, use authenticated encryption modes such as GCM, use ChaCha20 or RSA instead of RC family of stream ciphers. For storing passwords use one of the well vetted algorithms such as pbkdf2, bcrypt, scrypt or Argon2. References: CWE
NIST SP 800-131, Table 1

https://downloads.veracode.com/securityscan/cwe/v4/java/327.html
CWE-327: Use of a Broken or Risky Cryptographic Algorithm: org/bouncycastle/jcajce/provider/asymmetric/compositesignatures/org/bouncycastle/jcajce/provider/asymmetric/compositesignatures/KeyPairGeneratorSpi.java:1
Details: This function uses the Dilithium() function, which uses a hash algorithm that is considered weak. In recent years, researchers have demonstrated ways to breach many uses of previously-thought-safe hash functions such as MD5. Consider using a stronger algorithm in order to prevent attackers from being able to manipulate hash results. If this algorithm is being used to hash passwords, then consider using a strong computationally-hard algorithm such as PBKDF2 or bcrypt instead of a plain hashing algorithm. References: CWE
https://downloads.veracode.com/securityscan/cwe/v4/java/327.html
CWE-327: Use of a Broken or Risky Cryptographic Algorithm: org/bouncycastle/jcajce/provider/asymmetric/compositesignatures/org/bouncycastle/jcajce/provider/asymmetric/compositesignatures/KeyPairGeneratorSpi.java:1
Details: This function uses the P-384() function, which uses a hash algorithm that is considered weak. In recent years, researchers have demonstrated ways to breach many uses of previously-thought-safe hash functions such as MD5. Consider using a stronger algorithm in order to prevent attackers from being able to manipulate hash results. If this algorithm is being used to hash passwords, then consider using a strong computationally-hard algorithm such as PBKDF2 or bcrypt instead of a plain hashing algorithm. References: CWE
https://downloads.veracode.com/securityscan/cwe/v4/java/327.html
CWE-327: Use of a Broken or Risky Cryptographic Algorithm: org/bouncycastle/jcajce/provider/asymmetric/compositesignatures/org/bouncycastle/jcajce/provider/asymmetric/compositesignatures/KeyPairGeneratorSpi.java:1
Details: This function uses the Dilithium() function, which uses a hash algorithm that is considered weak. In recent years, researchers have demonstrated ways to breach many uses of previously-thought-safe hash functions such as MD5. Consider using a stronger algorithm in order to prevent attackers from being able to manipulate hash results. If this algorithm is being used to hash passwords, then consider using a strong computationally-hard algorithm such as PBKDF2 or bcrypt instead of a plain hashing algorithm. References: CWE
https://downloads.veracode.com/securityscan/cwe/v4/java/327.html
CWE-327: Use of a Broken or Risky Cryptographic Algorithm: org/bouncycastle/jcajce/provider/asymmetric/compositesignatures/org/bouncycastle/jcajce/provider/asymmetric/compositesignatures/KeyPairGeneratorSpi.java:1
Details: This function uses the Dilithium() function, which uses a hash algorithm that is considered weak. In recent years, researchers have demonstrated ways to breach many uses of previously-thought-safe hash functions such as MD5. Consider using a stronger algorithm in order to prevent attackers from being able to manipulate hash results. If this algorithm is being used to hash passwords, then consider using a strong computationally-hard algorithm such as PBKDF2 or bcrypt instead of a plain hashing algorithm. References: CWE
https://downloads.veracode.com/securityscan/cwe/v4/java/327.html
CWE-327: Use of a Broken or Risky Cryptographic Algorithm: org/bouncycastle/jcajce/provider/asymmetric/compositesignatures/org/bouncycastle/jcajce/provider/asymmetric/compositesignatures/KeyPairGeneratorSpi.java:1
Details: This function uses the Dilithium() function, which uses a hash algorithm that is considered weak. In recent years, researchers have demonstrated ways to breach many uses of previously-thought-safe hash functions such as MD5. Consider using a stronger algorithm in order to prevent attackers from being able to manipulate hash results. If this algorithm is being used to hash passwords, then consider using a strong computationally-hard algorithm such as PBKDF2 or bcrypt instead of a plain hashing algorithm. References: CWE
https://downloads.veracode.com/securityscan/cwe/v4/java/327.html
CWE-327: Use of a Broken or Risky Cryptographic Algorithm: org/bouncycastle/jcajce/provider/asymmetric/compositesignatures/org/bouncycastle/jcajce/provider/asymmetric/compositesignatures/KeyPairGeneratorSpi.java:1
Details: This function uses the Dilithium() function, which uses a hash algorithm that is considered weak. In recent years, researchers have demonstrated ways to breach many uses of previously-thought-safe hash functions such as MD5. Consider using a stronger algorithm in order to prevent attackers from being able to manipulate hash results. If this algorithm is being used to hash passwords, then consider using a strong computationally-hard algorithm such as PBKDF2 or bcrypt instead of a plain hashing algorithm. References: CWE
https://downloads.veracode.com/securityscan/cwe/v4/java/327.html
CWE-327: Use of a Broken or Risky Cryptographic Algorithm: org/bouncycastle/jcajce/provider/asymmetric/compositesignatures/org/bouncycastle/jcajce/provider/asymmetric/compositesignatures/KeyPairGeneratorSpi.java:1
Details: This function uses the Dilithium() function, which uses a hash algorithm that is considered weak. In recent years, researchers have demonstrated ways to breach many uses of previously-thought-safe hash functions such as MD5. Consider using a stronger algorithm in order to prevent attackers from being able to manipulate hash results. If this algorithm is being used to hash passwords, then consider using a strong computationally-hard algorithm such as PBKDF2 or bcrypt instead of a plain hashing algorithm. References: CWE
https://downloads.veracode.com/securityscan/cwe/v4/java/327.html
CWE-327: Use of a Broken or Risky Cryptographic Algorithm: org/bouncycastle/jcajce/provider/asymmetric/compositesignatures/org/bouncycastle/jcajce/provider/asymmetric/compositesignatures/KeyPairGeneratorSpi.java:1
Details: This function uses the Dilithium() function, which uses a hash algorithm that is considered weak. In recent years, researchers have demonstrated ways to breach many uses of previously-thought-safe hash functions such as MD5. Consider using a stronger algorithm in order to prevent attackers from being able to manipulate hash results. If this algorithm is being used to hash passwords, then consider using a strong computationally-hard algorithm such as PBKDF2 or bcrypt instead of a plain hashing algorithm. References: CWE
https://downloads.veracode.com/securityscan/cwe/v4/java/327.html
CWE-327: Use of a Broken or Risky Cryptographic Algorithm: org/bouncycastle/jcajce/provider/asymmetric/compositesignatures/org/bouncycastle/jcajce/provider/asymmetric/compositesignatures/KeyPairGeneratorSpi.java:1
Details: This function uses the brainpoolP384r1() function, which uses a hash algorithm that is considered weak. In recent years, researchers have demonstrated ways to breach many uses of previously-thought-safe hash functions such as MD5. Consider using a stronger algorithm in order to prevent attackers from being able to manipulate hash results. If this algorithm is being used to hash passwords, then consider using a strong computationally-hard algorithm such as PBKDF2 or bcrypt instead of a plain hashing algorithm. References: CWE
https://downloads.veracode.com/securityscan/cwe/v4/java/327.html
CWE-327: Use of a Broken or Risky Cryptographic Algorithm: org/bouncycastle/jcajce/provider/asymmetric/compositesignatures/org/bouncycastle/jcajce/provider/asymmetric/compositesignatures/KeyPairGeneratorSpi.java:1
Details: This function uses the Falcon() function, which uses a hash algorithm that is considered weak. In recent years, researchers have demonstrated ways to breach many uses of previously-thought-safe hash functions such as MD5. Consider using a stronger algorithm in order to prevent attackers from being able to manipulate hash results. If this algorithm is being used to hash passwords, then consider using a strong computationally-hard algorithm such as PBKDF2 or bcrypt instead of a plain hashing algorithm. References: CWE
https://downloads.veracode.com/securityscan/cwe/v4/java/327.html
CWE-327: Use of a Broken or Risky Cryptographic Algorithm: org/bouncycastle/jcajce/provider/asymmetric/compositesignatures/org/bouncycastle/jcajce/provider/asymmetric/compositesignatures/KeyPairGeneratorSpi.java:1
Details: This function uses the Falcon() function, which uses a hash algorithm that is considered weak. In recent years, researchers have demonstrated ways to breach many uses of previously-thought-safe hash functions such as MD5. Consider using a stronger algorithm in order to prevent attackers from being able to manipulate hash results. If this algorithm is being used to hash passwords, then consider using a strong computationally-hard algorithm such as PBKDF2 or bcrypt instead of a plain hashing algorithm. References: CWE
https://downloads.veracode.com/securityscan/cwe/v4/java/327.html
CWE-327: Use of a Broken or Risky Cryptographic Algorithm: org/bouncycastle/jcajce/provider/asymmetric/compositesignatures/org/bouncycastle/jcajce/provider/asymmetric/compositesignatures/KeyPairGeneratorSpi.java:1
Details: This function uses the Dilithium() function, which uses a hash algorithm that is considered weak. In recent years, researchers have demonstrated ways to breach many uses of previously-thought-safe hash functions such as MD5. Consider using a stronger algorithm in order to prevent attackers from being able to manipulate hash results. If this algorithm is being used to hash passwords, then consider using a strong computationally-hard algorithm such as PBKDF2 or bcrypt instead of a plain hashing algorithm. References: CWE
https://downloads.veracode.com/securityscan/cwe/v4/java/327.html
CWE-327: Use of a Broken or Risky Cryptographic Algorithm: org/bouncycastle/jcajce/provider/asymmetric/compositesignatures/org/bouncycastle/jcajce/provider/asymmetric/compositesignatures/KeyPairGeneratorSpi.java:1
Details: This function uses the Falcon() function, which uses a hash algorithm that is considered weak. In recent years, researchers have demonstrated ways to breach many uses of previously-thought-safe hash functions such as MD5. Consider using a stronger algorithm in order to prevent attackers from being able to manipulate hash results. If this algorithm is being used to hash passwords, then consider using a strong computationally-hard algorithm such as PBKDF2 or bcrypt instead of a plain hashing algorithm. References: CWE
https://downloads.veracode.com/securityscan/cwe/v4/java/327.html
CWE-327: Use of a Broken or Risky Cryptographic Algorithm: org/bouncycastle/jcajce/provider/asymmetric/compositesignatures/org/bouncycastle/jcajce/provider/asymmetric/compositesignatures/KeyPairGeneratorSpi.java:1
Details: This function uses the Dilithium() function, which uses a hash algorithm that is considered weak. In recent years, researchers have demonstrated ways to breach many uses of previously-thought-safe hash functions such as MD5. Consider using a stronger algorithm in order to prevent attackers from being able to manipulate hash results. If this algorithm is being used to hash passwords, then consider using a strong computationally-hard algorithm such as PBKDF2 or bcrypt instead of a plain hashing algorithm. References: CWE
https://downloads.veracode.com/securityscan/cwe/v4/java/327.html
CWE-327: Use of a Broken or Risky Cryptographic Algorithm: org/bouncycastle/jcajce/provider/asymmetric/compositesignatures/org/bouncycastle/jcajce/provider/asymmetric/compositesignatures/KeyPairGeneratorSpi.java:1
Details: This function uses the P-256() function, which uses a hash algorithm that is considered weak. In recent years, researchers have demonstrated ways to breach many uses of previously-thought-safe hash functions such as MD5. Consider using a stronger algorithm in order to prevent attackers from being able to manipulate hash results. If this algorithm is being used to hash passwords, then consider using a strong computationally-hard algorithm such as PBKDF2 or bcrypt instead of a plain hashing algorithm. References: CWE
https://downloads.veracode.com/securityscan/cwe/v4/java/327.html
CWE-327: Use of a Broken or Risky Cryptographic Algorithm: org/bouncycastle/jcajce/provider/asymmetric/compositesignatures/org/bouncycastle/jcajce/provider/asymmetric/compositesignatures/KeyPairGeneratorSpi.java:1
Details: This function uses the P-256() function, which uses a hash algorithm that is considered weak. In recent years, researchers have demonstrated ways to breach many uses of previously-thought-safe hash functions such as MD5. Consider using a stronger algorithm in order to prevent attackers from being able to manipulate hash results. If this algorithm is being used to hash passwords, then consider using a strong computationally-hard algorithm such as PBKDF2 or bcrypt instead of a plain hashing algorithm. References: CWE
https://downloads.veracode.com/securityscan/cwe/v4/java/327.html
CWE-327: Use of a Broken or Risky Cryptographic Algorithm: org/bouncycastle/jcajce/provider/asymmetric/compositesignatures/org/bouncycastle/jcajce/provider/asymmetric/compositesignatures/KeyPairGeneratorSpi.java:1
Details: This function uses the brainpoolP256r1() function, which uses a hash algorithm that is considered weak. In recent years, researchers have demonstrated ways to breach many uses of previously-thought-safe hash functions such as MD5. Consider using a stronger algorithm in order to prevent attackers from being able to manipulate hash results. If this algorithm is being used to hash passwords, then consider using a strong computationally-hard algorithm such as PBKDF2 or bcrypt instead of a plain hashing algorithm. References: CWE
https://downloads.veracode.com/securityscan/cwe/v4/java/327.html
CWE-327: Use of a Broken or Risky Cryptographic Algorithm: org/bouncycastle/jcajce/provider/asymmetric/compositesignatures/org/bouncycastle/jcajce/provider/asymmetric/compositesignatures/KeyPairGeneratorSpi.java:1
Details: This function uses the Dilithium() function, which uses a hash algorithm that is considered weak. In recent years, researchers have demonstrated ways to breach many uses of previously-thought-safe hash functions such as MD5. Consider using a stronger algorithm in order to prevent attackers from being able to manipulate hash results. If this algorithm is being used to hash passwords, then consider using a strong computationally-hard algorithm such as PBKDF2 or bcrypt instead of a plain hashing algorithm. References: CWE
https://downloads.veracode.com/securityscan/cwe/v4/java/327.html
CWE-327: Use of a Broken or Risky Cryptographic Algorithm: org/bouncycastle/jcajce/provider/asymmetric/compositesignatures/org/bouncycastle/jcajce/provider/asymmetric/compositesignatures/KeyPairGeneratorSpi.java:1
Details: This function uses the Dilithium() function, which uses a hash algorithm that is considered weak. In recent years, researchers have demonstrated ways to breach many uses of previously-thought-safe hash functions such as MD5. Consider using a stronger algorithm in order to prevent attackers from being able to manipulate hash results. If this algorithm is being used to hash passwords, then consider using a strong computationally-hard algorithm such as PBKDF2 or bcrypt instead of a plain hashing algorithm. References: CWE
https://downloads.veracode.com/securityscan/cwe/v4/java/327.html
CWE-327: Use of a Broken or Risky Cryptographic Algorithm: org/bouncycastle/jcajce/provider/asymmetric/compositesignatures/org/bouncycastle/jcajce/provider/asymmetric/compositesignatures/KeyPairGeneratorSpi.java:1
Details: This function uses the brainpoolP256r1() function, which uses a hash algorithm that is considered weak. In recent years, researchers have demonstrated ways to breach many uses of previously-thought-safe hash functions such as MD5. Consider using a stronger algorithm in order to prevent attackers from being able to manipulate hash results. If this algorithm is being used to hash passwords, then consider using a strong computationally-hard algorithm such as PBKDF2 or bcrypt instead of a plain hashing algorithm. References: CWE
https://downloads.veracode.com/securityscan/cwe/v4/java/327.html
CWE-327: Use of a Broken or Risky Cryptographic Algorithm: org/bouncycastle/jcajce/provider/asymmetric/compositesignatures/org/bouncycastle/jcajce/provider/asymmetric/compositesignatures/KeyPairGeneratorSpi.java:1
Details: This function uses the brainpoolP256r1() function, which uses a hash algorithm that is considered weak. In recent years, researchers have demonstrated ways to breach many uses of previously-thought-safe hash functions such as MD5. Consider using a stronger algorithm in order to prevent attackers from being able to manipulate hash results. If this algorithm is being used to hash passwords, then consider using a strong computationally-hard algorithm such as PBKDF2 or bcrypt instead of a plain hashing algorithm. References: CWE
https://downloads.veracode.com/securityscan/cwe/v4/java/327.html
CWE-327: Use of a Broken or Risky Cryptographic Algorithm: org/bouncycastle/jcajce/provider/asymmetric/compositesignatures/org/bouncycastle/jcajce/provider/asymmetric/compositesignatures/KeyPairGeneratorSpi.java:1
Details: This function uses the P-256() function, which uses a hash algorithm that is considered weak. In recent years, researchers have demonstrated ways to breach many uses of previously-thought-safe hash functions such as MD5. Consider using a stronger algorithm in order to prevent attackers from being able to manipulate hash results. If this algorithm is being used to hash passwords, then consider using a strong computationally-hard algorithm such as PBKDF2 or bcrypt instead of a plain hashing algorithm. References: CWE
https://downloads.veracode.com/securityscan/cwe/v4/java/327.html
CWE-326: Inadequate Encryption Strength: org/bouncycastle/jcajce/provider/asymmetric/compositesignatures/org/bouncycastle/jcajce/provider/asymmetric/compositesignatures/KeyPairGeneratorSpi.java:1
Details: The key size specified for this algorithm is not large enough to protect it from brute force attacks. For symmetric and message authentication code algorithms use a key size >= 128 bits, for RSA use a key size >= 2048 bits, and for elliptic curve based algorithms use a key size >= 256 bits. References: CWE
https://downloads.veracode.com/securityscan/cwe/v4/java/326.html
CWE-326: Inadequate Encryption Strength: org/bouncycastle/jcajce/provider/asymmetric/compositesignatures/org/bouncycastle/jcajce/provider/asymmetric/compositesignatures/KeyPairGeneratorSpi.java:1
Details: The key size specified for this algorithm is not large enough to protect it from brute force attacks. For symmetric and message authentication code algorithms use a key size >= 128 bits, for RSA use a key size >= 2048 bits, and for elliptic curve based algorithms use a key size >= 256 bits. References: CWE
https://downloads.veracode.com/securityscan/cwe/v4/java/326.html
CWE-326: Inadequate Encryption Strength: org/bouncycastle/jcajce/provider/asymmetric/compositesignatures/org/bouncycastle/jcajce/provider/asymmetric/compositesignatures/KeyPairGeneratorSpi.java:1
Details: The key size specified for this algorithm is not large enough to protect it from brute force attacks. For symmetric and message authentication code algorithms use a key size >= 128 bits, for RSA use a key size >= 2048 bits, and for elliptic curve based algorithms use a key size >= 256 bits. References: CWE
https://downloads.veracode.com/securityscan/cwe/v4/java/326.html
CWE-326: Inadequate Encryption Strength: org/bouncycastle/jcajce/provider/asymmetric/compositesignatures/org/bouncycastle/jcajce/provider/asymmetric/compositesignatures/KeyPairGeneratorSpi.java:1
Details: The key size specified for this algorithm is not large enough to protect it from brute force attacks. For symmetric and message authentication code algorithms use a key size >= 128 bits, for RSA use a key size >= 2048 bits, and for elliptic curve based algorithms use a key size >= 256 bits. References: CWE
https://downloads.veracode.com/securityscan/cwe/v4/java/326.html
-----------------------------------
Skipping 20 issues of Low severity.
-----------------------------------
**Total flaws found: 60, New flaws found: 40 as compared to baseline**

=========================
FAILURE: Found 40 issues!
=========================

[08 May 2024 13:35:49,0978] PIPELINE-SCAN INFO: Writing Scan Summary to file '/home/runner/work/alfresco-transform-core/alfresco-transform-core/results.json'.
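Triaging the report above by where each finding lives, as an added example (not part of alfresco-transform-core, and not Veracode tooling). Every Medium finding listed in the comment sits at line 1 of BouncyCastle's composite-signature `KeyPairGeneratorSpi`, i.e. in dependency bytecode bundled into the AIO jar, and the CWE-327 "weak hash algorithm" text names `Dilithium`, `brainpoolP256r1` and `P-256`, none of which is a hash function. The script parses the summary's three-line finding format, separates bundled third-party paths from first-party ones, and calls out the mislabelled entries. `SUMMARY` is a constructed excerpt: four abridged copies of the BouncyCastle lines (doubled path prefix collapsed, Details text shortened) plus one invented first-party finding (`org/alfresco/transform/Example.java`) so the contrast shows; the `THIRD_PARTY_PREFIXES` tuple and the `NOT_A_HASH` table are this example's own assumptions.

```python
"""Triage a Veracode pipeline-scan text summary by finding origin.

Added example for this scan comment; it is not part of alfresco-transform-core
or of Veracode's tooling. SUMMARY is a constructed excerpt: the first four
findings are abridged copies of the BouncyCastle lines in the comment, the
last one (org/alfresco/transform/Example.java) is invented to show a
first-party hit. THIRD_PARTY_PREFIXES and NOT_A_HASH are assumptions.
"""
import re
from collections import Counter

SUMMARY = """\
CWE-327: Use of a Broken or Risky Cryptographic Algorithm: org/bouncycastle/jcajce/provider/asymmetric/compositesignatures/KeyPairGeneratorSpi.java:1
Details: This function uses the Dilithium() function, which uses a hash algorithm that is considered weak. References: CWE
https://downloads.veracode.com/securityscan/cwe/v4/java/327.html
CWE-327: Use of a Broken or Risky Cryptographic Algorithm: org/bouncycastle/jcajce/provider/asymmetric/compositesignatures/KeyPairGeneratorSpi.java:1
Details: This function uses the brainpoolP256r1() function, which uses a hash algorithm that is considered weak. References: CWE
https://downloads.veracode.com/securityscan/cwe/v4/java/327.html
CWE-327: Use of a Broken or Risky Cryptographic Algorithm: org/bouncycastle/jcajce/provider/asymmetric/compositesignatures/KeyPairGeneratorSpi.java:1
Details: This function uses the P-256() function, which uses a hash algorithm that is considered weak. References: CWE
https://downloads.veracode.com/securityscan/cwe/v4/java/327.html
CWE-326: Inadequate Encryption Strength: org/bouncycastle/jcajce/provider/asymmetric/compositesignatures/KeyPairGeneratorSpi.java:1
Details: The key size specified for this algorithm is not large enough to protect it from brute force attacks. References: CWE
https://downloads.veracode.com/securityscan/cwe/v4/java/326.html
CWE-327: Use of a Broken or Risky Cryptographic Algorithm: org/alfresco/transform/Example.java:42
Details: This function uses the MD5() function, which uses a hash algorithm that is considered weak. References: CWE
https://downloads.veracode.com/securityscan/cwe/v4/java/327.html
"""

# One finding spans three summary lines: the CWE header, the Details line and
# the reference URL. Only the first two carry information worth keeping.
FINDING_RE = re.compile(r"^(CWE-\d+): (.+?): (\S+\.java):(\d+)$")
ALGO_RE = re.compile(r"^Details: This function uses the (\S+?)\(\) function")

# Assumed: paths under these prefixes are bytecode from dependencies bundled
# into the AIO jar, not code this repository can change.
THIRD_PARTY_PREFIXES = ("org/bouncycastle/", "aj/org/objectweb/asm/")

# Names the scanner reported as "a hash algorithm that is considered weak"
# although they are not hash functions at all.
NOT_A_HASH = {
    "P-256": "NIST elliptic curve",
    "brainpoolP256r1": "Brainpool elliptic curve",
    "Dilithium": "post-quantum signature scheme (ML-DSA)",
}


def parse_findings(text):
    """Turn the text summary into a list of finding dicts."""
    findings = []
    for line in text.splitlines():
        m = FINDING_RE.match(line)
        if m:
            cwe, title, path, lineno = m.groups()
            findings.append({"cwe": cwe, "title": title, "path": path,
                             "line": int(lineno), "algorithm": None})
            continue
        m = ALGO_RE.match(line)
        if m and findings and findings[-1]["algorithm"] is None:
            findings[-1]["algorithm"] = m.group(1)
    return findings


def origin(finding):
    """'third-party' for bundled dependency bytecode, else 'first-party'."""
    if finding["path"].startswith(THIRD_PARTY_PREFIXES):
        return "third-party"
    return "first-party"


def triage(text):
    """Split findings into what the repo can fix and what needs a baseline
    entry or a dependency upgrade, and list the obviously mislabelled ones."""
    findings = parse_findings(text)
    by_origin = Counter(origin(f) for f in findings)
    misclassified = [
        (f["path"], f["line"], f["algorithm"], NOT_A_HASH[f["algorithm"]])
        for f in findings if f["algorithm"] in NOT_A_HASH
    ]
    actionable = [f for f in findings if origin(f) == "first-party"]
    return {
        "total": len(findings),
        "by_origin": dict(by_origin),
        "misclassified": misclassified,
        "actionable": actionable,
    }


if __name__ == "__main__":
    report = triage(SUMMARY)
    print(f"{report['total']} findings: {report['by_origin']}")
    for path, line, algo, what in report["misclassified"]:
        print(f"  mislabelled: {path}:{line} flags {algo} ({what}) as a weak hash")
    for f in report["actionable"]:
        print(f"  fix in repo: {f['cwe']} at {f['path']}:{f['line']} ({f['algorithm']})")
```

The split matters for what to do with a failing gate: a first-party hit is a code change in this repository, while a hit inside BouncyCastle's bundled classes can only be addressed by upgrading or excluding the dependency, or by accepting it in the scan baseline. The `line 1` location on every BouncyCastle finding is another hint that the scanner is reporting on decompiled bytecode rather than source, so the location cannot be used to pinpoint a call site.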