[ https://issues.apache.org/jira/browse/VFS-551?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Bernd Eckenfels resolved VFS-551.
---------------------------------
Resolution: Fixed
Fix Version/s: 2.1 (was: 2.0)
Assignee: Bernd Eckenfels
I am not sure why "AES" (128) is considered "broken" or "risky"?
However, DefaultCryptor.java is used to obfuscate a password in the URL
(when manually called). It uses a fixed key and can therefore not be considered
cryptographic quality. I would not use it for such. I consider this a false
positive alert and close the bug as I don't know what could improve this
situation. I did add a warning in Javadoc, therefore closing this as fixed.
> BUG - Use of a Broken or Risky Cryptographic Algorithm - DefaultCryptor.java
> ----------------------------------------------------------------------------
>
> Key: VFS-551
> URL: https://issues.apache.org/jira/browse/VFS-551
> Project: Commons VFS
> Issue Type: Bug
> Affects Versions: 2.0
> Reporter: David Camilo Espitia Manrique
> Assignee: Bernd Eckenfels
> Fix For: 2.1
>
>
> Good day,
> We are currently using "Commons-vfs2-2.0", and the Veracode analysis
> found this bug in DefaultCryptor.java (near line 52); this class
> uses "AES":
> Description:
> The use of a broken or risky cryptographic algorithm is an unnecessary risk
> that may result in the disclosure of sensitive information.
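The point made in the resolution comment, that AES under a fixed key is obfuscation rather than encryption, shown as an added example that is not Commons VFS code. The 16-byte key, sample password and passphrase are constructed, and the PBKDF2/AES-GCM contrast is an assumption about one possible alternative, not something proposed in the issue.

```java
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;

public class FixedKeyDemo {
    // Constructed 16-byte key for illustration; NOT the key used by Commons VFS.
    private static final byte[] FIXED_KEY = "0123456789abcdef".getBytes(StandardCharsets.US_ASCII);

    // Obfuscation: AES-128 under a key that is compiled into the class.
    static byte[] fixedKeyCrypt(int mode, byte[] in) throws Exception {
        Cipher c = Cipher.getInstance("AES"); // the issue names only "AES"
        c.init(mode, new SecretKeySpec(FIXED_KEY, "AES"));
        return c.doFinal(in);
    }

    // Encryption: the key is derived from a secret that does not ship with the code.
    static SecretKey deriveKey(char[] passphrase, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(passphrase, salt, 210_000, 128);
        byte[] k = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        return new SecretKeySpec(k, "AES");
    }

    static byte[] gcmCrypt(int mode, SecretKey key, byte[] iv, byte[] in) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(mode, key, new GCMParameterSpec(128, iv));
        return c.doFinal(in);
    }

    public static void main(String[] args) throws Exception {
        byte[] password = "sample-password".getBytes(StandardCharsets.UTF_8); // constructed sample
        byte[] obf = fixedKeyCrypt(Cipher.ENCRYPT_MODE, password);
        // No secret is needed to reverse it: the key travels with the library.
        byte[] back = fixedKeyCrypt(Cipher.DECRYPT_MODE, obf);
        System.out.println("fixed key reversed: " + new String(back, StandardCharsets.UTF_8));

        byte[] salt = new byte[16], iv = new byte[12];
        SecureRandom rnd = new SecureRandom();
        rnd.nextBytes(salt);
        rnd.nextBytes(iv);
        byte[] ct = gcmCrypt(Cipher.ENCRYPT_MODE, deriveKey("operator passphrase".toCharArray(), salt), iv, password);
        try {
            gcmCrypt(Cipher.DECRYPT_MODE, deriveKey("wrong guess".toCharArray(), salt), iv, ct);
        } catch (AEADBadTagException e) {
            System.out.println("wrong passphrase rejected, ciphertext bytes: " + ct.length);
        }
    }
}
```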