Insecure use of (Hard-coded keys: embedding JWT secret in test) in JwtTokenTest.java

[A-Amyan]

We are a German research group investigating the misuse of cryptographic APIs.
We found vulnerabilities in JwtTokenTest.java at line {28}, which can lead to an attack (e.g., Trivial brute-forcing or dictionary attacks on the key material).
This is our result:

    "explanation": "Direct instantiation of javax.crypto.spec.SecretKeySpec is occurring here to create a key for cryptographic operations. This matches one of the monitored JCA API usages.",
    "cryptographicObjectType": "SecretKeySpec",
    "codeSnippet": "key = new SecretKeySpec(apiKeySecretBytes, signatureAlgorithm.getJcaName());",
    "vulnerabilityType": "Insecure",
    "correction": "Do not hardcode cryptographic keys. In this instance the key is derived from the constant string \"bdp\", making it predictable and insecure. Instead, generate or retrieve keys securely at runtime using secure key management (for example, by loading the key from an environment variable, configuration file with appropriate protections, or a dedicated key management system) to ensure that the secret is not exposed in source code.",

[nzhiwen666]

We are a German research group investigating the misuse of cryptographic APIs. We found vulnerabilities in JwtTokenTest.java at line {28}, which can lead to an attack (e.g., Trivial brute-forcing or dictionary attacks on the key material). This is our result:

"explanation": "Direct instantiation of javax.crypto.spec.SecretKeySpec is occurring here to create a key for cryptographic operations. This matches one of the monitored JCA API usages.",
"cryptographicObjectType": "SecretKeySpec",
"codeSnippet": "key = new SecretKeySpec(apiKeySecretBytes, signatureAlgorithm.getJcaName());",
"vulnerabilityType": "Insecure",
"correction": "Do not hardcode cryptographic keys. In this instance the key is derived from the constant string \"bdp\", making it predictable and insecure. Instead, generate or retrieve keys securely at runtime using secure key management (for example, by loading the key from an environment variable, configuration file with appropriate protections, or a dedicated key management system) to ensure that the secret is not exposed in source code.",

Hello, I'd like to ask where you found your database script. There's no database script here