# Use of NullCipher

## Description
The application uses a `NullCipher` instance, which implements the `Cipher` interface by returning ciphertext identical to the supplied plaintext. Any data passed to its `update(...)` or `doFinal(...)` methods comes back unchanged, so nothing is actually encrypted.
## Examples

### Insecure Code

```java
Cipher cipher = new javax.crypto.NullCipher();
```

### Secure Code

```java
Cipher chaChaCipher = Cipher.getInstance("ChaCha20-Poly1305/None/NoPadding");
```

## Remediation
Replace the `NullCipher` instance with a legitimate `Cipher` instance, such as `ChaCha20-Poly1305`.
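The following is an added example, not code from the rule page or the scanner project. It shows the finding concretely: `NullCipher` returns the input bytes unchanged, while the remediated path seals the same data with `ChaCha20-Poly1305` (Java 11+), using a 256-bit key from `KeyGenerator`, a fresh 96-bit nonce per message, and authenticated decryption that rejects tampered ciphertext. The class name, method names, and the sample plaintext are constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.NullCipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;

public class NullCipherDemo {

    // Constructed sample plaintext; not from the rule page.
    private static final byte[] PLAINTEXT =
            "account=12345;balance=100".getBytes(StandardCharsets.UTF_8);

    /** Demonstrates the finding: NullCipher's "ciphertext" is byte-for-byte the plaintext. */
    static boolean nullCipherReturnsPlaintext() throws GeneralSecurityException {
        Cipher noop = new NullCipher();           // needs no init(); flagged by this rule
        byte[] out = noop.doFinal(PLAINTEXT);
        return Arrays.equals(out, PLAINTEXT);     // true: nothing was encrypted
    }

    /** Remediated path: ChaCha20-Poly1305 AEAD with a random 12-byte nonce per message. */
    static byte[][] seal(SecretKey key, byte[] plaintext) throws GeneralSecurityException {
        byte[] nonce = new byte[12];
        new SecureRandom().nextBytes(nonce);      // never reuse a (key, nonce) pair
        Cipher cipher = Cipher.getInstance("ChaCha20-Poly1305/None/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(nonce));
        byte[] ciphertext = cipher.doFinal(plaintext); // ciphertext + 16-byte Poly1305 tag
        return new byte[][] { nonce, ciphertext };
    }

    /** Throws AEADBadTagException if the ciphertext or tag was modified in transit. */
    static byte[] open(SecretKey key, byte[] nonce, byte[] ciphertext)
            throws GeneralSecurityException {
        Cipher cipher = Cipher.getInstance("ChaCha20-Poly1305/None/NoPadding");
        cipher.init(Cipher.DECRYPT_MODE, key, new IvParameterSpec(nonce));
        return cipher.doFinal(ciphertext);
    }

    public static void main(String[] args) throws GeneralSecurityException {
        System.out.println("NullCipher output == plaintext: " + nullCipherReturnsPlaintext());

        KeyGenerator kg = KeyGenerator.getInstance("ChaCha20");
        kg.init(256);
        SecretKey key = kg.generateKey();

        byte[][] sealed = seal(key, PLAINTEXT);
        System.out.println("ChaCha20-Poly1305 output differs from plaintext: "
                + !Arrays.equals(sealed[1], PLAINTEXT));
        byte[] recovered = open(key, sealed[0], sealed[1]);
        System.out.println("round trip ok: " + Arrays.equals(recovered, PLAINTEXT));

        // Flip one ciphertext byte: authenticated decryption must reject it.
        sealed[1][0] ^= 0x01;
        try {
            open(key, sealed[0], sealed[1]);
            System.out.println("tampering NOT detected");
        } catch (AEADBadTagException e) {
            System.out.println("tampering detected: " + e.getMessage());
        }
    }
}
```

The nonce must be stored or transmitted alongside the ciphertext, and the same key/nonce pair must never be used to encrypt twice; the JDK's ChaCha20 implementation refuses to re-initialise for encryption with a repeated pair, so generating a fresh random nonce per `seal` call is the simplest correct pattern.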
## Rule Details
| Field | Value |
|---|---|
| ID | CODE-0694 |
| Category | Crypto |
| Severity | MEDIUM |
| CWE | CWE-327 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | MEDIUM |
| Exploitability | EASY |
| Tags | cryptography, encryption |
| OWASP | A3:2017-Sensitive Data Exposure, A02:2021-Cryptographic Failures |