com.yubico.yubikit.android.app.databinding.ActivityMainBinding.getRoot() may expose internal representation by returning ActivityMainBinding.rootView

com.yubico.yubikit.android.app.databinding.AppBarMainBinding.getRoot() may expose internal representation by returning AppBarMainBinding.rootView

com.yubico.yubikit.android.app.databinding.FragmentWebBinding.getRoot() may expose internal representation by returning FragmentWebBinding.rootView

Exception thrown in class com.yubico.yubikit.android.transport.nfc.NfcYubiKeyManager at new com.yubico.yubikit.android.transport.nfc.NfcYubiKeyManager(Context, NfcDispatcher) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks.

Exception thrown in class com.yubico.yubikit.android.transport.usb.UsbYubiKeyDevice at new com.yubico.yubikit.android.transport.usb.UsbYubiKeyDevice(UsbManager, UsbDevice) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks.

Exception thrown in class com.yubico.yubikit.android.transport.usb.connection.UsbSmartCardConnection at new com.yubico.yubikit.android.transport.usb.connection.UsbSmartCardConnection(UsbDeviceConnection, UsbInterface, UsbEndpoint, UsbEndpoint) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks.

Non-null field keyListener is not initialized by new com.yubico.yubikit.android.ui.OtpActivity()

Non-null field action is not initialized by new com.yubico.yubikit.android.ui.YubiKeyPromptActivity()

Non-null field cancelButton is not initialized by new com.yubico.yubikit.android.ui.YubiKeyPromptActivity()

Non-null field enableNfcButton is not initialized by new com.yubico.yubikit.android.ui.YubiKeyPromptActivity()

Non-null field helpTextView is not initialized by new com.yubico.yubikit.android.ui.YubiKeyPromptActivity()

Non-null field yubiKit is not initialized by new com.yubico.yubikit.android.ui.YubiKeyPromptActivity()

Wait not in loop in com.yubico.yubikit.core.application.CommandState.waitForCancel(long)

Exception thrown in class com.yubico.yubikit.core.fido.FidoProtocol at new com.yubico.yubikit.core.fido.FidoProtocol(FidoConnection) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks.

This use of org/slf4j/Logger.trace(Ljava/lang/String;)V might be used to include CRLF characters into log messages

This use of org/slf4j/Logger.debug(Ljava/lang/String;)V might be used to include CRLF characters into log messages

This use of org/slf4j/Logger.info(Ljava/lang/String;)V might be used to include CRLF characters into log messages

This use of org/slf4j/Logger.warn(Ljava/lang/String;)V might be used to include CRLF characters into log messages

This use of org/slf4j/Logger.error(Ljava/lang/String;)V might be used to include CRLF characters into log messages

This use of org/slf4j/Logger.trace(Ljava/lang/String;Ljava/lang/Object;)V might be used to include CRLF characters into log messages

This use of org/slf4j/Logger.debug(Ljava/lang/String;Ljava/lang/Object;)V might be used to include CRLF characters into log messages

This use of org/slf4j/Logger.info(Ljava/lang/String;Ljava/lang/Object;)V might be used to include CRLF characters into log messages

This use of org/slf4j/Logger.warn(Ljava/lang/String;Ljava/lang/Object;)V might be used to include CRLF characters into log messages

This use of org/slf4j/Logger.error(Ljava/lang/String;Ljava/lang/Object;)V might be used to include CRLF characters into log messages

This use of org/slf4j/Logger.trace(Ljava/lang/String;Ljava/lang/Object;Ljava/lang/Object;)V might be used to include CRLF characters into log messages

This use of org/slf4j/Logger.debug(Ljava/lang/String;Ljava/lang/Object;Ljava/lang/Object;)V might be used to include CRLF characters into log messages

This use of org/slf4j/Logger.info(Ljava/lang/String;Ljava/lang/Object;Ljava/lang/Object;)V might be used to include CRLF characters into log messages

This use of org/slf4j/Logger.warn(Ljava/lang/String;Ljava/lang/Object;Ljava/lang/Object;)V might be used to include CRLF characters into log messages

This use of org/slf4j/Logger.error(Ljava/lang/String;Ljava/lang/Object;Ljava/lang/Object;)V might be used to include CRLF characters into log messages

This use of org/slf4j/Logger.trace(Ljava/lang/String;[Ljava/lang/Object;)V might be used to include CRLF characters into log messages

This use of org/slf4j/Logger.debug(Ljava/lang/String;[Ljava/lang/Object;)V might be used to include CRLF characters into log messages

This use of org/slf4j/Logger.info(Ljava/lang/String;[Ljava/lang/Object;)V might be used to include CRLF characters into log messages

This use of org/slf4j/Logger.warn(Ljava/lang/String;[Ljava/lang/Object;)V might be used to include CRLF characters into log messages

This use of org/slf4j/Logger.error(Ljava/lang/String;[Ljava/lang/Object;)V might be used to include CRLF characters into log messages

Exception thrown in class com.yubico.yubikit.core.keys.PrivateKeyValues$Rsa at new com.yubico.yubikit.core.keys.PrivateKeyValues$Rsa(BigInteger, BigInteger, BigInteger, BigInteger, BigInteger, BigInteger, BigInteger) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks.

Exception thrown in class com.yubico.yubikit.core.keys.PublicKeyValues$Cv25519 at new com.yubico.yubikit.core.keys.PublicKeyValues$Cv25519(EllipticCurveValues, byte[]) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks.

Exception thrown in class com.yubico.yubikit.core.keys.PublicKeyValues$Ec at new com.yubico.yubikit.core.keys.PublicKeyValues$Ec(EllipticCurveValues, BigInteger, BigInteger) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks.

Exception thrown in class com.yubico.yubikit.core.otp.ChecksumUtils at new com.yubico.yubikit.core.otp.ChecksumUtils() will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks.

Use of non-localized String.toUpperCase() or String.toLowerCase() in com.yubico.yubikit.core.otp.Modhex.decode(String)

Exception thrown in class com.yubico.yubikit.core.otp.OtpProtocol at new com.yubico.yubikit.core.otp.OtpProtocol(OtpConnection) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks.

Exception thrown in class com.yubico.yubikit.core.smartcard.ApduResponse at new com.yubico.yubikit.core.smartcard.ApduResponse(byte[]) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks.

Exception thrown in class com.yubico.yubikit.core.util.RandomUtils at new com.yubico.yubikit.core.util.RandomUtils() will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks.

Exception thrown in class com.yubico.yubikit.core.util.StringUtils at new com.yubico.yubikit.core.util.StringUtils() will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks.

Exception thrown in class com.yubico.yubikit.fido.client.BasicWebAuthnClient at new com.yubico.yubikit.fido.client.BasicWebAuthnClient(Ctap2Session) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks.

com.yubico.yubikit.fido.client.BasicWebAuthnClient.getUserAgentConfiguration() may expose internal representation by returning BasicWebAuthnClient.userAgentConfiguration

com.yubico.yubikit.fido.client.BasicWebAuthnClient$UserAgentConfiguration.setEpSupportedRpIds(List) may expose internal representation by storing an externally mutable object into BasicWebAuthnClient$UserAgentConfiguration.epSupportedRpIds

Dead store to credentialIdMap in com.yubico.yubikit.fido.client.CredentialManager.getCredentials(String)

Do not catch NullPointerException like in com.yubico.yubikit.fido.client.MultipleAssertionsAvailable.getUsers()

Exception thrown in class com.yubico.yubikit.fido.ctap.Config at new com.yubico.yubikit.fido.ctap.Config(Ctap2Session, PinUvAuthProtocol, byte[]) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks.

Exception thrown in class com.yubico.yubikit.fido.ctap.CredentialManagement at new com.yubico.yubikit.fido.ctap.CredentialManagement(Ctap2Session, PinUvAuthProtocol, byte[]) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks.

new com.yubico.yubikit.fido.ctap.CredentialManagement(Ctap2Session, PinUvAuthProtocol, byte[]) may expose internal representation by storing an externally mutable object into CredentialManagement.pinUvToken

com.yubico.yubikit.fido.ctap.CredentialManagement$CredentialData.getCredentialId() may expose internal representation by returning CredentialManagement$CredentialData.credentialId

com.yubico.yubikit.fido.ctap.CredentialManagement$CredentialData.getPublicKey() may expose internal representation by returning CredentialManagement$CredentialData.publicKey

com.yubico.yubikit.fido.ctap.CredentialManagement$CredentialData.getUser() may expose internal representation by returning CredentialManagement$CredentialData.user

com.yubico.yubikit.fido.ctap.CredentialManagement$RpData.getRp() may expose internal representation by returning CredentialManagement$RpData.rp

com.yubico.yubikit.fido.ctap.CredentialManagement$RpData.getRpIdHash() may expose internal representation by returning CredentialManagement$RpData.rpIdHash

Exception thrown in class com.yubico.yubikit.fido.ctap.Ctap2Session at new com.yubico.yubikit.fido.ctap.Ctap2Session(Version, Ctap2Session$Backend) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks.

Exception thrown in class com.yubico.yubikit.fido.ctap.Ctap2Session at new com.yubico.yubikit.fido.ctap.Ctap2Session(FidoConnection) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks.

Exception thrown in class com.yubico.yubikit.fido.ctap.Ctap2Session at new com.yubico.yubikit.fido.ctap.Ctap2Session(FidoProtocol) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks.

Exception thrown in class com.yubico.yubikit.fido.ctap.Ctap2Session at new com.yubico.yubikit.fido.ctap.Ctap2Session(SmartCardConnection) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks.

Exception thrown in class com.yubico.yubikit.fido.ctap.Ctap2Session at new com.yubico.yubikit.fido.ctap.Ctap2Session(SmartCardConnection, Version) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks.

Overridable method getInfo is called from constructor new com.yubico.yubikit.fido.ctap.Ctap2Session(Version, Ctap2Session$Backend).

com.yubico.yubikit.fido.ctap.Ctap2Session$AssertionData.getAuthenticatorData() may expose internal representation by returning Ctap2Session$AssertionData.authenticatorData

com.yubico.yubikit.fido.ctap.Ctap2Session$AssertionData.getCredential() may expose internal representation by returning Ctap2Session$AssertionData.credential

com.yubico.yubikit.fido.ctap.Ctap2Session$AssertionData.getSignature() may expose internal representation by returning Ctap2Session$AssertionData.signature

com.yubico.yubikit.fido.ctap.Ctap2Session$AssertionData.getUser() may expose internal representation by returning Ctap2Session$AssertionData.user

com.yubico.yubikit.fido.ctap.Ctap2Session$CredentialData.getAttestationStatement() may expose internal representation by returning Ctap2Session$CredentialData.attestationStatement

com.yubico.yubikit.fido.ctap.Ctap2Session$CredentialData.getAuthenticatorData() may expose internal representation by returning Ctap2Session$CredentialData.authenticatorData

com.yubico.yubikit.fido.ctap.Ctap2Session$CredentialData.getLargeBlobKey() may expose internal representation by returning Ctap2Session$CredentialData.largeBlobKey

com.yubico.yubikit.fido.ctap.Ctap2Session$InfoData.getAaguid() may expose internal representation by returning Ctap2Session$InfoData.aaguid

com.yubico.yubikit.fido.ctap.Ctap2Session$InfoData.getAlgorithms() may expose internal representation by returning Ctap2Session$InfoData.algorithms

com.yubico.yubikit.fido.ctap.Ctap2Session$InfoData.getCertifications() may expose internal representation by returning Ctap2Session$InfoData.certifications

com.yubico.yubikit.fido.ctap.Ctap2Session$InfoData.getExtensions() may expose internal representation by returning Ctap2Session$InfoData.extensions

com.yubico.yubikit.fido.ctap.Ctap2Session$InfoData.getOptions() may expose internal representation by returning Ctap2Session$InfoData.options

com.yubico.yubikit.fido.ctap.Ctap2Session$InfoData.getPinUvAuthProtocols() may expose internal representation by returning Ctap2Session$InfoData.pinUvAuthProtocols

com.yubico.yubikit.fido.ctap.Ctap2Session$InfoData.getTransports() may expose internal representation by returning Ctap2Session$InfoData.transports

com.yubico.yubikit.fido.ctap.Ctap2Session$InfoData.getVendorPrototypeConfigCommands() may expose internal representation by returning Ctap2Session$InfoData.vendorPrototypeConfigCommands

com.yubico.yubikit.fido.ctap.Ctap2Session$InfoData.getVersions() may expose internal representation by returning Ctap2Session$InfoData.versions

Exception thrown in class com.yubico.yubikit.fido.ctap.Hkdf at new com.yubico.yubikit.fido.ctap.Hkdf(String) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks.

The cipher does not provide data integrity

The cipher does not provide data integrity

The initialization vector (IV) is not properly generated

The cipher does not provide data integrity

The initialization vector (IV) is not properly generated

com.yubico.yubikit.fido.webauthn.AttestationObject.getAttestationStatement() may expose internal representation by returning AttestationObject.attestationStatement

com.yubico.yubikit.fido.webauthn.AttestationObject.getLargeBlobKey() may expose internal representation by returning AttestationObject.largeBlobKey

new com.yubico.yubikit.fido.webauthn.AttestationObject(String, AuthenticatorData, Map, Boolean, byte[]) may expose internal representation by storing an externally mutable object into AttestationObject.attestationStatement

new com.yubico.yubikit.fido.webauthn.AttestationObject(String, AuthenticatorData, Map, Boolean, byte[]) may expose internal representation by storing an externally mutable object into AttestationObject.largeBlobKey

com.yubico.yubikit.fido.webauthn.AttestedCredentialData.getAaguid() may expose internal representation by returning AttestedCredentialData.aaguid

com.yubico.yubikit.fido.webauthn.AttestedCredentialData.getCosePublicKey() may expose internal representation by returning AttestedCredentialData.cosePublicKey

com.yubico.yubikit.fido.webauthn.AttestedCredentialData.getCredentialId() may expose internal representation by returning AttestedCredentialData.credentialId

new com.yubico.yubikit.fido.webauthn.AttestedCredentialData(byte[], byte[], Map) may expose internal representation by storing an externally mutable object into AttestedCredentialData.aaguid

new com.yubico.yubikit.fido.webauthn.AttestedCredentialData(byte[], byte[], Map) may expose internal representation by storing an externally mutable object into AttestedCredentialData.cosePublicKey

new com.yubico.yubikit.fido.webauthn.AttestedCredentialData(byte[], byte[], Map) may expose internal representation by storing an externally mutable object into AttestedCredentialData.credentialId

com.yubico.yubikit.fido.webauthn.AuthenticatorAssertionResponse.getAuthenticatorData() may expose internal representation by returning AuthenticatorAssertionResponse.authenticatorData

com.yubico.yubikit.fido.webauthn.AuthenticatorAssertionResponse.getSignature() may expose internal representation by returning AuthenticatorAssertionResponse.signature

com.yubico.yubikit.fido.webauthn.AuthenticatorAssertionResponse.getUserHandle() may expose internal representation by returning AuthenticatorAssertionResponse.userHandle

new com.yubico.yubikit.fido.webauthn.AuthenticatorAssertionResponse(byte[], byte[], byte[], byte[]) may expose internal representation by storing an externally mutable object into AuthenticatorAssertionResponse.authenticatorData

new com.yubico.yubikit.fido.webauthn.AuthenticatorAssertionResponse(byte[], byte[], byte[], byte[]) may expose internal representation by storing an externally mutable object into AuthenticatorAssertionResponse.signature

new com.yubico.yubikit.fido.webauthn.AuthenticatorAssertionResponse(byte[], byte[], byte[], byte[]) may expose internal representation by storing an externally mutable object into AuthenticatorAssertionResponse.userHandle

Exception thrown in class com.yubico.yubikit.fido.webauthn.AuthenticatorAttestationResponse at new com.yubico.yubikit.fido.webauthn.AuthenticatorAttestationResponse(byte[], List, AttestationObject) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks.

com.yubico.yubikit.fido.webauthn.AuthenticatorAttestationResponse.getAttestationObject() may expose internal representation by returning AuthenticatorAttestationResponse.attestationObject

com.yubico.yubikit.fido.webauthn.AuthenticatorAttestationResponse.getPublicKey() may expose internal representation by returning AuthenticatorAttestationResponse.publicKey

com.yubico.yubikit.fido.webauthn.AuthenticatorAttestationResponse.getTransports() may expose internal representation by returning AuthenticatorAttestationResponse.transports

new com.yubico.yubikit.fido.webauthn.AuthenticatorAttestationResponse(byte[], AuthenticatorData, List, byte[], int, byte[]) may expose internal representation by storing an externally mutable object into AuthenticatorAttestationResponse.attestationObject

new com.yubico.yubikit.fido.webauthn.AuthenticatorAttestationResponse(byte[], AuthenticatorData, List, byte[], int, byte[]) may expose internal representation by storing an externally mutable object into AuthenticatorAttestationResponse.publicKey

new com.yubico.yubikit.fido.webauthn.AuthenticatorAttestationResponse(byte[], AuthenticatorData, List, byte[], int, byte[]) may expose internal representation by storing an externally mutable object into AuthenticatorAttestationResponse.transports

new com.yubico.yubikit.fido.webauthn.AuthenticatorAttestationResponse(byte[], List, AttestationObject) may expose internal representation by storing an externally mutable object into AuthenticatorAttestationResponse.transports

com.yubico.yubikit.fido.webauthn.AuthenticatorData.getBytes() may expose internal representation by returning AuthenticatorData.rawData

com.yubico.yubikit.fido.webauthn.AuthenticatorData.getExtensions() may expose internal representation by returning AuthenticatorData.extensions

com.yubico.yubikit.fido.webauthn.AuthenticatorData.getRpIdHash() may expose internal representation by returning AuthenticatorData.rpIdHash

new com.yubico.yubikit.fido.webauthn.AuthenticatorData(byte[], byte, int, AttestedCredentialData, Map, byte[]) may expose internal representation by storing an externally mutable object into AuthenticatorData.extensions

new com.yubico.yubikit.fido.webauthn.AuthenticatorData(byte[], byte, int, AttestedCredentialData, Map, byte[]) may expose internal representation by storing an externally mutable object into AuthenticatorData.rawData

new com.yubico.yubikit.fido.webauthn.AuthenticatorData(byte[], byte, int, AttestedCredentialData, Map, byte[]) may expose internal representation by storing an externally mutable object into AuthenticatorData.rpIdHash

com.yubico.yubikit.fido.webauthn.AuthenticatorResponse.getClientDataJson() may expose internal representation by returning AuthenticatorResponse.clientDataJson

Suspicious comparison of Boolean references in com.yubico.yubikit.fido.webauthn.AuthenticatorSelectionCriteria.fromMap(Map, SerializationType)

new com.yubico.yubikit.fido.webauthn.PublicKeyCredential(byte[], AuthenticatorResponse) may expose internal representation by storing an externally mutable object into PublicKeyCredential.rawId

com.yubico.yubikit.fido.webauthn.PublicKeyCredentialCreationOptions.getChallenge() may expose internal representation by returning PublicKeyCredentialCreationOptions.challenge

com.yubico.yubikit.fido.webauthn.PublicKeyCredentialCreationOptions.getExcludeCredentials() may expose internal representation by returning PublicKeyCredentialCreationOptions.excludeCredentials

com.yubico.yubikit.fido.webauthn.PublicKeyCredentialCreationOptions.getPubKeyCredParams() may expose internal representation by returning PublicKeyCredentialCreationOptions.pubKeyCredParams

new com.yubico.yubikit.fido.webauthn.PublicKeyCredentialCreationOptions(PublicKeyCredentialRpEntity, PublicKeyCredentialUserEntity, byte[], List, Long, List, AuthenticatorSelectionCriteria, String, Extensions) may expose internal representation by storing an externally mutable object into PublicKeyCredentialCreationOptions.challenge

new com.yubico.yubikit.fido.webauthn.PublicKeyCredentialCreationOptions(PublicKeyCredentialRpEntity, PublicKeyCredentialUserEntity, byte[], List, Long, List, AuthenticatorSelectionCriteria, String, Extensions) may expose internal representation by storing an externally mutable object into PublicKeyCredentialCreationOptions.pubKeyCredParams

com.yubico.yubikit.fido.webauthn.PublicKeyCredentialDescriptor.getId() may expose internal representation by returning PublicKeyCredentialDescriptor.id

com.yubico.yubikit.fido.webauthn.PublicKeyCredentialDescriptor.getTransports() may expose internal representation by returning PublicKeyCredentialDescriptor.transports

new com.yubico.yubikit.fido.webauthn.PublicKeyCredentialDescriptor(String, byte[]) may expose internal representation by storing an externally mutable object into PublicKeyCredentialDescriptor.id

new com.yubico.yubikit.fido.webauthn.PublicKeyCredentialDescriptor(String, byte[], List) may expose internal representation by storing an externally mutable object into PublicKeyCredentialDescriptor.id

new com.yubico.yubikit.fido.webauthn.PublicKeyCredentialDescriptor(String, byte[], List) may expose internal representation by storing an externally mutable object into PublicKeyCredentialDescriptor.transports

com.yubico.yubikit.fido.webauthn.PublicKeyCredentialRequestOptions.getAllowCredentials() may expose internal representation by returning PublicKeyCredentialRequestOptions.allowCredentials

com.yubico.yubikit.fido.webauthn.PublicKeyCredentialRequestOptions.getChallenge() may expose internal representation by returning PublicKeyCredentialRequestOptions.challenge

new com.yubico.yubikit.fido.webauthn.PublicKeyCredentialRequestOptions(byte[], Long, String, List, String, Extensions) may expose internal representation by storing an externally mutable object into PublicKeyCredentialRequestOptions.challenge

com.yubico.yubikit.fido.webauthn.PublicKeyCredentialUserEntity.getId() may expose internal representation by returning PublicKeyCredentialUserEntity.id

new com.yubico.yubikit.fido.webauthn.PublicKeyCredentialUserEntity(String, byte[], String) may expose internal representation by storing an externally mutable object into PublicKeyCredentialUserEntity.id

new com.yubico.yubikit.management.DeviceInfo(DeviceConfig, Integer, Version, FormFactor, Map, boolean, boolean, boolean) may expose internal representation by storing an externally mutable object into DeviceInfo.supportedCapabilities

Exception thrown in class com.yubico.yubikit.management.ManagementSession at new com.yubico.yubikit.management.ManagementSession(FidoConnection) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks.

Exception thrown in class com.yubico.yubikit.management.ManagementSession at new com.yubico.yubikit.management.ManagementSession(OtpConnection) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks.

Exception thrown in class com.yubico.yubikit.management.ManagementSession at new com.yubico.yubikit.management.ManagementSession(SmartCardConnection) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks.

Use of non-localized String.toUpperCase() or String.toLowerCase() in com.yubico.yubikit.oath.CredentialData.decodeSecret(String)

The regular expression "^((\\d+)/)?(([^:]+):)?(.+)$" is vulnerable to a denial of service attack (ReDOS)

Improper handling of Unicode transformations such as case mapping and normalization.

Exception thrown in class com.yubico.yubikit.oath.OathSession at new com.yubico.yubikit.oath.OathSession(SmartCardConnection) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks.

Improper handling of Unicode transformations such as case mapping and normalization.

Improper handling of Unicode transformations such as case mapping and normalization.

com.yubico.yubikit.openpgp.ApplicationRelatedData.getGeneralFeatureManagement() may expose internal representation by returning ApplicationRelatedData.generalFeatureManagement

new com.yubico.yubikit.openpgp.ApplicationRelatedData(OpenPgpAid, byte[], ExtendedLengthInfo, EnumSet, DiscretionaryDataObjects) may expose internal representation by storing an externally mutable object into ApplicationRelatedData.generalFeatureManagement

new com.yubico.yubikit.openpgp.ApplicationRelatedData(OpenPgpAid, byte[], ExtendedLengthInfo, EnumSet, DiscretionaryDataObjects) may expose internal representation by storing an externally mutable object into ApplicationRelatedData.historical

new com.yubico.yubikit.openpgp.DiscretionaryDataObjects(ExtendedCapabilities, AlgorithmAttributes, AlgorithmAttributes, AlgorithmAttributes, AlgorithmAttributes, PwStatus, Map, Map, Map, Map, Uif, Uif, Uif, Uif) may expose internal representation by storing an externally mutable object into DiscretionaryDataObjects.caFingerprints

new com.yubico.yubikit.openpgp.DiscretionaryDataObjects(ExtendedCapabilities, AlgorithmAttributes, AlgorithmAttributes, AlgorithmAttributes, AlgorithmAttributes, PwStatus, Map, Map, Map, Map, Uif, Uif, Uif, Uif) may expose internal representation by storing an externally mutable object into DiscretionaryDataObjects.fingerprints

new com.yubico.yubikit.openpgp.DiscretionaryDataObjects(ExtendedCapabilities, AlgorithmAttributes, AlgorithmAttributes, AlgorithmAttributes, AlgorithmAttributes, PwStatus, Map, Map, Map, Map, Uif, Uif, Uif, Uif) may expose internal representation by storing an externally mutable object into DiscretionaryDataObjects.generationTimes

new com.yubico.yubikit.openpgp.DiscretionaryDataObjects(ExtendedCapabilities, AlgorithmAttributes, AlgorithmAttributes, AlgorithmAttributes, AlgorithmAttributes, PwStatus, Map, Map, Map, Map, Uif, Uif, Uif, Uif) may expose internal representation by storing an externally mutable object into DiscretionaryDataObjects.keyInformation

Should com.yubico.yubikit.openpgp.DiscretionaryDataObjects.getCaFingerprint(KeyRef) return a zero length array rather than null?

Should com.yubico.yubikit.openpgp.DiscretionaryDataObjects.getFingerprint(KeyRef) return a zero length array rather than null?

com.yubico.yubikit.openpgp.ExtendedCapabilities.getFlags() may expose internal representation by returning ExtendedCapabilities.flags

new com.yubico.yubikit.openpgp.ExtendedCapabilities(EnumSet, int, int, int, int, boolean, boolean) may expose internal representation by storing an externally mutable object into ExtendedCapabilities.flags

new com.yubico.yubikit.openpgp.Kdf$IterSaltedS2k(Kdf$IterSaltedS2k$HashAlgorithm, int, byte[], byte[], byte[], byte[], byte[]) may expose internal representation by storing an externally mutable object into Kdf$IterSaltedS2k.initialHashAdmin

new com.yubico.yubikit.openpgp.Kdf$IterSaltedS2k(Kdf$IterSaltedS2k$HashAlgorithm, int, byte[], byte[], byte[], byte[], byte[]) may expose internal representation by storing an externally mutable object into Kdf$IterSaltedS2k.initialHashUser

new com.yubico.yubikit.openpgp.Kdf$IterSaltedS2k(Kdf$IterSaltedS2k$HashAlgorithm, int, byte[], byte[], byte[], byte[], byte[]) may expose internal representation by storing an externally mutable object into Kdf$IterSaltedS2k.saltAdmin

new com.yubico.yubikit.openpgp.Kdf$IterSaltedS2k(Kdf$IterSaltedS2k$HashAlgorithm, int, byte[], byte[], byte[], byte[], byte[]) may expose internal representation by storing an externally mutable object into Kdf$IterSaltedS2k.saltReset

new com.yubico.yubikit.openpgp.Kdf$IterSaltedS2k(Kdf$IterSaltedS2k$HashAlgorithm, int, byte[], byte[], byte[], byte[], byte[]) may expose internal representation by storing an externally mutable object into Kdf$IterSaltedS2k.saltUser

Exception thrown in class com.yubico.yubikit.openpgp.OpenPgpSession at new com.yubico.yubikit.openpgp.OpenPgpSession(SmartCardConnection) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks.

Overridable method getApplicationRelatedData is called from constructor new com.yubico.yubikit.openpgp.OpenPgpSession(SmartCardConnection).

Use of non-localized String.toUpperCase() or String.toLowerCase() in com.yubico.yubikit.openpgp.PinPolicy.toString()

Use of non-localized String.toUpperCase() or String.toLowerCase() in com.yubico.yubikit.openpgp.Uif.toString()

Exception thrown in class com.yubico.yubikit.piv.ObjectId at new com.yubico.yubikit.piv.ObjectId() will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks.

String is modified after validation and not before it. Tricky attackers may pass malicious strings which bypass validation.

Use of RSA cipher without proper padding

Use of RSA cipher without proper padding

Unsafe comparison of hash that are susceptible to timing attack

Unchecked/unconfirmed cast from com.yubico.yubikit.core.keys.PrivateKeyValues to com.yubico.yubikit.core.keys.PrivateKeyValues$Ec in com.yubico.yubikit.piv.PivSession.putKey(Slot, PrivateKeyValues, PinPolicy, TouchPolicy)

Unchecked/unconfirmed cast from com.yubico.yubikit.core.keys.PrivateKeyValues to com.yubico.yubikit.core.keys.PrivateKeyValues$Rsa in com.yubico.yubikit.piv.PivSession.putKey(Slot, PrivateKeyValues, PinPolicy, TouchPolicy)

Exception thrown in class com.yubico.yubikit.piv.PivSession at new com.yubico.yubikit.piv.PivSession(SmartCardConnection) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks.

Exception thrown in class com.yubico.yubikit.piv.jca.PivCipherSpi at new com.yubico.yubikit.piv.jca.PivCipherSpi(Callback, Map) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks.

Use of RSA cipher without proper padding

Exception thrown in class com.yubico.yubikit.piv.jca.PivEcSignatureSpi$Hashed at new com.yubico.yubikit.piv.jca.PivEcSignatureSpi$Hashed(Callback, String) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks.

com.yubico.yubikit.piv.jca.PivKeyManager.getPrivateKey(String) may expose internal representation by returning PivKeyManager.privateKey

new com.yubico.yubikit.piv.jca.PivKeyManager(PivPrivateKey, X509Certificate[]) may expose internal representation by storing an externally mutable object into PivKeyManager.privateKey

Unchecked/unconfirmed cast from java.security.Key to java.security.PrivateKey in com.yubico.yubikit.piv.jca.PivKeyStoreSpi.engineSetKeyEntry(String, Key, char[], Certificate[])

Should com.yubico.yubikit.piv.jca.PivPrivateKey.getEncoded() return a zero length array rather than null?

Use of non-localized String.toUpperCase() or String.toLowerCase() in new com.yubico.yubikit.piv.jca.PivProvider(Callback)

Improper handling of Unicode transformations such as case mapping and normalization.

Exception thrown in class com.yubico.yubikit.piv.jca.PivRsaSignatureSpi at new com.yubico.yubikit.piv.jca.PivRsaSignatureSpi(Callback, Map, String) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks.

Use of RSA cipher without proper padding

com.yubico.yubikit.testing.fido.BasicWebAuthnClientTests.testClientCredentialManagement(Ctap2Session, Object[]) makes inefficient use of keySet iterator instead of entrySet iterator

Suspicious comparison of Boolean references in com.yubico.yubikit.testing.fido.EnterpriseAttestationTests.enableEp(Ctap2Session, PinUvAuthProtocol)

This use of org/slf4j/Logger.info(Ljava/lang/String;Ljava/lang/Object;)V might be used to include CRLF characters into log messages

This use of org/slf4j/Logger.info(Ljava/lang/String;Ljava/lang/Object;)V might be used to include CRLF characters into log messages

This use of org/slf4j/Logger.debug(Ljava/lang/String;Ljava/lang/Object;)V might be used to include CRLF characters into log messages

This use of org/slf4j/Logger.debug(Ljava/lang/String;Ljava/lang/Object;)V might be used to include CRLF characters into log messages

This use of org/slf4j/Logger.debug(Ljava/lang/String;Ljava/lang/Object;Ljava/lang/Object;)V might be used to include CRLF characters into log messages

This use of org/slf4j/Logger.debug(Ljava/lang/String;Ljava/lang/Object;)V might be used to include CRLF characters into log messages

This use of org/slf4j/Logger.debug(Ljava/lang/String;Ljava/lang/Object;)V might be used to include CRLF characters into log messages

This use of org/slf4j/Logger.debug(Ljava/lang/String;Ljava/lang/Object;)V might be used to include CRLF characters into log messages

This use of org/slf4j/Logger.debug(Ljava/lang/String;Ljava/lang/Object;)V might be used to include CRLF characters into log messages

This use of org/slf4j/Logger.debug(Ljava/lang/String;Ljava/lang/Object;)V might be used to include CRLF characters into log messages

This use of org/slf4j/Logger.debug(Ljava/lang/String;[Ljava/lang/Object;)V might be used to include CRLF characters into log messages

This use of org/slf4j/Logger.debug(Ljava/lang/String;[Ljava/lang/Object;)V might be used to include CRLF characters into log messages

Unchecked/unconfirmed cast from java.security.PublicKey to java.security.interfaces.ECKey in com.yubico.yubikit.testing.piv.PivTestUtils.ecKeyAgreement(PrivateKey, PublicKey)

Exception thrown in class com.yubico.yubikit.yubiotp.HmacSha1SlotConfiguration at new com.yubico.yubikit.yubiotp.HmacSha1SlotConfiguration(byte[]) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks.

This API SHA1 (SHA-1) is not a recommended cryptographic hash function

Exception thrown in class com.yubico.yubikit.yubiotp.StaticPasswordSlotConfiguration at new com.yubico.yubikit.yubiotp.StaticPasswordSlotConfiguration(byte[]) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks.

Exception thrown in class com.yubico.yubikit.yubiotp.StaticTicketSlotConfiguration at new com.yubico.yubikit.yubiotp.StaticTicketSlotConfiguration(byte[], byte[], byte[]) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks.

Exception thrown in class com.yubico.yubikit.yubiotp.YubiOtpSession at new com.yubico.yubikit.yubiotp.YubiOtpSession(OtpConnection) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks.

Exception thrown in class com.yubico.yubikit.yubiotp.YubiOtpSession at new com.yubico.yubikit.yubiotp.YubiOtpSession(SmartCardConnection) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks.