com.yubico.yubikit.android.app.databinding.ActivityMainBinding.getRoot() may expose internal representation by returning ActivityMainBinding.rootView Summary: ...

com.yubico.yubikit.android.app.databinding.AppBarMainBinding.getRoot() may expose internal representation by returning AppBarMainBinding.rootView Summary: ...

com.yubico.yubikit.android.app.databinding.FragmentWebBinding.getRoot() may expose internal representation by returning FragmentWebBinding.rootView Summary: ...

Exception thrown in class com.yubico.yubikit.android.transport.nfc.NfcYubiKeyManager at new com.yubico.yubikit.android.transport.nfc.NfcYubiKeyManager(Context, NfcDispatcher) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks. Summary: ...

Exception thrown in class com.yubico.yubikit.android.transport.usb.UsbYubiKeyDevice at new com.yubico.yubikit.android.transport.usb.UsbYubiKeyDevice(UsbManager, UsbDevice) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks. Summary: ...

Exception thrown in class com.yubico.yubikit.android.transport.usb.connection.UsbSmartCardConnection at new com.yubico.yubikit.android.transport.usb.connection.UsbSmartCardConnection(UsbDeviceConnection, UsbInterface, UsbEndpoint, UsbEndpoint) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks. Summary: ...

Non-null field keyListener is not initialized by new com.yubico.yubikit.android.ui.OtpActivity() Summary: ...

Non-null field action is not initialized by new com.yubico.yubikit.android.ui.YubiKeyPromptActivity() Summary: ...

Non-null field cancelButton is not initialized by new com.yubico.yubikit.android.ui.YubiKeyPromptActivity() Summary: ...

Non-null field enableNfcButton is not initialized by new com.yubico.yubikit.android.ui.YubiKeyPromptActivity() Summary: ...

Non-null field helpTextView is not initialized by new com.yubico.yubikit.android.ui.YubiKeyPromptActivity() Summary: ...

Non-null field yubiKit is not initialized by new com.yubico.yubikit.android.ui.YubiKeyPromptActivity() Summary: ...

Wait not in loop in com.yubico.yubikit.core.application.CommandState.waitForCancel(long) Summary: ...

Exception thrown in class com.yubico.yubikit.core.fido.FidoProtocol at new com.yubico.yubikit.core.fido.FidoProtocol(FidoConnection) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks. Summary: ...

This use of org/slf4j/Logger.trace(Ljava/lang/String;)V might be used to include CRLF characters into log messages Summary: ...

This use of org/slf4j/Logger.debug(Ljava/lang/String;)V might be used to include CRLF characters into log messages Summary: ...

This use of org/slf4j/Logger.info(Ljava/lang/String;)V might be used to include CRLF characters into log messages Summary: ...

This use of org/slf4j/Logger.warn(Ljava/lang/String;)V might be used to include CRLF characters into log messages Summary: ...

This use of org/slf4j/Logger.error(Ljava/lang/String;)V might be used to include CRLF characters into log messages Summary: ...

This use of org/slf4j/Logger.trace(Ljava/lang/String;Ljava/lang/Object;)V might be used to include CRLF characters into log messages Summary: ...

This use of org/slf4j/Logger.debug(Ljava/lang/String;Ljava/lang/Object;)V might be used to include CRLF characters into log messages Summary: ...

This use of org/slf4j/Logger.info(Ljava/lang/String;Ljava/lang/Object;)V might be used to include CRLF characters into log messages Summary: ...

This use of org/slf4j/Logger.warn(Ljava/lang/String;Ljava/lang/Object;)V might be used to include CRLF characters into log messages Summary: ...

This use of org/slf4j/Logger.error(Ljava/lang/String;Ljava/lang/Object;)V might be used to include CRLF characters into log messages Summary: ...

This use of org/slf4j/Logger.trace(Ljava/lang/String;Ljava/lang/Object;Ljava/lang/Object;)V might be used to include CRLF characters into log messages Summary: ...

This use of org/slf4j/Logger.debug(Ljava/lang/String;Ljava/lang/Object;Ljava/lang/Object;)V might be used to include CRLF characters into log messages Summary: ...

This use of org/slf4j/Logger.info(Ljava/lang/String;Ljava/lang/Object;Ljava/lang/Object;)V might be used to include CRLF characters into log messages Summary: ...

This use of org/slf4j/Logger.warn(Ljava/lang/String;Ljava/lang/Object;Ljava/lang/Object;)V might be used to include CRLF characters into log messages Summary: ...

This use of org/slf4j/Logger.error(Ljava/lang/String;Ljava/lang/Object;Ljava/lang/Object;)V might be used to include CRLF characters into log messages Summary: ...

This use of org/slf4j/Logger.trace(Ljava/lang/String;[Ljava/lang/Object;)V might be used to include CRLF characters into log messages Summary: ...

This use of org/slf4j/Logger.debug(Ljava/lang/String;[Ljava/lang/Object;)V might be used to include CRLF characters into log messages Summary: ...

This use of org/slf4j/Logger.info(Ljava/lang/String;[Ljava/lang/Object;)V might be used to include CRLF characters into log messages Summary: ...

This use of org/slf4j/Logger.warn(Ljava/lang/String;[Ljava/lang/Object;)V might be used to include CRLF characters into log messages Summary: ...

This use of org/slf4j/Logger.error(Ljava/lang/String;[Ljava/lang/Object;)V might be used to include CRLF characters into log messages Summary: ...

Exception thrown in class com.yubico.yubikit.core.keys.PrivateKeyValues$Rsa at new com.yubico.yubikit.core.keys.PrivateKeyValues$Rsa(BigInteger, BigInteger, BigInteger, BigInteger, BigInteger, BigInteger, BigInteger) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks. Summary: ...

Exception thrown in class com.yubico.yubikit.core.keys.PublicKeyValues$Cv25519 at new com.yubico.yubikit.core.keys.PublicKeyValues$Cv25519(EllipticCurveValues, byte[]) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks. Summary: ...

Exception thrown in class com.yubico.yubikit.core.keys.PublicKeyValues$Ec at new com.yubico.yubikit.core.keys.PublicKeyValues$Ec(EllipticCurveValues, BigInteger, BigInteger) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks. Summary: ...

Exception thrown in class com.yubico.yubikit.core.otp.ChecksumUtils at new com.yubico.yubikit.core.otp.ChecksumUtils() will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks. Summary: ...

Use of non-localized String.toUpperCase() or String.toLowerCase() in com.yubico.yubikit.core.otp.Modhex.decode(String) Summary: ...

Exception thrown in class com.yubico.yubikit.core.otp.OtpProtocol at new com.yubico.yubikit.core.otp.OtpProtocol(OtpConnection) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks. Summary: ...

Exception thrown in class com.yubico.yubikit.core.smartcard.ApduResponse at new com.yubico.yubikit.core.smartcard.ApduResponse(byte[]) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks. Summary: ...

Exception thrown in class com.yubico.yubikit.core.util.RandomUtils at new com.yubico.yubikit.core.util.RandomUtils() will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks. Summary: ...

Exception thrown in class com.yubico.yubikit.core.util.StringUtils at new com.yubico.yubikit.core.util.StringUtils() will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks. Summary: ...

Exception thrown in class com.yubico.yubikit.fido.client.BasicWebAuthnClient at new com.yubico.yubikit.fido.client.BasicWebAuthnClient(Ctap2Session) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks. Summary: ...

com.yubico.yubikit.fido.client.BasicWebAuthnClient.getUserAgentConfiguration() may expose internal representation by returning BasicWebAuthnClient.userAgentConfiguration Summary: ...

com.yubico.yubikit.fido.client.BasicWebAuthnClient$UserAgentConfiguration.setEpSupportedRpIds(List) may expose internal representation by storing an externally mutable object into BasicWebAuthnClient$UserAgentConfiguration.epSupportedRpIds Summary: ...

Dead store to credentialIdMap in com.yubico.yubikit.fido.client.CredentialManager.getCredentials(String) Summary: ...

Do not catch NullPointerException like in com.yubico.yubikit.fido.client.MultipleAssertionsAvailable.getUsers() Summary: ...

Exception thrown in class com.yubico.yubikit.fido.ctap.Config at new com.yubico.yubikit.fido.ctap.Config(Ctap2Session, PinUvAuthProtocol, byte[]) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks. Summary: ...

Exception thrown in class com.yubico.yubikit.fido.ctap.CredentialManagement at new com.yubico.yubikit.fido.ctap.CredentialManagement(Ctap2Session, PinUvAuthProtocol, byte[]) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks. Summary: ...

new com.yubico.yubikit.fido.ctap.CredentialManagement(Ctap2Session, PinUvAuthProtocol, byte[]) may expose internal representation by storing an externally mutable object into CredentialManagement.pinUvToken Summary: ...

com.yubico.yubikit.fido.ctap.CredentialManagement$CredentialData.getCredentialId() may expose internal representation by returning CredentialManagement$CredentialData.credentialId Summary: ...

com.yubico.yubikit.fido.ctap.CredentialManagement$CredentialData.getPublicKey() may expose internal representation by returning CredentialManagement$CredentialData.publicKey Summary: ...

com.yubico.yubikit.fido.ctap.CredentialManagement$CredentialData.getUser() may expose internal representation by returning CredentialManagement$CredentialData.user Summary: ...

com.yubico.yubikit.fido.ctap.CredentialManagement$RpData.getRp() may expose internal representation by returning CredentialManagement$RpData.rp Summary: ...

com.yubico.yubikit.fido.ctap.CredentialManagement$RpData.getRpIdHash() may expose internal representation by returning CredentialManagement$RpData.rpIdHash Summary: ...

Exception thrown in class com.yubico.yubikit.fido.ctap.Ctap2Session at new com.yubico.yubikit.fido.ctap.Ctap2Session(Version, Ctap2Session$Backend) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks. Summary: ...

Exception thrown in class com.yubico.yubikit.fido.ctap.Ctap2Session at new com.yubico.yubikit.fido.ctap.Ctap2Session(FidoConnection) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks. Summary: ...

Exception thrown in class com.yubico.yubikit.fido.ctap.Ctap2Session at new com.yubico.yubikit.fido.ctap.Ctap2Session(FidoProtocol) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks. Summary: ...

Exception thrown in class com.yubico.yubikit.fido.ctap.Ctap2Session at new com.yubico.yubikit.fido.ctap.Ctap2Session(SmartCardConnection) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks. Summary: ...

Exception thrown in class com.yubico.yubikit.fido.ctap.Ctap2Session at new com.yubico.yubikit.fido.ctap.Ctap2Session(SmartCardConnection, Version) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks. Summary: ...

Overridable method getInfo is called from constructor new com.yubico.yubikit.fido.ctap.Ctap2Session(Version, Ctap2Session$Backend). Summary: ...

com.yubico.yubikit.fido.ctap.Ctap2Session$AssertionData.getAuthenticatorData() may expose internal representation by returning Ctap2Session$AssertionData.authenticatorData Summary: ...

com.yubico.yubikit.fido.ctap.Ctap2Session$AssertionData.getCredential() may expose internal representation by returning Ctap2Session$AssertionData.credential Summary: ...

com.yubico.yubikit.fido.ctap.Ctap2Session$AssertionData.getSignature() may expose internal representation by returning Ctap2Session$AssertionData.signature Summary: ...

com.yubico.yubikit.fido.ctap.Ctap2Session$AssertionData.getUser() may expose internal representation by returning Ctap2Session$AssertionData.user Summary: ...

com.yubico.yubikit.fido.ctap.Ctap2Session$CredentialData.getAttestationStatement() may expose internal representation by returning Ctap2Session$CredentialData.attestationStatement Summary: ...

com.yubico.yubikit.fido.ctap.Ctap2Session$CredentialData.getAuthenticatorData() may expose internal representation by returning Ctap2Session$CredentialData.authenticatorData Summary: ...

com.yubico.yubikit.fido.ctap.Ctap2Session$CredentialData.getLargeBlobKey() may expose internal representation by returning Ctap2Session$CredentialData.largeBlobKey Summary: ...

com.yubico.yubikit.fido.ctap.Ctap2Session$InfoData.getAaguid() may expose internal representation by returning Ctap2Session$InfoData.aaguid Summary: ...

com.yubico.yubikit.fido.ctap.Ctap2Session$InfoData.getAlgorithms() may expose internal representation by returning Ctap2Session$InfoData.algorithms Summary: ...

com.yubico.yubikit.fido.ctap.Ctap2Session$InfoData.getCertifications() may expose internal representation by returning Ctap2Session$InfoData.certifications Summary: ...

com.yubico.yubikit.fido.ctap.Ctap2Session$InfoData.getExtensions() may expose internal representation by returning Ctap2Session$InfoData.extensions Summary: ...

com.yubico.yubikit.fido.ctap.Ctap2Session$InfoData.getOptions() may expose internal representation by returning Ctap2Session$InfoData.options Summary: ...

com.yubico.yubikit.fido.ctap.Ctap2Session$InfoData.getPinUvAuthProtocols() may expose internal representation by returning Ctap2Session$InfoData.pinUvAuthProtocols Summary: ...

com.yubico.yubikit.fido.ctap.Ctap2Session$InfoData.getTransports() may expose internal representation by returning Ctap2Session$InfoData.transports Summary: ...

com.yubico.yubikit.fido.ctap.Ctap2Session$InfoData.getVendorPrototypeConfigCommands() may expose internal representation by returning Ctap2Session$InfoData.vendorPrototypeConfigCommands Summary: ...

com.yubico.yubikit.fido.ctap.Ctap2Session$InfoData.getVersions() may expose internal representation by returning Ctap2Session$InfoData.versions Summary: ...

Exception thrown in class com.yubico.yubikit.fido.ctap.Hkdf at new com.yubico.yubikit.fido.ctap.Hkdf(String) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks. Summary: ...

The cipher does not provide data integrity Summary: ...

The cipher does not provide data integrity Summary: ...

The initialization vector (IV) is not properly generated Summary: ...

The cipher does not provide data integrity Summary: ...

The initialization vector (IV) is not properly generated Summary: ...

com.yubico.yubikit.fido.webauthn.AttestationObject.getAttestationStatement() may expose internal representation by returning AttestationObject.attestationStatement Summary: ...

com.yubico.yubikit.fido.webauthn.AttestationObject.getLargeBlobKey() may expose internal representation by returning AttestationObject.largeBlobKey Summary: ...

new com.yubico.yubikit.fido.webauthn.AttestationObject(String, AuthenticatorData, Map, Boolean, byte[]) may expose internal representation by storing an externally mutable object into AttestationObject.attestationStatement Summary: ...

new com.yubico.yubikit.fido.webauthn.AttestationObject(String, AuthenticatorData, Map, Boolean, byte[]) may expose internal representation by storing an externally mutable object into AttestationObject.largeBlobKey Summary: ...

com.yubico.yubikit.fido.webauthn.AttestedCredentialData.getAaguid() may expose internal representation by returning AttestedCredentialData.aaguid Summary: ...

com.yubico.yubikit.fido.webauthn.AttestedCredentialData.getCosePublicKey() may expose internal representation by returning AttestedCredentialData.cosePublicKey Summary: ...

com.yubico.yubikit.fido.webauthn.AttestedCredentialData.getCredentialId() may expose internal representation by returning AttestedCredentialData.credentialId Summary: ...

new com.yubico.yubikit.fido.webauthn.AttestedCredentialData(byte[], byte[], Map) may expose internal representation by storing an externally mutable object into AttestedCredentialData.aaguid Summary: ...

new com.yubico.yubikit.fido.webauthn.AttestedCredentialData(byte[], byte[], Map) may expose internal representation by storing an externally mutable object into AttestedCredentialData.cosePublicKey Summary: ...

new com.yubico.yubikit.fido.webauthn.AttestedCredentialData(byte[], byte[], Map) may expose internal representation by storing an externally mutable object into AttestedCredentialData.credentialId Summary: ...

com.yubico.yubikit.fido.webauthn.AuthenticatorAssertionResponse.getAuthenticatorData() may expose internal representation by returning AuthenticatorAssertionResponse.authenticatorData Summary: ...

com.yubico.yubikit.fido.webauthn.AuthenticatorAssertionResponse.getSignature() may expose internal representation by returning AuthenticatorAssertionResponse.signature Summary: ...

com.yubico.yubikit.fido.webauthn.AuthenticatorAssertionResponse.getUserHandle() may expose internal representation by returning AuthenticatorAssertionResponse.userHandle Summary: ...

new com.yubico.yubikit.fido.webauthn.AuthenticatorAssertionResponse(byte[], byte[], byte[], byte[]) may expose internal representation by storing an externally mutable object into AuthenticatorAssertionResponse.authenticatorData Summary: ...

new com.yubico.yubikit.fido.webauthn.AuthenticatorAssertionResponse(byte[], byte[], byte[], byte[]) may expose internal representation by storing an externally mutable object into AuthenticatorAssertionResponse.signature Summary: ...

new com.yubico.yubikit.fido.webauthn.AuthenticatorAssertionResponse(byte[], byte[], byte[], byte[]) may expose internal representation by storing an externally mutable object into AuthenticatorAssertionResponse.userHandle Summary: ...

Exception thrown in class com.yubico.yubikit.fido.webauthn.AuthenticatorAttestationResponse at new com.yubico.yubikit.fido.webauthn.AuthenticatorAttestationResponse(byte[], List, AttestationObject) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks. Summary: ...

com.yubico.yubikit.fido.webauthn.AuthenticatorAttestationResponse.getAttestationObject() may expose internal representation by returning AuthenticatorAttestationResponse.attestationObject Summary: ...

com.yubico.yubikit.fido.webauthn.AuthenticatorAttestationResponse.getPublicKey() may expose internal representation by returning AuthenticatorAttestationResponse.publicKey Summary: ...

com.yubico.yubikit.fido.webauthn.AuthenticatorAttestationResponse.getTransports() may expose internal representation by returning AuthenticatorAttestationResponse.transports Summary: ...

new com.yubico.yubikit.fido.webauthn.AuthenticatorAttestationResponse(byte[], AuthenticatorData, List, byte[], int, byte[]) may expose internal representation by storing an externally mutable object into AuthenticatorAttestationResponse.attestationObject Summary: ...

new com.yubico.yubikit.fido.webauthn.AuthenticatorAttestationResponse(byte[], AuthenticatorData, List, byte[], int, byte[]) may expose internal representation by storing an externally mutable object into AuthenticatorAttestationResponse.publicKey Summary: ...

new com.yubico.yubikit.fido.webauthn.AuthenticatorAttestationResponse(byte[], AuthenticatorData, List, byte[], int, byte[]) may expose internal representation by storing an externally mutable object into AuthenticatorAttestationResponse.transports Summary: ...

new com.yubico.yubikit.fido.webauthn.AuthenticatorAttestationResponse(byte[], List, AttestationObject) may expose internal representation by storing an externally mutable object into AuthenticatorAttestationResponse.transports Summary: ...

com.yubico.yubikit.fido.webauthn.AuthenticatorData.getBytes() may expose internal representation by returning AuthenticatorData.rawData Summary: ...

com.yubico.yubikit.fido.webauthn.AuthenticatorData.getExtensions() may expose internal representation by returning AuthenticatorData.extensions Summary: ...

com.yubico.yubikit.fido.webauthn.AuthenticatorData.getRpIdHash() may expose internal representation by returning AuthenticatorData.rpIdHash Summary: ...

new com.yubico.yubikit.fido.webauthn.AuthenticatorData(byte[], byte, int, AttestedCredentialData, Map, byte[]) may expose internal representation by storing an externally mutable object into AuthenticatorData.extensions Summary: ...

new com.yubico.yubikit.fido.webauthn.AuthenticatorData(byte[], byte, int, AttestedCredentialData, Map, byte[]) may expose internal representation by storing an externally mutable object into AuthenticatorData.rawData Summary: ...

new com.yubico.yubikit.fido.webauthn.AuthenticatorData(byte[], byte, int, AttestedCredentialData, Map, byte[]) may expose internal representation by storing an externally mutable object into AuthenticatorData.rpIdHash Summary: ...

com.yubico.yubikit.fido.webauthn.AuthenticatorResponse.getClientDataJson() may expose internal representation by returning AuthenticatorResponse.clientDataJson Summary: ...

Suspicious comparison of Boolean references in com.yubico.yubikit.fido.webauthn.AuthenticatorSelectionCriteria.fromMap(Map, SerializationType) Summary: ...

new com.yubico.yubikit.fido.webauthn.PublicKeyCredential(byte[], AuthenticatorResponse) may expose internal representation by storing an externally mutable object into PublicKeyCredential.rawId Summary: ...

com.yubico.yubikit.fido.webauthn.PublicKeyCredentialCreationOptions.getChallenge() may expose internal representation by returning PublicKeyCredentialCreationOptions.challenge Summary: ...

com.yubico.yubikit.fido.webauthn.PublicKeyCredentialCreationOptions.getExcludeCredentials() may expose internal representation by returning PublicKeyCredentialCreationOptions.excludeCredentials Summary: ...

com.yubico.yubikit.fido.webauthn.PublicKeyCredentialCreationOptions.getPubKeyCredParams() may expose internal representation by returning PublicKeyCredentialCreationOptions.pubKeyCredParams Summary: ...

new com.yubico.yubikit.fido.webauthn.PublicKeyCredentialCreationOptions(PublicKeyCredentialRpEntity, PublicKeyCredentialUserEntity, byte[], List, Long, List, AuthenticatorSelectionCriteria, String, Extensions) may expose internal representation by storing an externally mutable object into PublicKeyCredentialCreationOptions.challenge Summary: ...

new com.yubico.yubikit.fido.webauthn.PublicKeyCredentialCreationOptions(PublicKeyCredentialRpEntity, PublicKeyCredentialUserEntity, byte[], List, Long, List, AuthenticatorSelectionCriteria, String, Extensions) may expose internal representation by storing an externally mutable object into PublicKeyCredentialCreationOptions.pubKeyCredParams Summary: ...

com.yubico.yubikit.fido.webauthn.PublicKeyCredentialDescriptor.getId() may expose internal representation by returning PublicKeyCredentialDescriptor.id Summary: ...

com.yubico.yubikit.fido.webauthn.PublicKeyCredentialDescriptor.getTransports() may expose internal representation by returning PublicKeyCredentialDescriptor.transports Summary: ...

new com.yubico.yubikit.fido.webauthn.PublicKeyCredentialDescriptor(String, byte[]) may expose internal representation by storing an externally mutable object into PublicKeyCredentialDescriptor.id Summary: ...

new com.yubico.yubikit.fido.webauthn.PublicKeyCredentialDescriptor(String, byte[], List) may expose internal representation by storing an externally mutable object into PublicKeyCredentialDescriptor.id Summary: ...

new com.yubico.yubikit.fido.webauthn.PublicKeyCredentialDescriptor(String, byte[], List) may expose internal representation by storing an externally mutable object into PublicKeyCredentialDescriptor.transports Summary: ...

com.yubico.yubikit.fido.webauthn.PublicKeyCredentialRequestOptions.getAllowCredentials() may expose internal representation by returning PublicKeyCredentialRequestOptions.allowCredentials Summary: ...

com.yubico.yubikit.fido.webauthn.PublicKeyCredentialRequestOptions.getChallenge() may expose internal representation by returning PublicKeyCredentialRequestOptions.challenge Summary: ...

new com.yubico.yubikit.fido.webauthn.PublicKeyCredentialRequestOptions(byte[], Long, String, List, String, Extensions) may expose internal representation by storing an externally mutable object into PublicKeyCredentialRequestOptions.challenge Summary: ...

com.yubico.yubikit.fido.webauthn.PublicKeyCredentialUserEntity.getId() may expose internal representation by returning PublicKeyCredentialUserEntity.id Summary: ...

new com.yubico.yubikit.fido.webauthn.PublicKeyCredentialUserEntity(String, byte[], String) may expose internal representation by storing an externally mutable object into PublicKeyCredentialUserEntity.id Summary: ...

new com.yubico.yubikit.management.DeviceInfo(DeviceConfig, Integer, Version, FormFactor, Map, boolean, boolean, boolean) may expose internal representation by storing an externally mutable object into DeviceInfo.supportedCapabilities Summary: ...

Exception thrown in class com.yubico.yubikit.management.ManagementSession at new com.yubico.yubikit.management.ManagementSession(FidoConnection) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks. Summary: ...

Exception thrown in class com.yubico.yubikit.management.ManagementSession at new com.yubico.yubikit.management.ManagementSession(OtpConnection) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks. Summary: ...

Exception thrown in class com.yubico.yubikit.management.ManagementSession at new com.yubico.yubikit.management.ManagementSession(SmartCardConnection) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks. Summary: ...

Use of non-localized String.toUpperCase() or String.toLowerCase() in com.yubico.yubikit.oath.CredentialData.decodeSecret(String) Summary: ...

The regular expression "^((\\d+)/)?(([^:]+):)?(.+)$" is vulnerable to a denial of service attack (ReDOS) Summary: ...

Improper handling of Unicode transformations such as case mapping and normalization. Summary: ...

Exception thrown in class com.yubico.yubikit.oath.OathSession at new com.yubico.yubikit.oath.OathSession(SmartCardConnection) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks. Summary: ...

Improper handling of Unicode transformations such as case mapping and normalization. Summary: ...

Improper handling of Unicode transformations such as case mapping and normalization. Summary: ...

com.yubico.yubikit.openpgp.ApplicationRelatedData.getGeneralFeatureManagement() may expose internal representation by returning ApplicationRelatedData.generalFeatureManagement Summary: ...

new com.yubico.yubikit.openpgp.ApplicationRelatedData(OpenPgpAid, byte[], ExtendedLengthInfo, EnumSet, DiscretionaryDataObjects) may expose internal representation by storing an externally mutable object into ApplicationRelatedData.generalFeatureManagement Summary: ...

new com.yubico.yubikit.openpgp.ApplicationRelatedData(OpenPgpAid, byte[], ExtendedLengthInfo, EnumSet, DiscretionaryDataObjects) may expose internal representation by storing an externally mutable object into ApplicationRelatedData.historical Summary: ...

new com.yubico.yubikit.openpgp.DiscretionaryDataObjects(ExtendedCapabilities, AlgorithmAttributes, AlgorithmAttributes, AlgorithmAttributes, AlgorithmAttributes, PwStatus, Map, Map, Map, Map, Uif, Uif, Uif, Uif) may expose internal representation by storing an externally mutable object into DiscretionaryDataObjects.caFingerprints Summary: ...

new com.yubico.yubikit.openpgp.DiscretionaryDataObjects(ExtendedCapabilities, AlgorithmAttributes, AlgorithmAttributes, AlgorithmAttributes, AlgorithmAttributes, PwStatus, Map, Map, Map, Map, Uif, Uif, Uif, Uif) may expose internal representation by storing an externally mutable object into DiscretionaryDataObjects.fingerprints Summary: ...

new com.yubico.yubikit.openpgp.DiscretionaryDataObjects(ExtendedCapabilities, AlgorithmAttributes, AlgorithmAttributes, AlgorithmAttributes, AlgorithmAttributes, PwStatus, Map, Map, Map, Map, Uif, Uif, Uif, Uif) may expose internal representation by storing an externally mutable object into DiscretionaryDataObjects.generationTimes Summary: ...

new com.yubico.yubikit.openpgp.DiscretionaryDataObjects(ExtendedCapabilities, AlgorithmAttributes, AlgorithmAttributes, AlgorithmAttributes, AlgorithmAttributes, PwStatus, Map, Map, Map, Map, Uif, Uif, Uif, Uif) may expose internal representation by storing an externally mutable object into DiscretionaryDataObjects.keyInformation Summary: ...

Should com.yubico.yubikit.openpgp.DiscretionaryDataObjects.getCaFingerprint(KeyRef) return a zero length array rather than null? Summary: ...

Should com.yubico.yubikit.openpgp.DiscretionaryDataObjects.getFingerprint(KeyRef) return a zero length array rather than null? Summary: ...

com.yubico.yubikit.openpgp.ExtendedCapabilities.getFlags() may expose internal representation by returning ExtendedCapabilities.flags Summary: ...

new com.yubico.yubikit.openpgp.ExtendedCapabilities(EnumSet, int, int, int, int, boolean, boolean) may expose internal representation by storing an externally mutable object into ExtendedCapabilities.flags Summary: ...

new com.yubico.yubikit.openpgp.Kdf$IterSaltedS2k(Kdf$IterSaltedS2k$HashAlgorithm, int, byte[], byte[], byte[], byte[], byte[]) may expose internal representation by storing an externally mutable object into Kdf$IterSaltedS2k.initialHashAdmin Summary: ...

new com.yubico.yubikit.openpgp.Kdf$IterSaltedS2k(Kdf$IterSaltedS2k$HashAlgorithm, int, byte[], byte[], byte[], byte[], byte[]) may expose internal representation by storing an externally mutable object into Kdf$IterSaltedS2k.initialHashUser Summary: ...

new com.yubico.yubikit.openpgp.Kdf$IterSaltedS2k(Kdf$IterSaltedS2k$HashAlgorithm, int, byte[], byte[], byte[], byte[], byte[]) may expose internal representation by storing an externally mutable object into Kdf$IterSaltedS2k.saltAdmin Summary: ...

new com.yubico.yubikit.openpgp.Kdf$IterSaltedS2k(Kdf$IterSaltedS2k$HashAlgorithm, int, byte[], byte[], byte[], byte[], byte[]) may expose internal representation by storing an externally mutable object into Kdf$IterSaltedS2k.saltReset Summary: ...

new com.yubico.yubikit.openpgp.Kdf$IterSaltedS2k(Kdf$IterSaltedS2k$HashAlgorithm, int, byte[], byte[], byte[], byte[], byte[]) may expose internal representation by storing an externally mutable object into Kdf$IterSaltedS2k.saltUser Summary: ...

Exception thrown in class com.yubico.yubikit.openpgp.OpenPgpSession at new com.yubico.yubikit.openpgp.OpenPgpSession(SmartCardConnection) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks. Summary: ...

Overridable method getApplicationRelatedData is called from constructor new com.yubico.yubikit.openpgp.OpenPgpSession(SmartCardConnection). Summary: ...

Use of non-localized String.toUpperCase() or String.toLowerCase() in com.yubico.yubikit.openpgp.PinPolicy.toString() Summary: ...

Use of non-localized String.toUpperCase() or String.toLowerCase() in com.yubico.yubikit.openpgp.Uif.toString() Summary: ...

Exception thrown in class com.yubico.yubikit.piv.ObjectId at new com.yubico.yubikit.piv.ObjectId() will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks. Summary: ...

String is modified after validation and not before it. Tricky attackers may pass malicious strings which bypass validation. Summary: ...

Use of RSA cipher without proper padding Summary: ...

Use of RSA cipher without proper padding Summary: ...

Unsafe comparison of hash that are susceptible to timing attack Summary: ...

Unchecked/unconfirmed cast from com.yubico.yubikit.core.keys.PrivateKeyValues to com.yubico.yubikit.core.keys.PrivateKeyValues$Ec in com.yubico.yubikit.piv.PivSession.putKey(Slot, PrivateKeyValues, PinPolicy, TouchPolicy) Summary: ...

Unchecked/unconfirmed cast from com.yubico.yubikit.core.keys.PrivateKeyValues to com.yubico.yubikit.core.keys.PrivateKeyValues$Rsa in com.yubico.yubikit.piv.PivSession.putKey(Slot, PrivateKeyValues, PinPolicy, TouchPolicy) Summary: ...

Exception thrown in class com.yubico.yubikit.piv.PivSession at new com.yubico.yubikit.piv.PivSession(SmartCardConnection) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks. Summary: ...

Exception thrown in class com.yubico.yubikit.piv.jca.PivCipherSpi at new com.yubico.yubikit.piv.jca.PivCipherSpi(Callback, Map) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks. Summary: ...

Use of RSA cipher without proper padding Summary: ...

Exception thrown in class com.yubico.yubikit.piv.jca.PivEcSignatureSpi$Hashed at new com.yubico.yubikit.piv.jca.PivEcSignatureSpi$Hashed(Callback, String) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks. Summary: ...

com.yubico.yubikit.piv.jca.PivKeyManager.getPrivateKey(String) may expose internal representation by returning PivKeyManager.privateKey Summary: ...

new com.yubico.yubikit.piv.jca.PivKeyManager(PivPrivateKey, X509Certificate[]) may expose internal representation by storing an externally mutable object into PivKeyManager.privateKey Summary: ...

Unchecked/unconfirmed cast from java.security.Key to java.security.PrivateKey in com.yubico.yubikit.piv.jca.PivKeyStoreSpi.engineSetKeyEntry(String, Key, char[], Certificate[]) Summary: ...

Should com.yubico.yubikit.piv.jca.PivPrivateKey.getEncoded() return a zero length array rather than null? Summary: ...

Use of non-localized String.toUpperCase() or String.toLowerCase() in new com.yubico.yubikit.piv.jca.PivProvider(Callback) Summary: ...

Improper handling of Unicode transformations such as case mapping and normalization. Summary: ...

Exception thrown in class com.yubico.yubikit.piv.jca.PivRsaSignatureSpi at new com.yubico.yubikit.piv.jca.PivRsaSignatureSpi(Callback, Map, String) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks. Summary: ...

Use of RSA cipher without proper padding Summary: ...

com.yubico.yubikit.testing.fido.BasicWebAuthnClientTests.testClientCredentialManagement(Ctap2Session, Object[]) makes inefficient use of keySet iterator instead of entrySet iterator Summary: ...

Suspicious comparison of Boolean references in com.yubico.yubikit.testing.fido.EnterpriseAttestationTests.enableEp(Ctap2Session, PinUvAuthProtocol) Summary: ...

This use of org/slf4j/Logger.info(Ljava/lang/String;Ljava/lang/Object;)V might be used to include CRLF characters into log messages Summary: ...

This use of org/slf4j/Logger.info(Ljava/lang/String;Ljava/lang/Object;)V might be used to include CRLF characters into log messages Summary: ...

This use of org/slf4j/Logger.debug(Ljava/lang/String;Ljava/lang/Object;)V might be used to include CRLF characters into log messages Summary: ...

This use of org/slf4j/Logger.debug(Ljava/lang/String;Ljava/lang/Object;)V might be used to include CRLF characters into log messages Summary: ...

This use of org/slf4j/Logger.debug(Ljava/lang/String;Ljava/lang/Object;Ljava/lang/Object;)V might be used to include CRLF characters into log messages Summary: ...

This use of org/slf4j/Logger.debug(Ljava/lang/String;Ljava/lang/Object;)V might be used to include CRLF characters into log messages Summary: ...

This use of org/slf4j/Logger.debug(Ljava/lang/String;Ljava/lang/Object;)V might be used to include CRLF characters into log messages Summary: ...

This use of org/slf4j/Logger.debug(Ljava/lang/String;Ljava/lang/Object;)V might be used to include CRLF characters into log messages Summary: ...

This use of org/slf4j/Logger.debug(Ljava/lang/String;Ljava/lang/Object;)V might be used to include CRLF characters into log messages Summary: ...

This use of org/slf4j/Logger.debug(Ljava/lang/String;Ljava/lang/Object;)V might be used to include CRLF characters into log messages Summary: ...

This use of org/slf4j/Logger.debug(Ljava/lang/String;[Ljava/lang/Object;)V might be used to include CRLF characters into log messages Summary: ...

This use of org/slf4j/Logger.debug(Ljava/lang/String;[Ljava/lang/Object;)V might be used to include CRLF characters into log messages Summary: ...

Unchecked/unconfirmed cast from java.security.PublicKey to java.security.interfaces.ECKey in com.yubico.yubikit.testing.piv.PivTestUtils.ecKeyAgreement(PrivateKey, PublicKey) Summary: ...

Exception thrown in class com.yubico.yubikit.yubiotp.HmacSha1SlotConfiguration at new com.yubico.yubikit.yubiotp.HmacSha1SlotConfiguration(byte[]) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks. Summary: ...

This API SHA1 (SHA-1) is not a recommended cryptographic hash function Summary: ...

Exception thrown in class com.yubico.yubikit.yubiotp.StaticPasswordSlotConfiguration at new com.yubico.yubikit.yubiotp.StaticPasswordSlotConfiguration(byte[]) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks. Summary: ...

Exception thrown in class com.yubico.yubikit.yubiotp.StaticTicketSlotConfiguration at new com.yubico.yubikit.yubiotp.StaticTicketSlotConfiguration(byte[], byte[], byte[]) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks. Summary: ...

Exception thrown in class com.yubico.yubikit.yubiotp.YubiOtpSession at new com.yubico.yubikit.yubiotp.YubiOtpSession(OtpConnection) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks. Summary: ...

Exception thrown in class com.yubico.yubikit.yubiotp.YubiOtpSession at new com.yubico.yubikit.yubiotp.YubiOtpSession(SmartCardConnection) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks. Summary: ...