paho.mqtt.java
Not properly generated randomised for SSLContext
Please fill out the form below before submitting, thank you!
- [ ] Bug exists Release Version 1.2.5 ( Master Branch)
- [ ] Bug exists in MQTTv3 Client on Snapshot Version 1.2.6-SNAPSHOT (Develop Branch)
- [x] Bug exists in MQTTv5 Client on Snapshot Version 1.2.6-SNAPSHOT (Develop Branch)
During an empirical study to understand the nature of cryptographic misuses in enterprise-driven projects on GitHub, we randomly inspected a few of the misuses. One of the misuses that we could confirm as a true positive of the analysis tool, CogniCryptSAST, is in this project. In the class SSLSocketFactoryFactory, the initialization of the SSLContext passes a randomness source that is not properly generated (null).
Expected behavior: A properly generated randomness source is passed
Observed behavior: Null is passed
How to Reproduce:
- Apply CogniCryptSAST to the project
- Inspect the misuses reported
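For reference, the flagged call pattern and the explicit alternative side by side. This is an added illustration, not code from paho.mqtt.java; the key and trust managers are left null here so the JSSE defaults are used, and the method names are constructed for the example. Note that the JSSE documentation specifies that a null `random` argument makes `SSLContext.init` fall back to the default `SecureRandom` implementation, so the static-analysis finding concerns the randomness source being implicit rather than absent; passing an explicit `SecureRandom` makes the choice visible and auditable.

```java
import java.security.SecureRandom;
import javax.net.ssl.KeyManager;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;

public class SslContextRandomnessExample {

    // Pattern reported by CogniCryptSAST: the third argument to init() is null,
    // so the randomness source is chosen implicitly by the JSSE provider.
    static SSLContext initWithImplicitRandom(KeyManager[] kms, TrustManager[] tms)
            throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kms, tms, null);
        return ctx;
    }

    // Explicit form: the SecureRandom instance is created and passed by the caller,
    // so reviewers and analysis tools can see which source of randomness is in use.
    static SSLContext initWithExplicitRandom(KeyManager[] kms, TrustManager[] tms)
            throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        SecureRandom random = new SecureRandom(); // provider-seeded, non-blocking
        ctx.init(kms, tms, random);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Constructed usage: null managers fall back to the platform defaults.
        SSLContext implicit = initWithImplicitRandom(null, null);
        SSLContext explicit = initWithExplicitRandom(null, null);
        System.out.println("implicit: " + implicit.getProtocol()
                + " / explicit: " + explicit.getProtocol());
    }
}
```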