Hello,

As part of some research about the common crypto mistakes that developers make <https://cs.ucsb.edu/~chris/research/doc/ccs13_cryptolint.pdf>, I noticed that your application has one of them.

In particular, there's a violation of Rule 3 in org.apache.kylin.common.util.EncryptUtil <https://github.com/apache/kylin/blob/5552164ba09eba989b9ddccdf3f1e4f83ed0b799/core-common/src/main/java/org/apache/kylin/common/util/EncryptUtil.java#L36>. That is, SecretKeySpec is being initialized with a constant key <https://github.com/apache/kylin/blob/5552164ba09eba989b9ddccdf3f1e4f83ed0b799/core-common/src/main/java/org/apache/kylin/common/util/EncryptUtil.java#L30> instead of a randomly generated one. One solution would be to generate a key using SecureRandom:

> byte[] key = new byte[16];
> new SecureRandom().nextBytes(key);
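An added example, not Kylin's code or the reporter's: a constructed Java class showing the fix the message suggests, with the SecureRandom-generated key kept outside the source tree and loaded at runtime, then used with AES/GCM (the cipher mode is an assumption; the message says nothing about how EncryptUtil uses the key).

```java
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

// Constructed example class; the cipher mode and key handling are assumptions, not Kylin's code.
public class KeyHandlingExample {
    private static final SecureRandom RNG = new SecureRandom();
    private static final int NONCE_LEN = 12; // 96-bit GCM nonce

    // The Rule 3 pattern is new SecretKeySpec(<constant bytes>, "AES"): the key ships in the jar.
    // Instead, draw it from a CSPRNG once at deployment time and keep the result outside the
    // source tree (keystore, secrets manager, operator-supplied config).
    static byte[] generateKeyBytes() {
        byte[] key = new byte[16]; // AES-128
        RNG.nextBytes(key);
        return key;
    }

    // Runtime side: rebuild the key from the externally supplied value and reject lengths
    // AES does not accept rather than silently truncating or padding.
    static SecretKey loadKey(String base64Key) {
        byte[] raw = Base64.getDecoder().decode(base64Key);
        if (raw.length != 16 && raw.length != 24 && raw.length != 32) {
            throw new IllegalArgumentException("AES key must be 16, 24 or 32 bytes, got " + raw.length);
        }
        return new SecretKeySpec(raw, "AES");
    }

    // AES/GCM with a fresh random nonce per message; the nonce is prepended to the ciphertext.
    static byte[] encrypt(SecretKey key, byte[] plaintext) throws Exception {
        byte[] nonce = new byte[NONCE_LEN];
        RNG.nextBytes(nonce);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, nonce));
        byte[] ct = cipher.doFinal(plaintext);
        byte[] out = new byte[NONCE_LEN + ct.length];
        System.arraycopy(nonce, 0, out, 0, NONCE_LEN);
        System.arraycopy(ct, 0, out, NONCE_LEN, ct.length);
        return out;
    }

    static byte[] decrypt(SecretKey key, byte[] blob) throws Exception {
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, blob, 0, NONCE_LEN));
        return cipher.doFinal(blob, NONCE_LEN, blob.length - NONCE_LEN); // AEADBadTagException on tampering
    }
}
```

Base64-encode the output of generateKeyBytes() once, store it out of band, and feed it to loadKey() at startup; a key that never appears in the repository cannot be recovered by reading the jar.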
