Recipe Name:
Use .stronger() for a more secure alternative
Description:
Encryptors.stronger() is more secure than Encryptors.standard()
Level:
warning
Language:
- java
Tags:
- Spring
- security
- framework specific
- Spring Security
Documentation
Encryptors.standard() is not an authenticated mode of encryption: it does not guarantee the authenticity of the data. Encryptors.stronger() provides a much more secure alternative.
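The difference can be observed directly. The following is an added example, not part of the recipe or of Spring Security: it encrypts the same record with both encryptors, changes one bit of the stored bytes, and reports whether decrypt() accepts the result. standard() returns altered plaintext without an error, while stronger() rejects the modified data. The class name, password and record are constructed for illustration, and spring-security-crypto is assumed to be on the classpath.

```java
import java.nio.charset.StandardCharsets;
import org.springframework.security.crypto.encrypt.BytesEncryptor;
import org.springframework.security.crypto.encrypt.Encryptors;
import org.springframework.security.crypto.keygen.KeyGenerators;

// Hypothetical demo class; not part of the recipe.
public class EncryptorTamperCheck {

    // Encrypts a record, flips one bit of the stored bytes, and reports what decrypt() does.
    static String decryptAfterTamper(BytesEncryptor encryptor, String plaintext) {
        byte[] stored = encryptor.encrypt(plaintext.getBytes(StandardCharsets.UTF_8));

        // Simulate modification at rest or in transit. The encryptor prepends a
        // 16-byte random IV to its output, so byte 0 belongs to the IV.
        stored[0] ^= 0x01;

        try {
            byte[] out = encryptor.decrypt(stored);
            // No integrity check fired: the caller receives data it never encrypted.
            return "accepted, plaintext = " + new String(out, StandardCharsets.UTF_8);
        } catch (IllegalStateException e) {
            // Spring wraps the underlying cipher failure in IllegalStateException.
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        String password = "constructed-demo-password";       // constructed sample value
        String salt = KeyGenerators.string().generateKey();  // random, hex-encoded as the API requires
        String record = "note=hello;id=1001";                // constructed sample record

        System.out.println("standard(): "
                + decryptAfterTamper(Encryptors.standard(password, salt), record));
        System.out.println("stronger(): "
                + decryptAfterTamper(Encryptors.stronger(password, salt), record));
    }
}
```

Data already encrypted with standard() cannot be decrypted by stronger(), so existing ciphertext has to be decrypted with the old encryptor and re-encrypted when applying the fix.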
Before
Encryptors.standard(password, salt);
After
Encryptors.stronger(password, salt);
References
Recipe
id: scw:spring:encryptors:stronger
version: 10
metadata:
  name: Use .stronger() for a more secure alternative
  shortDescription: Encryptors.stronger() is more secure than Encryptors.standard()
  level: warning
  language: java
  scwCategory: broken_cryptography:use_of_insecuredeprecated_alogirthms
  enabled: true
  descriptionFile: descriptions/Usestrongerforamoresecurealternative.html
  tags: Spring;security;framework specific;Spring Security
search:
  methodcall:
    name: standard
    type: org.springframework.security.crypto.encrypt.Encryptors
availableFixes:
- name: Replace with .stronger()
  actions:
  - rewrite:
      to: '{{{ qualifier }}}.stronger{{{ argumentList }}}'