Scala Hardcoded KeyParameter Use
Description
This detector identifies hardcoded cryptographic keys passed to BouncyCastle's KeyParameter constructor in Scala code. Hardcoded keys pose a severe security risk as they are embedded in source code, making them easily discoverable by attackers and impossible to rotate without code changes.
Detection Strategy
• The code must import BouncyCastle's KeyParameter class (from org.bouncycastle.crypto.params package) either explicitly or through wildcard imports
• A KeyParameter constructor call must be present in the code
• The first argument to the KeyParameter constructor must be a hardcoded value (string literal, byte array literal, or other compile-time constant)
• The detector examines each KeyParameter instantiation and flags those where the key material is statically defined rather than dynamically loaded from secure storage
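The following Python sketch is an added illustration, not Fluid Attacks' detector code: it applies the four conditions above to Scala source text using heuristic regular expressions (an assumption, not the real detector's parser), and the two Scala samples embedded in it are constructed for the example.

```python
import re

# Constructed Scala samples (not from the page): a hardcoded key and a runtime-generated one.
VULNERABLE_SRC = """import org.bouncycastle.crypto.params.KeyParameter
object CryptoExample {
  def createKey(): KeyParameter =
    new KeyParameter(Array[Byte](1,2,3,4,5,6,7,8,1,2,3,4,5,6,7,8))
}
"""
SAFE_SRC = """import java.security.SecureRandom
import org.bouncycastle.crypto.params._
object CryptoExample {
  def createKey(): KeyParameter = {
    val key = new Array[Byte](16)
    new SecureRandom().nextBytes(key)
    new KeyParameter(key)
  }
}
"""

# KeyParameter must be imported: explicitly, via wildcard, or inside a brace import list.
IMPORT_RE = re.compile(r"^\s*import\s+org\.bouncycastle\.crypto\.params\."
                       r"(?:KeyParameter\b|_\b|\{[^}]*\bKeyParameter\b[^}]*\})", re.M)
CALL_RE = re.compile(r"\bnew\s+KeyParameter\s*\(")
# A first argument counts as hardcoded when it starts as a string, char or numeric
# literal, or as an Array(...) / Array[Byte](...) literal (heuristic, not a full parser).
LITERAL_RE = re.compile(r"^(?:[\"'0-9]|Array(?:\[Byte\])?\s*\()")

def first_argument(src, start):
    """Text of the first argument after the opening paren at `start`, honouring nesting."""
    depth = 0
    for i in range(start, len(src)):
        ch = src[i]
        if ch in "([":
            depth += 1
        elif depth == 0 and ch in "),]":
            return src[start:i].strip()
        elif ch in ")]":
            depth -= 1
    return src[start:].strip()

def find_hardcoded_keyparameters(src):
    """Return [(line, argument)] for each KeyParameter built from a literal key."""
    if not IMPORT_RE.search(src):
        return []  # mirrors the detector's import precondition
    findings = []
    for m in CALL_RE.finditer(src):
        arg = first_argument(src, m.end())
        if LITERAL_RE.match(arg):
            findings.append((src.count("\n", 0, m.start()) + 1, arg))
    return findings
```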
Vulnerable code example
import org.bouncycastle.crypto.params.KeyParameter

object CryptoExample {
  def createKey(): KeyParameter = {
    // VULNERABLE: Hardcoded key makes encryption predictable
    new KeyParameter(Array[Byte](1,2,3,4,5,6,7,8,1,2,3,4,5,6,7,8))
  }
}

✅ Secure code example
import java.security.SecureRandom
import org.bouncycastle.crypto.params.KeyParameter

object CryptoExample {
  def createKey(): KeyParameter = {
    val key = new Array[Byte](16)
    new SecureRandom().nextBytes(key) // SAFE: Generate random key at runtime
    new KeyParameter(key)
  }
}