Reiview suggestions - add doc comment, reword description, simplify a part

2025-12-24 04:36:35 +01:00 · 2022-07-19 14:50:12 +01:00
parent a62bb8e115
commit bf32b5a8fd
2 changed files with 5 additions and 10 deletions
--- a/java/ql/src/Security/CWE/CWE-1204/StaticInitializationVector.ql
+++ b/java/ql/src/Security/CWE/CWE-1204/StaticInitializationVector.ql
@@ -1,12 +1,7 @@
 /**
 * @name Using a static initialization vector for encryption
- * @description A cipher needs an initialization vector (IV) in some cases,
- *              for example, when CBC or GCM modes are used. IVs are used to randomize the encryption,
- *              therefore they should be unique and ideally unpredictable.
- *              Otherwise, the same plaintexts result in same ciphertexts under a given secret key.
- *              If a static IV is used for encryption, this lets an attacker learn
- *              if the same data pieces are transferred or stored,
- *              or this can help the attacker run a dictionary attack.
+ * @description An initialization vector (IV) used for ciphers of certain modes (such as CBC or GCM) should be unique and unpredicateble.
+ *              Otherwise, if the same IV is used with a the same secret key then the same plaintext results in same ciphertext, which weakens the encryption.
 * @kind path-problem
 * @problem.severity warning
 * @precision high