STATIC_IV false positive #765

@ChristopherSchultz

Environment

| Component   | Version |
|-------------|---------|
| Java        | 24      |
| SpotBugs    | 4.9.4   |
| FindSecBugs | 1.14.0  |

Problem

This code triggers a STATIC_IV error when I believe it should not.

        private AlgorithmParameterSpec getKeyParameters(byte[] iv) {
            if("GCM".equals(getAlgorithmMode()))
                return new GCMParameterSpec(128, iv, 0, iv.length);
            else
                return new IvParameterSpec(iv, 0, iv.length);
        }

I checked, and all of the calls through this class are using an IV either passed in from a caller (e.g. for decryption), or generated locally using a random source (encryption).
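The two call paths the report describes, written out as an added example (not code from the reporter's project or from FindSecBugs): the helper only wraps whatever IV it is handed, so whether the IV is static depends on its callers. The names `IvCallPaths`, `MODE`, `IV_LEN`, `encrypt` and `decrypt` are assumptions, and `MODE` stands in for `getAlgorithmMode()`.

```java
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.IvParameterSpec;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.security.spec.AlgorithmParameterSpec;
import java.util.Arrays;

public class IvCallPaths {
    private static final SecureRandom RNG = new SecureRandom();
    private static final String MODE = "GCM"; // assumption: stands in for getAlgorithmMode()
    private static final int IV_LEN = 12;     // 96-bit IV, the recommended length for GCM

    // Same logic as the method in the issue: it never creates an IV, only wraps one.
    static AlgorithmParameterSpec getKeyParameters(byte[] iv) {
        if ("GCM".equals(MODE))
            return new GCMParameterSpec(128, iv, 0, iv.length);
        return new IvParameterSpec(iv, 0, iv.length);
    }

    // Encryption path: a fresh random IV per message, stored in front of the ciphertext.
    static byte[] encrypt(SecretKey key, byte[] plaintext) throws Exception {
        byte[] iv = new byte[IV_LEN];
        RNG.nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, getKeyParameters(iv));
        byte[] ct = c.doFinal(plaintext);
        return ByteBuffer.allocate(IV_LEN + ct.length).put(iv).put(ct).array();
    }

    // Decryption path: the IV comes from the caller's message, not from this class.
    static byte[] decrypt(SecretKey key, byte[] message) throws Exception {
        byte[] iv = Arrays.copyOfRange(message, 0, IV_LEN);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, getKeyParameters(iv));
        return c.doFinal(message, IV_LEN, message.length - IV_LEN);
    }
    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey key = kg.generateKey();
        byte[] msg = "constructed sample".getBytes(StandardCharsets.UTF_8); // constructed input
        byte[] a = encrypt(key, msg), b = encrypt(key, msg);
        System.out.println("round trip ok: " + Arrays.equals(msg, decrypt(key, a)));
        System.out.println("IVs differ: " + !Arrays.equals(Arrays.copyOf(a, IV_LEN), Arrays.copyOf(b, IV_LEN)));
    }
}
```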

Labels

false-positive: Something that should not report.