== Why is this an issue?

Using ``++Integer.toHexString++`` is a common mistake when converting sequences of bytes into hexadecimal string representations. The problem is that the method trims leading zeroes, which can lead to wrong conversions. For instance a two bytes value of ``++0x4508++`` would be converted into ``++45++`` and ``++8++`` which once concatenated would give ``++0x458++``.

This is particularly damaging when converting hash-codes and could lead to a security vulnerability.


This rule raises an issue when ``++Integer.toHexString++`` is used in any kind of string concatenations.


=== Noncompliant code example

[source,java]
----
MessageDigest md = MessageDigest.getInstance("SHA-256");
byte[] bytes = md.digest(password.getBytes("UTF-8"));

StringBuilder sb = new StringBuilder();
for (byte b : bytes) {
    sb.append(Integer.toHexString( b & 0xFF )); // Noncompliant
}
----


=== Compliant solution

[source,java]
----
MessageDigest md = MessageDigest.getInstance("SHA-256");
byte[] bytes = md.digest(password.getBytes("UTF-8"));

StringBuilder sb = new StringBuilder();
for (byte b : bytes) {
    sb.append(String.format("%02X", b));
}
----


== Resources

* https://cwe.mitre.org/data/definitions/704[MITRE, CWE-704] - Incorrect Type Conversion or Cast
* Derived from FindSecBugs rule https://find-sec-bugs.github.io/bugs.htm#BAD_HEXA_CONVERSION[BAD_HEXA_CONVERSION] 

ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

=== Message

Use String.format( "%02X", ...) instead


endif::env-github,rspecator-view[]