Hei dear maintainers, For a benchmark [1], we randomly sampled JCA usages to decide if the API usage is a violation of any API usage constraint. We believe we found one for the JCA class CipherInputStream. The call to *close* is missing for the call sequence to *CipherInputStream*. Thus, the input stream including the ressources of the stream are not released. [More Details in the JDK 17 documentation](https://docs.oracle.com/en/java/javase/17/docs/api/java.base/javax/crypto/CipherInputStream.html) The instance that we sampled is located in: - file: pdfbox/pdfbox/src/main/java/org/apache/pdfbox/pdmodel/encryption/SecurityHandler.java - method: private void encryptDataAES256(InputStream data, OutputStream output, boolean decrypt) throws IOException - line: 379
To the best of my knowledge, this JCA usage does not result in a vulnerability (directly). However, it violates the API constraint discussed above. Therefore, we consider adding this usage as a violation into the benchmark. Best, Anna-Katharina Wickert For the CamBench team [1] https://github.com/CROSSINGTUD/CamBench
signature.asc
Description: Message signed with OpenPGP