From f840f6104a2538c986a067582e1f80b45568d037 Mon Sep 17 00:00:00 2001 From: Geoffrey White <40627776+geoffw0@users.noreply.github.com> Date: Fri, 26 Jun 2026 14:07:15 +0100 Subject: [PATCH 1/4] Java: Make some $ Source annotations query specific. --- .../examples/BadMacUse/BadMacOrderDecryptThenMac.expected | 4 +--- .../examples/BadMacUse/BadMacOrderDecryptToMac.expected | 2 -- .../BadMacUse/BadMacOrderMacOnEncryptPlaintext.expected | 2 -- .../query-tests/quantum/examples/BadMacUse/BadMacUse.java | 6 +++--- .../examples/WeakOrUnknownKDFIterationCount/Test.java | 2 +- .../WeakKDFIterationCount.expected | 2 -- 6 files changed, 5 insertions(+), 13 deletions(-) diff --git a/java/ql/test/experimental/query-tests/quantum/examples/BadMacUse/BadMacOrderDecryptThenMac.expected b/java/ql/test/experimental/query-tests/quantum/examples/BadMacUse/BadMacOrderDecryptThenMac.expected index af36477b9172..c96f970557e2 100644 --- a/java/ql/test/experimental/query-tests/quantum/examples/BadMacUse/BadMacOrderDecryptThenMac.expected +++ b/java/ql/test/experimental/query-tests/quantum/examples/BadMacUse/BadMacOrderDecryptThenMac.expected @@ -30,7 +30,5 @@ nodes | BadMacUse.java:152:42:152:51 | ciphertext | semmle.label | ciphertext | subpaths testFailures -| BadMacUse.java:50:56:50:66 | // $ Source | Missing result: Source | -| BadMacUse.java:63:118:63:128 | // $ Source | Missing result: Source | | BadMacUse.java:92:31:92:35 | bytes : byte[] | Unexpected result: Source | -| BadMacUse.java:146:95:146:105 | // $ Source | Missing result: Source | +| BadMacUse.java:146:95:146:159 | // $ Source[java/quantum/examples/bad-mac-order-decrypt-then-mac] | Missing result: Source[java/quantum/examples/bad-mac-order-decrypt-then-mac] | diff --git a/java/ql/test/experimental/query-tests/quantum/examples/BadMacUse/BadMacOrderDecryptToMac.expected b/java/ql/test/experimental/query-tests/quantum/examples/BadMacUse/BadMacOrderDecryptToMac.expected index 6fcff81b7f6a..dad00fce4106 100644 
--- a/java/ql/test/experimental/query-tests/quantum/examples/BadMacUse/BadMacOrderDecryptToMac.expected +++ b/java/ql/test/experimental/query-tests/quantum/examples/BadMacUse/BadMacOrderDecryptToMac.expected @@ -31,7 +31,5 @@ nodes | BadMacUse.java:124:42:124:51 | ciphertext | semmle.label | ciphertext | subpaths testFailures -| BadMacUse.java:63:118:63:128 | // $ Source | Missing result: Source | | BadMacUse.java:92:16:92:36 | doFinal(...) : byte[] | Unexpected result: Source | | BadMacUse.java:124:42:124:51 | ciphertext | Unexpected result: Alert | -| BadMacUse.java:146:95:146:105 | // $ Source | Missing result: Source | diff --git a/java/ql/test/experimental/query-tests/quantum/examples/BadMacUse/BadMacOrderMacOnEncryptPlaintext.expected b/java/ql/test/experimental/query-tests/quantum/examples/BadMacUse/BadMacOrderMacOnEncryptPlaintext.expected index 2daa6405cd05..4dd13879d640 100644 --- a/java/ql/test/experimental/query-tests/quantum/examples/BadMacUse/BadMacOrderMacOnEncryptPlaintext.expected +++ b/java/ql/test/experimental/query-tests/quantum/examples/BadMacUse/BadMacOrderMacOnEncryptPlaintext.expected @@ -45,7 +45,5 @@ nodes | BadMacUse.java:152:42:152:51 | ciphertext | semmle.label | ciphertext | subpaths testFailures -| BadMacUse.java:50:56:50:66 | // $ Source | Missing result: Source | | BadMacUse.java:139:79:139:90 | input : byte[] | Unexpected result: Source | -| BadMacUse.java:146:95:146:105 | // $ Source | Missing result: Source | | BadMacUse.java:152:42:152:51 | ciphertext | Unexpected result: Alert | diff --git a/java/ql/test/experimental/query-tests/quantum/examples/BadMacUse/BadMacUse.java b/java/ql/test/experimental/query-tests/quantum/examples/BadMacUse/BadMacUse.java index 4c1ae5b36215..56a2c1120107 100644 --- a/java/ql/test/experimental/query-tests/quantum/examples/BadMacUse/BadMacUse.java +++ b/java/ql/test/experimental/query-tests/quantum/examples/BadMacUse/BadMacUse.java 
@@ -47,7 +47,7 @@ public void BadDecryptThenMacOnPlaintextVerify(byte[] encryptionKeyBytes, byte[] SecretKey encryptionKey = new SecretKeySpec(encryptionKeyBytes, "AES"); Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding"); cipher.init(Cipher.DECRYPT_MODE, encryptionKey, new SecureRandom()); - byte[] plaintext = cipher.doFinal(ciphertext); // $ Source + byte[] plaintext = cipher.doFinal(ciphertext); // $ Source[java/quantum/examples/bad-mac-order-decrypt-to-mac] // Now verify MAC (too late) SecretKey macKey = new SecretKeySpec(macKeyBytes, "HmacSHA256"); @@ -60,7 +60,7 @@ public void BadDecryptThenMacOnPlaintextVerify(byte[] encryptionKeyBytes, byte[] } } - public void BadMacOnPlaintext(byte[] encryptionKeyBytes, byte[] macKeyBytes, byte[] plaintext) throws Exception {// $ Source + public void BadMacOnPlaintext(byte[] encryptionKeyBytes, byte[] macKeyBytes, byte[] plaintext) throws Exception {// $ Source[java/quantum/examples/bad-mac-order-encrypt-plaintext-also-in-mac] // Create keys directly from provided byte arrays SecretKey encryptionKey = new SecretKeySpec(encryptionKeyBytes, "AES"); SecretKey macKey = new SecretKeySpec(macKeyBytes, "HmacSHA256"); @@ -143,7 +143,7 @@ public void decryptThenMac(byte[] encryptionKeyBytes, byte[] macKeyBytes, byte[] byte[] receivedMac = Arrays.copyOfRange(input, input.length - macLength, input.length); // Decrypt first (unsafe) - byte[] plaintext = decryptUsingWrapper(ciphertext, encryptionKeyBytes, new byte[16]); // $ Source + byte[] plaintext = decryptUsingWrapper(ciphertext, encryptionKeyBytes, new byte[16]); // $ Source[java/quantum/examples/bad-mac-order-decrypt-then-mac] // Now verify MAC (too late) SecretKey macKey = new SecretKeySpec(macKeyBytes, "HmacSHA256"); diff --git a/java/ql/test/experimental/query-tests/quantum/examples/WeakOrUnknownKDFIterationCount/Test.java b/java/ql/test/experimental/query-tests/quantum/examples/WeakOrUnknownKDFIterationCount/Test.java index 50bc113b9000..f2c71faf4353 100644 
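Review bot: In the `@@ -47,7 +47,7 @@` hunk of BadMacUse.java, the line now tagged `Source[java/quantum/examples/bad-mac-order-decrypt-to-mac]` decrypts with `AES/GCM/NoPadding` after `cipher.init(Cipher.DECRYPT_MODE, encryptionKey, new SecureRandom())`, which supplies no `GCMParameterSpec`; under the JCA contract a decrypt-mode init without required parameters fails with `InvalidKeyException`, and GCM would in any case check its own tag inside `doFinal`. That is harmless for a static-analysis fixture, but it blurs what the case is meant to model, namely decryption that happens before a separate HMAC is verified. I would add a comment above the `doFinal`, for example `// Static-analysis fixture only: not runnable as written (no GCMParameterSpec); models decrypting before the HMAC is verified`. The method body continues outside the hunk.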
--- a/java/ql/test/experimental/query-tests/quantum/examples/WeakOrUnknownKDFIterationCount/Test.java +++ b/java/ql/test/experimental/query-tests/quantum/examples/WeakOrUnknownKDFIterationCount/Test.java @@ -40,7 +40,7 @@ public void pbkdf2LowIteration(String password) throws Exception { * SAST/CBOM: - Parent: PBKDF2. - Iteration count is only 10, which is far * below acceptable security standards. - Flagged as insecure. */ - public void pbkdf2LowIteration(String password, int iterationCount) throws Exception { // $ Source + public void pbkdf2LowIteration(String password, int iterationCount) throws Exception { // $ Source[java/quantum/examples/unknown-kdf-iteration-count] byte[] salt = generateSalt(16); PBEKeySpec spec = new PBEKeySpec(password.toCharArray(), salt, iterationCount, 256); // $ Alert[java/quantum/examples/unknown-kdf-iteration-count] SecretKeyFactory factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256"); diff --git a/java/ql/test/experimental/query-tests/quantum/examples/WeakOrUnknownKDFIterationCount/WeakKDFIterationCount.expected b/java/ql/test/experimental/query-tests/quantum/examples/WeakOrUnknownKDFIterationCount/WeakKDFIterationCount.expected index cd19c73a6653..6918a04bece3 100644 --- a/java/ql/test/experimental/query-tests/quantum/examples/WeakOrUnknownKDFIterationCount/WeakKDFIterationCount.expected +++ b/java/ql/test/experimental/query-tests/quantum/examples/WeakOrUnknownKDFIterationCount/WeakKDFIterationCount.expected @@ -12,5 +12,3 @@ nodes | Test.java:58:30:58:38 | 1_000_000 : Number | semmle.label | 1_000_000 : Number | | Test.java:59:72:59:85 | iterationCount | semmle.label | iterationCount | subpaths -testFailures -| Test.java:43:92:43:102 | // $ Source | Missing result: Source | From 300e48e48ebed6d734ff15a1867f05112ddf3f3b Mon Sep 17 00:00:00 2001 
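Review bot: The Javadoc directly above the overload tagged in the Test.java hunk (`@@ -40,7 +40,7 @@`) still says "Iteration count is only 10 ... Flagged as insecure", yet this overload takes `iterationCount` as a parameter and both of its annotations name `java/quantum/examples/unknown-kdf-iteration-count`. The text looks copied from the one-argument `pbkdf2LowIteration(String password)` shown in the hunk header, though the start of the comment lies outside the hunk. I would reword it to something like `Iteration count comes from the caller and cannot be resolved statically; flagged as unknown rather than weak.` so the comment and the expected `Source`/`Alert` tags describe the same case.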
From: Geoffrey White <40627776+geoffw0@users.noreply.github.com> Date: Fri, 26 Jun 2026 14:11:45 +0100 Subject: [PATCH 2/4] Java: Move $ Source annotations that were incorrectly placed. --- .../examples/BadMacUse/BadMacOrderDecryptThenMac.expected | 3 --- .../query-tests/quantum/examples/BadMacUse/BadMacUse.java | 4 ++-- .../quantum/examples/WeakOrUnknownKDFIterationCount/Test.java | 4 ++-- .../UnknownKDFIterationCount.expected | 4 ---- 4 files changed, 4 insertions(+), 11 deletions(-) diff --git a/java/ql/test/experimental/query-tests/quantum/examples/BadMacUse/BadMacOrderDecryptThenMac.expected b/java/ql/test/experimental/query-tests/quantum/examples/BadMacUse/BadMacOrderDecryptThenMac.expected index c96f970557e2..dc4f64411c42 100644 --- a/java/ql/test/experimental/query-tests/quantum/examples/BadMacUse/BadMacOrderDecryptThenMac.expected +++ b/java/ql/test/experimental/query-tests/quantum/examples/BadMacUse/BadMacOrderDecryptThenMac.expected @@ -29,6 +29,3 @@ nodes | BadMacUse.java:146:48:146:57 | ciphertext : byte[] | semmle.label | ciphertext : byte[] | | BadMacUse.java:152:42:152:51 | ciphertext | semmle.label | ciphertext | subpaths -testFailures -| BadMacUse.java:92:31:92:35 | bytes : byte[] | Unexpected result: Source | -| BadMacUse.java:146:95:146:159 | // $ Source[java/quantum/examples/bad-mac-order-decrypt-then-mac] | Missing result: Source[java/quantum/examples/bad-mac-order-decrypt-then-mac] | diff --git a/java/ql/test/experimental/query-tests/quantum/examples/BadMacUse/BadMacUse.java b/java/ql/test/experimental/query-tests/quantum/examples/BadMacUse/BadMacUse.java index 56a2c1120107..53c549b18dc3 100644 --- a/java/ql/test/experimental/query-tests/quantum/examples/BadMacUse/BadMacUse.java +++ b/java/ql/test/experimental/query-tests/quantum/examples/BadMacUse/BadMacUse.java 
@@ -89,7 +89,7 @@ public byte[] cipherOperationWrapper(byte[] bytes, byte[] encryptionKeyBytes, by IvParameterSpec ivParameterSpec = new IvParameterSpec(iv); cipher.init(mode, secretKeySpec, ivParameterSpec); - return cipher.doFinal(bytes); + return cipher.doFinal(bytes); // $ Source[java/quantum/examples/bad-mac-order-decrypt-then-mac] } /** @@ -143,7 +143,7 @@ public void decryptThenMac(byte[] encryptionKeyBytes, byte[] macKeyBytes, byte[] byte[] receivedMac = Arrays.copyOfRange(input, input.length - macLength, input.length); // Decrypt first (unsafe) - byte[] plaintext = decryptUsingWrapper(ciphertext, encryptionKeyBytes, new byte[16]); // $ Source[java/quantum/examples/bad-mac-order-decrypt-then-mac] + byte[] plaintext = decryptUsingWrapper(ciphertext, encryptionKeyBytes, new byte[16]); // Now verify MAC (too late) SecretKey macKey = new SecretKeySpec(macKeyBytes, "HmacSHA256"); diff --git a/java/ql/test/experimental/query-tests/quantum/examples/WeakOrUnknownKDFIterationCount/Test.java b/java/ql/test/experimental/query-tests/quantum/examples/WeakOrUnknownKDFIterationCount/Test.java index f2c71faf4353..7fa9c1f99efb 100644 --- a/java/ql/test/experimental/query-tests/quantum/examples/WeakOrUnknownKDFIterationCount/Test.java +++ b/java/ql/test/experimental/query-tests/quantum/examples/WeakOrUnknownKDFIterationCount/Test.java 
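Review bot: The `Source[java/quantum/examples/bad-mac-order-decrypt-then-mac]` tag added in the `@@ -89,7 +89,7 @@` hunk sits on `return cipher.doFinal(bytes);` inside `cipherOperationWrapper`, which initialises the cipher with the caller-supplied `mode`, so the same line presumably runs for encryption as well as decryption. Because the second hunk removes the tag from the `decryptUsingWrapper(...)` call in `decryptThenMac`, a reader no longer sees at the call site where the flagged flow starts. A short comment above the return would help, e.g. `// Reported as the source when reached with DECRYPT_MODE via decryptUsingWrapper`. Patch 4/4 adds a second `Source` tag to this line and the same comment would cover it. The wrapper's signature and opening lines lie outside the hunk.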
@@ -42,9 +42,9 @@ public void pbkdf2LowIteration(String password) throws Exception { */ public void pbkdf2LowIteration(String password, int iterationCount) throws Exception { // $ Source[java/quantum/examples/unknown-kdf-iteration-count] byte[] salt = generateSalt(16); - PBEKeySpec spec = new PBEKeySpec(password.toCharArray(), salt, iterationCount, 256); // $ Alert[java/quantum/examples/unknown-kdf-iteration-count] + PBEKeySpec spec = new PBEKeySpec(password.toCharArray(), salt, iterationCount, 256); SecretKeyFactory factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256"); - byte[] key = factory.generateSecret(spec).getEncoded(); + byte[] key = factory.generateSecret(spec).getEncoded(); // $ Alert[java/quantum/examples/unknown-kdf-iteration-count] } /** diff --git a/java/ql/test/experimental/query-tests/quantum/examples/WeakOrUnknownKDFIterationCount/UnknownKDFIterationCount.expected b/java/ql/test/experimental/query-tests/quantum/examples/WeakOrUnknownKDFIterationCount/UnknownKDFIterationCount.expected index 192393ad0280..778cb1aa79e5 100644 --- a/java/ql/test/experimental/query-tests/quantum/examples/WeakOrUnknownKDFIterationCount/UnknownKDFIterationCount.expected +++ b/java/ql/test/experimental/query-tests/quantum/examples/WeakOrUnknownKDFIterationCount/UnknownKDFIterationCount.expected @@ -1,5 +1 @@ -#select | Test.java:47:22:47:49 | KeyDerivation | Key derivation operation with unknown iteration: $@ | Test.java:43:53:43:70 | iterationCount | iterationCount | -testFailures -| Test.java:45:94:45:154 | // $ Alert[java/quantum/examples/unknown-kdf-iteration-count] | Missing result: Alert[java/quantum/examples/unknown-kdf-iteration-count] | -| Test.java:47:22:47:49 | Key derivation operation with unknown iteration: $@ | Unexpected result: Alert | From 6f997ae15c39e27a622fd58e3dd7d4a71c5304b2 Mon Sep 17 00:00:00 2001 
From: Geoffrey White <40627776+geoffw0@users.noreply.github.com> Date: Fri, 26 Jun 2026 14:15:11 +0100 Subject: [PATCH 3/4] Java: Label spurious results. --- .../examples/BadMacUse/BadMacOrderDecryptToMac.expected | 1 - .../BadMacUse/BadMacOrderMacOnEncryptPlaintext.expected | 3 --- .../query-tests/quantum/examples/BadMacUse/BadMacUse.java | 6 +++--- 3 files changed, 3 insertions(+), 7 deletions(-) diff --git a/java/ql/test/experimental/query-tests/quantum/examples/BadMacUse/BadMacOrderDecryptToMac.expected b/java/ql/test/experimental/query-tests/quantum/examples/BadMacUse/BadMacOrderDecryptToMac.expected index dad00fce4106..edbf2b43e907 100644 --- a/java/ql/test/experimental/query-tests/quantum/examples/BadMacUse/BadMacOrderDecryptToMac.expected +++ b/java/ql/test/experimental/query-tests/quantum/examples/BadMacUse/BadMacOrderDecryptToMac.expected @@ -32,4 +32,3 @@ nodes subpaths testFailures | BadMacUse.java:92:16:92:36 | doFinal(...) : byte[] | Unexpected result: Source | -| BadMacUse.java:124:42:124:51 | ciphertext | Unexpected result: Alert | diff --git a/java/ql/test/experimental/query-tests/quantum/examples/BadMacUse/BadMacOrderMacOnEncryptPlaintext.expected b/java/ql/test/experimental/query-tests/quantum/examples/BadMacUse/BadMacOrderMacOnEncryptPlaintext.expected index 4dd13879d640..3c6a7e6ae20b 100644 --- a/java/ql/test/experimental/query-tests/quantum/examples/BadMacUse/BadMacOrderMacOnEncryptPlaintext.expected +++ b/java/ql/test/experimental/query-tests/quantum/examples/BadMacUse/BadMacOrderMacOnEncryptPlaintext.expected @@ -44,6 +44,3 @@ nodes | BadMacUse.java:146:48:146:57 | ciphertext : byte[] [[]] : Object | semmle.label | ciphertext : byte[] [[]] : Object | | BadMacUse.java:152:42:152:51 | ciphertext | semmle.label | ciphertext | subpaths -testFailures -| BadMacUse.java:139:79:139:90 | input : byte[] | Unexpected result: Source | -| BadMacUse.java:152:42:152:51 | ciphertext | Unexpected result: Alert | 
diff --git a/java/ql/test/experimental/query-tests/quantum/examples/BadMacUse/BadMacUse.java b/java/ql/test/experimental/query-tests/quantum/examples/BadMacUse/BadMacUse.java index 53c549b18dc3..2786d0598057 100644 --- a/java/ql/test/experimental/query-tests/quantum/examples/BadMacUse/BadMacUse.java +++ b/java/ql/test/experimental/query-tests/quantum/examples/BadMacUse/BadMacUse.java @@ -121,7 +121,7 @@ public byte[] falsePositiveDecryptToMac(byte[] encryptionKeyBytes, byte[] macKey SecretKey macKey = new SecretKeySpec(macKeyBytes, "HmacSHA256"); Mac mac = Mac.getInstance("HmacSHA256"); mac.init(macKey); - byte[] computedMac = mac.doFinal(ciphertext); // False Positive + byte[] computedMac = mac.doFinal(ciphertext); // $ SPURIOUS: Alert[java/quantum/examples/bad-mac-order-decrypt-to-mac] // Concatenate ciphertext and MAC byte[] output = new byte[ciphertext.length + computedMac.length]; @@ -136,7 +136,7 @@ public byte[] falsePositiveDecryptToMac(byte[] encryptionKeyBytes, byte[] macKey * The function decrypts THEN computes the MAC on the plaintext. * It should have the MAC computed on the ciphertext first. */ - public void decryptThenMac(byte[] encryptionKeyBytes, byte[] macKeyBytes, byte[] input) throws Exception { + public void decryptThenMac(byte[] encryptionKeyBytes, byte[] macKeyBytes, byte[] input) throws Exception { // $ SPURIOUS: Source[java/quantum/examples/bad-mac-order-encrypt-plaintext-also-in-mac] // Split input into ciphertext and MAC int macLength = 32; // HMAC-SHA256 output length byte[] ciphertext = Arrays.copyOfRange(input, 0, input.length - macLength); 
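Review bot: The Javadoc kept above `decryptThenMac` in the `@@ -136,7 +136,7 @@` hunk says the function "decrypts THEN computes the MAC on the plaintext", but the following `@@ -149,7 +149,7 @@` hunk shows the body computing `mac.doFinal(ciphertext)`, so the MAC covers the ciphertext and the fault is only that it is checked after decryption. With the signature now tagged `SPURIOUS: Source[java/quantum/examples/bad-mac-order-encrypt-plaintext-also-in-mac]`, the stale wording makes that result look expected rather than spurious. I would change the comment to `The function decrypts first and only then verifies the MAC over the ciphertext; the MAC should be verified before decrypting.` Since this patch also drops the free-text "False Positive" remarks in the neighbouring hunks, the Javadoc is the remaining place where the case is explained in words.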
@@ -149,7 +149,7 @@ public void decryptThenMac(byte[] encryptionKeyBytes, byte[] macKeyBytes, byte[] SecretKey macKey = new SecretKeySpec(macKeyBytes, "HmacSHA256"); Mac mac = Mac.getInstance("HmacSHA256"); mac.init(macKey); - byte[] computedMac = mac.doFinal(ciphertext); // $ Alert[java/quantum/examples/bad-mac-order-decrypt-then-mac], False positive for Plaintext reuse + byte[] computedMac = mac.doFinal(ciphertext); // $ Alert[java/quantum/examples/bad-mac-order-decrypt-then-mac] SPURIOUS: Alert[java/quantum/examples/bad-mac-order-encrypt-plaintext-also-in-mac] if (!MessageDigest.isEqual(receivedMac, computedMac)) { throw new SecurityException("MAC verification failed"); From 897d16929b7a628672ad7565d31e469cbd6598e3 Mon Sep 17 00:00:00 2001 From: Geoffrey White <40627776+geoffw0@users.noreply.github.com> Date: Fri, 26 Jun 2026 15:48:11 +0100 Subject: [PATCH 4/4] Java: Add missing $ Source annotations. --- .../quantum/examples/BadMacUse/BadMacOrderDecryptToMac.expected | 2 -- .../query-tests/quantum/examples/BadMacUse/BadMacUse.java | 2 +- .../InsecureIVorNonceSource.expected | 2 -- .../InsecureOrUnknownNonceSource/InsecureIVorNonceSource.java | 2 +- 4 files changed, 2 insertions(+), 6 deletions(-) diff --git a/java/ql/test/experimental/query-tests/quantum/examples/BadMacUse/BadMacOrderDecryptToMac.expected b/java/ql/test/experimental/query-tests/quantum/examples/BadMacUse/BadMacOrderDecryptToMac.expected index edbf2b43e907..7cbaef3bd02d 100644 --- a/java/ql/test/experimental/query-tests/quantum/examples/BadMacUse/BadMacOrderDecryptToMac.expected +++ b/java/ql/test/experimental/query-tests/quantum/examples/BadMacUse/BadMacOrderDecryptToMac.expected @@ -30,5 +30,3 @@ nodes | BadMacUse.java:118:83:118:84 | iv : byte[] | semmle.label | iv : byte[] | | BadMacUse.java:124:42:124:51 | ciphertext | semmle.label | ciphertext | subpaths -testFailures -| BadMacUse.java:92:16:92:36 | doFinal(...) : byte[] | Unexpected result: Source | 
diff --git a/java/ql/test/experimental/query-tests/quantum/examples/BadMacUse/BadMacUse.java b/java/ql/test/experimental/query-tests/quantum/examples/BadMacUse/BadMacUse.java index 2786d0598057..c2bd2e61c2eb 100644 --- a/java/ql/test/experimental/query-tests/quantum/examples/BadMacUse/BadMacUse.java +++ b/java/ql/test/experimental/query-tests/quantum/examples/BadMacUse/BadMacUse.java @@ -89,7 +89,7 @@ public byte[] cipherOperationWrapper(byte[] bytes, byte[] encryptionKeyBytes, by IvParameterSpec ivParameterSpec = new IvParameterSpec(iv); cipher.init(mode, secretKeySpec, ivParameterSpec); - return cipher.doFinal(bytes); // $ Source[java/quantum/examples/bad-mac-order-decrypt-then-mac] + return cipher.doFinal(bytes); // $ Source[java/quantum/examples/bad-mac-order-decrypt-then-mac] Source[java/quantum/examples/bad-mac-order-decrypt-to-mac] } /** diff --git a/java/ql/test/experimental/query-tests/quantum/examples/InsecureOrUnknownNonceSource/InsecureIVorNonceSource.expected b/java/ql/test/experimental/query-tests/quantum/examples/InsecureOrUnknownNonceSource/InsecureIVorNonceSource.expected index 3ad1b08e4762..548298279752 100644 --- a/java/ql/test/experimental/query-tests/quantum/examples/InsecureOrUnknownNonceSource/InsecureIVorNonceSource.expected +++ b/java/ql/test/experimental/query-tests/quantum/examples/InsecureOrUnknownNonceSource/InsecureIVorNonceSource.expected @@ -126,5 +126,3 @@ nodes | InsecureIVorNonceSource.java:202:54:202:55 | iv : byte[] | semmle.label | iv : byte[] | | InsecureIVorNonceSource.java:206:51:206:56 | ivSpec | semmle.label | ivSpec | subpaths -testFailures -| InsecureIVorNonceSource.java:42:21:42:21 | 1 : Number | Unexpected result: Source | diff --git a/java/ql/test/experimental/query-tests/quantum/examples/InsecureOrUnknownNonceSource/InsecureIVorNonceSource.java b/java/ql/test/experimental/query-tests/quantum/examples/InsecureOrUnknownNonceSource/InsecureIVorNonceSource.java index f9474681d196..b8f64e56616f 100644 
--- a/java/ql/test/experimental/query-tests/quantum/examples/InsecureOrUnknownNonceSource/InsecureIVorNonceSource.java +++ b/java/ql/test/experimental/query-tests/quantum/examples/InsecureOrUnknownNonceSource/InsecureIVorNonceSource.java @@ -39,7 +39,7 @@ public byte[] encryptWithZeroStaticIvByteArray(byte[] key, byte[] plaintext) thr public byte[] encryptWithStaticIvByteArray(byte[] key, byte[] plaintext) throws Exception { byte[] iv = new byte[16]; for (byte i = 0; i < iv.length; i++) { - iv[i] = 1; + iv[i] = 1; // $ Source[java/quantum/examples/insecure-iv-or-nonce] } IvParameterSpec ivSpec = new IvParameterSpec(iv);