
Not properly generated randomised for SSLContext

Open akwick opened this issue 2 years ago • 0 comments

Please fill out the form below before submitting, thank you!

  • [ ] Bug exists Release Version 1.2.5 ( Master Branch)
  • [ ] Bug exists in MQTTv3 Client on Snapshot Version 1.2.6-SNAPSHOT (Develop Branch)
  • [x] Bug exists in MQTTv5 Client on Snapshot Version 1.2.6-SNAPSHOT (Develop Branch)

During an empirical study to understand the nature of cryptographic misuses in enterprise-driven projects on GitHub, we randomly inspected a few of the misuses. One of the misuses that we could confirm as a true positive of the analysis (CogniCryptSAST) is in this project. In the class SSLSocketFactoryFactory, the initialization of the SSLContext passes a not properly generated randomized value (null).

Expected behavior: A properly generated randomized value is passed
Observed behavior: Null is passed

How to Reproduce:

  • Apply CogniCryptSAST to the project
  • Inspect the misuses reported

akwick · Apr 27 '22 09:04
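The two forms of `SSLContext.init` at the centre of this report, side by side, as an added example that is not code from paho.mqtt.java and does not reproduce the real `SSLSocketFactoryFactory`. Per the `javax.net.ssl.SSLContext.init` Javadoc, a `null` third argument means the provider chooses its own default source of randomness; the static-analysis rule the reporter ran flags that form and expects an explicitly constructed `SecureRandom` instead. The class name `SslContextRandomness` and the helper method names are assumptions made for this example.

```java
import java.security.KeyStore;
import java.security.SecureRandom;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;

// Added example (not project code): contrasts the pattern reported in the issue
// with the explicit-SecureRandom form that CogniCryptSAST-style rules expect.
public final class SslContextRandomness {

    // Pattern reported in the issue: the SecureRandom parameter is null, so the
    // SSLContext provider silently picks a default randomness source. This is what
    // the analysis reports as a misuse.
    static SSLContext initWithNullRandom(TrustManager[] trustManagers) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        ctx.init(null, trustManagers, null);
        return ctx;
    }

    // Corrected form: the caller constructs a SecureRandom and hands it in, so the
    // choice of randomness source is explicit and visible to reviewers and tooling.
    static SSLContext initWithExplicitRandom(TrustManager[] trustManagers) throws Exception {
        SecureRandom random = new SecureRandom(); // platform default CSPRNG, non-blocking
        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        ctx.init(null, trustManagers, random);
        return ctx;
    }

    // Trust managers backed by the JDK's default trust store; passing a null KeyStore
    // to TrustManagerFactory.init selects that default store.
    static TrustManager[] defaultTrustManagers() throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        return tmf.getTrustManagers();
    }

    public static void main(String[] args) throws Exception {
        TrustManager[] tms = defaultTrustManagers();
        SSLContext hardened = initWithExplicitRandom(tms);
        System.out.println("Initialised " + hardened.getProtocol()
            + " context with an explicit SecureRandom");
    }
}
```

`new SecureRandom()` is used rather than `SecureRandom.getInstanceStrong()` because the latter may map to a blocking entropy source on some platforms and can stall connection setup; either satisfies the "explicitly provided" expectation, and the fix for the reported class is the one-line change from `null` to a constructed `SecureRandom`.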