Scala Hardcoded Initialization Vector
Description
Detects the use of hardcoded initialization vectors (IVs) in cryptographic operations in Scala code. Using a hardcoded IV instead of a freshly generated random one severely weakens encryption: under a fixed key and a fixed IV, identical plaintexts always yield identical ciphertexts (and in CBC mode identical plaintext prefixes yield identical ciphertext prefixes), so the ciphertext becomes predictable and the scheme is exposed to cryptographic attacks.
Detection Strategy
• Checks whether the javax.crypto library is imported in the source code
• Identifies calls to the init method on Cipher instances
• Verifies whether the third argument passed to the init method is a hardcoded IvParameterSpec
• Reports a vulnerability when cryptographic operations use a static/hardcoded initialization vector instead of a randomly generated one
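The four-step strategy above, written out as an added heuristic scanner in Python. This is an editor's illustration, not Fluid Attacks' own analyzer: the regular expressions, the helper names (scan_scala, _call_args, _split_top_level, _is_hardcoded) and the three Scala snippets it is run against are all constructed for this example. It resolves an identifier passed to IvParameterSpec back to its val binding, so both a literal passed inline and a literal bound to a val are reported, while a buffer allocated with new Array[Byte](n) and filled at runtime is not.

```python
"""Heuristic scanner for hardcoded IVs passed to Cipher.init in Scala source (added example)."""
import re
from typing import Dict, List, Optional, Tuple

# Step 1: the javax.crypto library must be imported somewhere in the file.
IMPORT_RE = re.compile(r"^\s*import\s+javax\.crypto\b", re.MULTILINE)
# Step 2: every `.init(` call site; the argument list is extracted by paren matching.
INIT_CALL_RE = re.compile(r"\.init\s*\(")
# Step 3: the third argument must construct an IvParameterSpec.
IV_SPEC_RE = re.compile(r"new\s+IvParameterSpec\s*\((.*)\)\s*$", re.DOTALL)
# `val name = <expr>` bindings, used to resolve identifiers handed to IvParameterSpec.
VAL_RE = re.compile(r"\bval\s+(\w+)\s*(?::\s*[\w\[\]]+)?\s*=\s*(.+)")
STRING_LITERAL_RE = re.compile(r'"[^"]*"')
ARRAY_LITERAL_RE = re.compile(r"\bArray(?:\[Byte\])?\s*\(\s*-?\d")  # Array(1, 2, ...) / Array[Byte](0x01, ...)
NEW_ARRAY_RE = re.compile(r"\bnew\s+Array\b")                      # new Array[Byte](16): filled at runtime
GET_BYTES_RE = re.compile(r"\.getBytes(?:\s*\([^)]*\))?")          # strip .getBytes / .getBytes("UTF-8")


def _call_args(source: str, open_paren: int) -> Optional[str]:
    """Return the text inside the parentheses opening at index `open_paren`, or None if unbalanced."""
    depth = 0
    for i in range(open_paren, len(source)):
        if source[i] == "(":
            depth += 1
        elif source[i] == ")":
            depth -= 1
            if depth == 0:
                return source[open_paren + 1:i]
    return None


def _split_top_level(args: str) -> List[str]:
    """Split an argument list on commas that are not nested inside ( ) or [ ]."""
    parts: List[str] = []
    depth, current = 0, []
    for ch in args:
        if ch in "([":
            depth += 1
        elif ch in ")]":
            depth -= 1
        if ch == "," and depth == 0:
            parts.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    parts.append("".join(current).strip())
    return parts


def _is_hardcoded(expr: str, bindings: Dict[str, str], depth: int = 0) -> bool:
    """True when `expr` is a literal, or an identifier bound (via val) to a literal."""
    expr = GET_BYTES_RE.sub("", expr).strip()
    if depth > 8 or NEW_ARRAY_RE.search(expr):
        return False  # runtime-allocated buffer, e.g. one later filled by SecureRandom
    if STRING_LITERAL_RE.search(expr) or ARRAY_LITERAL_RE.search(expr):
        return True
    if re.fullmatch(r"\w+", expr) and expr in bindings:
        return _is_hardcoded(bindings[expr], bindings, depth + 1)
    return False


def scan_scala(source: str) -> List[Tuple[int, str]]:
    """Run the four detection steps; return (line, message) for each vulnerable init call."""
    if not IMPORT_RE.search(source):
        return []  # step 1: javax.crypto is not used in this file
    bindings = {name: rhs for name, rhs in VAL_RE.findall(source)}
    findings: List[Tuple[int, str]] = []
    for call in INIT_CALL_RE.finditer(source):  # step 2
        args_text = _call_args(source, call.end() - 1)
        if args_text is None:
            continue
        args = _split_top_level(args_text)
        if len(args) < 3:
            continue
        spec = IV_SPEC_RE.match(args[2])  # step 3
        if spec and _is_hardcoded(spec.group(1), bindings):
            line = source.count("\n", 0, call.start()) + 1
            findings.append((line, "hardcoded IvParameterSpec passed to Cipher.init"))  # step 4
    return findings


# Constructed Scala snippets (not from any real project) used as scanner input.
VULNERABLE = """import javax.crypto.Cipher
import javax.crypto.spec.IvParameterSpec
import javax.crypto.spec.SecretKeySpec

def encrypt(data: String, key: String): Array[Byte] = {
  val staticIv = "0123456789abcdef" // hardcoded IV
  val cipher = Cipher.getInstance("AES/CBC/PKCS5Padding")
  val keySpec = new SecretKeySpec(key.getBytes("UTF-8"), "AES")
  cipher.init(Cipher.ENCRYPT_MODE, keySpec, new IvParameterSpec(staticIv.getBytes("UTF-8")))
  cipher.doFinal(data.getBytes("UTF-8"))
}
"""
SECURE = """import java.security.SecureRandom
import javax.crypto.Cipher
import javax.crypto.spec.IvParameterSpec
import javax.crypto.spec.SecretKeySpec

def encrypt(data: String, key: String): (Array[Byte], Array[Byte]) = {
  val iv = new Array[Byte](16)
  new SecureRandom().nextBytes(iv)
  val cipher = Cipher.getInstance("AES/CBC/PKCS5Padding")
  val keySpec = new SecretKeySpec(key.getBytes("UTF-8"), "AES")
  cipher.init(Cipher.ENCRYPT_MODE, keySpec, new IvParameterSpec(iv))
  (cipher.doFinal(data.getBytes("UTF-8")), iv)
}
"""
INLINE_LITERAL = """import javax.crypto.Cipher
import javax.crypto.spec.IvParameterSpec
val cipher = Cipher.getInstance("AES/CBC/PKCS5Padding")
cipher.init(Cipher.ENCRYPT_MODE, keySpec, new IvParameterSpec("0123456789abcdef".getBytes))
"""

if __name__ == "__main__":
    for name, src in (("VULNERABLE", VULNERABLE), ("SECURE", SECURE), ("INLINE_LITERAL", INLINE_LITERAL)):
        print(name, scan_scala(src))
```

The scanner is deliberately text-based and will miss an IV that is a constant imported from another file or built through a method call, and it only resolves one level of val bindings per hop; a production rule would work on the parsed AST rather than on lines. It is enough, however, to show why the strategy checks the third init argument rather than merely searching for string literals: the secure snippet also contains string literals, but its IV argument resolves to a runtime-filled buffer and is not reported.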
Vulnerable code example

```scala
import javax.crypto.Cipher
import javax.crypto.spec.IvParameterSpec
import javax.crypto.spec.SecretKeySpec

def encrypt(data: String, key: String): Array[Byte] = {
  val staticIv = "0123456789abcdef" // Vulnerable: Using hardcoded static IV
  val cipher = Cipher.getInstance("AES/CBC/PKCS5Padding")
  // The lines below are reconstructed to complete the example: the static IV is
  // wrapped in an IvParameterSpec and passed as the third argument to init.
  val keySpec = new SecretKeySpec(key.getBytes("UTF-8"), "AES")
  cipher.init(Cipher.ENCRYPT_MODE, keySpec, new IvParameterSpec(staticIv.getBytes("UTF-8")))
  cipher.doFinal(data.getBytes("UTF-8"))
}
```

✅ Secure code example
```scala
import java.security.SecureRandom
import javax.crypto.Cipher
import javax.crypto.spec.IvParameterSpec
import javax.crypto.spec.SecretKeySpec

def encrypt(data: String, key: String): (Array[Byte], Array[Byte]) = {
  val iv = new Array[Byte](16)
  new SecureRandom().nextBytes(iv) // Safe: Using SecureRandom for IV generation
  // The lines below are reconstructed to complete the example: the random IV is
  // passed to init and returned with the ciphertext so the receiver can decrypt.
  val cipher = Cipher.getInstance("AES/CBC/PKCS5Padding")
  val keySpec = new SecretKeySpec(key.getBytes("UTF-8"), "AES")
  cipher.init(Cipher.ENCRYPT_MODE, keySpec, new IvParameterSpec(iv))
  (cipher.doFinal(data.getBytes("UTF-8")), iv)
}
```