During an empirical study to understand the nature of cryptographic misuses in enterprise-driven projects on GitHub, we randomly inspected a few of the misuses. One of the misuses that we could confirm as a true positive of the analysis (CogniCryptSAST) is in this project, in com.onelogin.saml2.util.Util.java.
In the method loadPrivateKey, a string (Line 576) is passed as a secret key, which is considered insecure. In Java, strings are immutable and stay in memory until collected by Java's garbage collector. Thus, they remain visible in memory to attackers longer than necessary and outside of the direct control of the developer. The data type suggested by the JCA is bytes. [JCA Documentation]
We hope that this information will help you, and we are looking forward to your response.
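To make the contrast concrete, here is an added example (not java-saml's own code; the class, the method names and the choice of RSA are assumptions): a PEM loader that takes the key as a String beside one that takes a byte[] it can zero after use.

```java
import java.security.KeyFactory;
import java.security.PrivateKey;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Arrays;
import java.util.Base64;

// Hypothetical class, added here to illustrate the report; not java-saml code.
public class PrivateKeyLoading {

    // The flagged pattern: the PEM text arrives as a String. Neither that String
    // nor the intermediate "body" String can be erased; both stay on the heap
    // until the garbage collector reclaims them.
    static PrivateKey loadFromString(String pem) throws Exception {
        String body = pem.replace("-----BEGIN PRIVATE KEY-----", "")
                         .replace("-----END PRIVATE KEY-----", "")
                         .replaceAll("\\s", "");
        byte[] der = Base64.getDecoder().decode(body);
        return KeyFactory.getInstance("RSA").generatePrivate(new PKCS8EncodedKeySpec(der));
    }

    // The byte[] form: every buffer is mutable, so the caller's copy, the stripped
    // Base64 and the decoded DER are all zeroed once the KeyFactory has consumed them.
    // The returned PrivateKey still holds its own copy; wiping only removes the extras.
    static PrivateKey loadFromBytes(byte[] pem) throws Exception {
        byte[] b64 = stripPemArmor(pem);
        byte[] der = new byte[0];
        try {
            der = Base64.getDecoder().decode(b64);
            return KeyFactory.getInstance("RSA").generatePrivate(new PKCS8EncodedKeySpec(der));
        } finally {
            Arrays.fill(der, (byte) 0);
            Arrays.fill(b64, (byte) 0);
            Arrays.fill(pem, (byte) 0);
        }
    }

    // Drops "-----BEGIN/END ...-----" lines and whitespace without building a String.
    static byte[] stripPemArmor(byte[] pem) {
        byte[] out = new byte[pem.length];
        int n = 0;
        boolean armorLine = false, lineStart = true;
        for (byte b : pem) {
            if (b == '\n' || b == '\r') { armorLine = false; lineStart = true; continue; }
            if (lineStart && b == '-') armorLine = true;
            lineStart = false;
            if (!armorLine && !Character.isWhitespace(b)) out[n++] = b;
        }
        byte[] trimmed = Arrays.copyOf(out, n);
        Arrays.fill(out, (byte) 0);  // the oversized scratch buffer also held key bytes
        return trimmed;
    }
}
```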