Bad hex conversion on digest array detected

Description

The application currently applies Integer.toHexString to the bytes of a digest array. Because each byte is widened to an int first, values of 0x80 and above are sign-extended to eight hex digits and values below 0x10 lose their leading zero, so the resulting string is not a faithful hexadecimal encoding of the digest and will not match the same digest encoded correctly elsewhere.

Remediations

❌ Avoid using Integer.toHexString for hexadecimal representation due to potential inaccuracies.

✅ For Java 17 and above, use the java.util.HexFormat class, which renders every byte as exactly two hex digits:

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.HexFormat;

// Hash the input with SHA-256 (getInstance throws NoSuchAlgorithmException if the algorithm is unavailable)
MessageDigest sha256Digest = MessageDigest.getInstance("SHA-256");
sha256Digest.update("hello world".getBytes(StandardCharsets.UTF_8));
byte[] output = sha256Digest.digest();

// HexFormat encodes each byte as exactly two lowercase hex digits, so a 32-byte digest yields 64 characters
HexFormat hex = HexFormat.of();
String hexString = hex.formatHex(output);

For older Java applications, javax.xml.bind.DatatypeConverter.printHexBinary is an alternative; note that the javax.xml.bind package is no longer part of the JDK from Java 11 onward, so it must be supplied as an external JAXB API dependency.
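The following is an added example, not code from the Bearer rule documentation: it places the flagged Integer.toHexString pattern beside the HexFormat fix and a portable masked alternative, all applied to the same SHA-256 digest, so the length difference in the output makes the defect visible. The class and method names are my own.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HexFormat;

public class DigestHexDemo {

    // The pattern this rule flags. Each byte is widened to an int before
    // conversion, so bytes >= 0x80 sign-extend to eight hex digits and
    // bytes < 0x10 are emitted with a single digit: the output length varies
    // and the string no longer corresponds to the digest bytes.
    static String badHex(byte[] digest) {
        StringBuilder sb = new StringBuilder();
        for (byte b : digest) {
            sb.append(Integer.toHexString(b));
        }
        return sb.toString();
    }

    // Java 17+ fix: HexFormat always emits exactly two lowercase digits per byte.
    static String goodHex(byte[] digest) {
        return HexFormat.of().formatHex(digest);
    }

    // Portable fix for older Java: mask to the low 8 bits (removing the sign
    // extension) and zero-pad to two digits.
    static String portableHex(byte[] digest) {
        StringBuilder sb = new StringBuilder(digest.length * 2);
        for (byte b : digest) {
            sb.append(String.format("%02x", b & 0xff));
        }
        return sb.toString();
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        byte[] digest = MessageDigest.getInstance("SHA-256")
                .digest("hello world".getBytes(StandardCharsets.UTF_8));

        String good = goodHex(digest);
        String bad = badHex(digest);

        // A SHA-256 digest is 32 bytes, so a correct encoding is always 64 characters;
        // the flawed encoding is a different length and fails any comparison
        // against a correctly stored digest.
        System.out.println("HexFormat   (" + good.length() + " chars): " + good);
        System.out.println("toHexString (" + bad.length() + " chars): " + bad);
        System.out.println("portable encoding matches HexFormat: " + portableHex(digest).equals(good));
    }
}
```

Run it against any input: the HexFormat and portable encodings always agree, while the Integer.toHexString string only matches when every digest byte happens to fall in the range 0x10 to 0x7f.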

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=java_lang_bad_hex_conversion

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=java_lang_bad_hex_conversion
