== How to fix it in Java SE

=== Code examples

include::../../common/fix/code-rationale.adoc[]

==== Noncompliant code example

[source,kotlin,diff-id=1,diff-type=noncompliant]
----
import javax.crypto.spec.PBEParameterSpec

fun hash() {
    val salt = "salty".toByteArray()
    val cipherSpec = PBEParameterSpec(salt, 10000) // Noncompliant
}
----

==== Compliant solution

[source,kotlin,diff-id=1,diff-type=compliant]
----
import java.security.SecureRandom
import javax.crypto.spec.PBEParameterSpec

fun hash() {
    val random = SecureRandom()
    val salt = ByteArray(16)
    random.nextBytes(salt)
    val cipherSpec = PBEParameterSpec(salt, 10000)
}
----

=== How does this work?

include::../../common/fix/salt.adoc[]

Here, the compliant code example ensures the salt is random and has a sufficient
length by calling the `nextBytes` method from the `SecureRandom` class with a
salt buffer of 16 bytes. This class implements a cryptographically secure
pseudo-random number generator.