When encrypting data with the Cipher Block Chaining (CBC) mode an Initialization Vector (IV) is used to randomize the encryption, ie under a given key the same plaintext doesn’t always produce the same ciphertext. The IV doesn’t need to be secret but should be unpredictable to avoid "Chosen-Plaintext Attack".

To generate Initialization Vectors, NIST recommends to use a secure random number generator.

Noncompliant Code Example

public void encrypt(String key, String plainText) throws GeneralSecurityException {
    byte[] bytesIV = "7cVgr5cbdCZVw5WY".getBytes(StandardCharsets.UTF_8); // secondary

    GCMParameterSpec iv = new GCMParameterSpec(128,bytesIV);  // secondary
    SecretKeySpec skeySpec = new SecretKeySpec(key.getBytes(StandardCharsets.UTF_8), "AES");

    Cipher cipher = Cipher.getInstance("AES/CBC/NoPadding");
    cipher.init(Cipher.ENCRYPT_MODE, skeySpec, iv); // Noncompliant
  }

Compliant Solution

public void encrypt(String key, String plainText) throws GeneralSecurityException {
    SecureRandom random = new SecureRandom();
    byte[] bytesIV = new byte[16];
    random.nextBytes(bytesIV); // Random initialization vector

    GCMParameterSpec iv = new GCMParameterSpec(128, bytesIV);
    SecretKeySpec skeySpec = new SecretKeySpec(key.getBytes(StandardCharsets.UTF_8), "AES");

    Cipher cipher = Cipher.getInstance("AES/CBC/NoPadding");
    cipher.init(Cipher.ENCRYPT_MODE, skeySpec, iv);
  }

See

• OWASP Top 10 2021 Category A2 - Cryptographic Failures
• OWASP Top 10 2017 Category A3 - Sensitive Data Exposure
• Mobile AppSec Verification Standard - Cryptography Requirements
• OWASP Mobile Top 10 2016 Category M5 - Insufficient Cryptography
• MITRE, CWE-329 - Not Using an Unpredictable IV with CBC Mode
• NIST, SP-800-38A - Recommendation for Block Cipher Modes of Operation
• Derived from FindSecBugs rule STATIC_IV