During an empirical study to understand the nature of cryptographic misuses in enterprise-driven projects on GitHub, we randomly inspected a few of the misuses. One of the misuses for which we could confirm as a true positive of the analysis, CogniCryptSAST, is in this project.
In the class com.tmobile.pacman.util.CommonUtils, l. 973 , a string is passed as a secret key that is considered insecure. In Java, strings are immutable and stay in memory until collected by Java's garbage collector. Thus, they are longer visible in memory for attackers than necessary and outside of the direct control of the developer. The suggested data types by the JCA are bytes.
Reproduce steps
Execute CogniCrypt_SAST to retrieve the misuse reported above.
Expected Results
I would except no true positive from CogniCrypt_SAST.
Summary
During an empirical study to understand the nature of cryptographic misuses in enterprise-driven projects on GitHub, we randomly inspected a few of the misuses. One of the misuses for which we could confirm as a true positive of the analysis, CogniCryptSAST, is in this project.
Reproduce steps
Execute CogniCrypt_SAST to retrieve the misuse reported above.
Expected Results
I would except no true positive from CogniCrypt_SAST.
Actual Results
CogniCrypt_SAST reports misuses for the project.