{"id":37026716,"url":"https://github.com/kosprov/jargon2-backends","last_synced_at":"2026-01-14T03:07:07.113Z","repository":{"id":57725958,"uuid":"115451647","full_name":"kosprov/jargon2-backends","owner":"kosprov","description":"Argon2 implementations for the Jargon2 API","archived":false,"fork":false,"pushed_at":"2019-10-29T08:52:26.000Z","size":569,"stargazers_count":7,"open_issues_count":0,"forks_count":2,"subscribers_count":2,"default_branch":"master","last_synced_at":"2025-07-09T14:29:37.054Z","etag":null,"topics":["argon2","jargon2","java","password-hash","password-hasher"],"latest_commit_sha":null,"homepage":null,"language":"Java","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/kosprov.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2017-12-26T20:08:31.000Z","updated_at":"2019-10-29T08:52:28.000Z","dependencies_parsed_at":"2022-09-02T03:41:47.412Z","dependency_job_id":null,"html_url":"https://github.com/kosprov/jargon2-backends","commit_stats":null,"previous_names":[],"tags_count":4,"template":false,"template_full_name":null,"purl":"pkg:github/kosprov/jargon2-backends","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kosprov%2Fjargon2-backends","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kosprov%2Fjargon2-backends/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kosprov%2Fjargon2-backends/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kosprov%2Fjargon2-backends/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/kosprov","download_url":"https://codeload.github.com/kosprov/jargon2-backends/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kosprov%2Fjargon2-backends/sbom","scorecard":{"id":568097,"data":{"date":"2025-08-11","repo":{"name":"github.com/kosprov/jargon2-backends","commit":"ae2310ec20fa46fdaee3cb284cffac0f8d3427ae"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":2.4,"checks":[{"name":"Token-Permissions","score":-1,"reason":"No tokens found","details":null,"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"Code-Review","score":0,"reason":"Found 0/29 approved changesets -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"SAST","score":0,"reason":"no SAST tool detected","details":["Warn: no pull requests merged into dev branch"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}},{"name":"Dangerous-Workflow","score":-1,"reason":"no workflows found","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Maintained","score":0,"reason":"0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Binary-Artifacts","score":5,"reason":"binaries present in source code","details":["Warn: binary detected: jargon2-native-ri-binaries-generic/src/main/resources/darwin/libargon2.dylib:1","Warn: binary detected: jargon2-native-ri-binaries-generic/src/main/resources/linux-x86-64/libargon2.so:1","Warn: binary detected: jargon2-native-ri-binaries-generic/src/main/resources/linux-x86/libargon2.so:1","Warn: binary detected: jargon2-native-ri-binaries-generic/src/main/resources/win32-x86-64/argon2.dll:1","Warn: binary detected: jargon2-native-ri-binaries-generic/src/main/resources/win32-x86/argon2.dll:1"],"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"Pinned-Dependencies","score":-1,"reason":"no dependencies found","details":null,"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Security-Policy","score":0,"reason":"security policy file not detected","details":["Warn: no security policy file detected","Warn: no security file to analyze","Warn: no security file to analyze","Warn: no security file to analyze"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"Signed-Releases","score":-1,"reason":"no releases found","details":null,"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: Apache License 2.0: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Branch-Protection","score":0,"reason":"branch protection not enabled on development/release branches","details":["Warn: branch protection not enabled for branch 'master'"],"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"Vulnerabilities","score":10,"reason":"0 existing vulnerabilities detected","details":null,"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}}]},"last_synced_at":"2025-08-20T15:32:20.463Z","repository_id":57725958,"created_at":"2025-08-20T15:32:20.463Z","updated_at":"2025-08-20T15:32:20.463Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28408800,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-14T01:52:23.358Z","status":"online","status_checked_at":"2026-01-14T02:00:06.678Z","response_time":107,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["argon2","jargon2","java","password-hash","password-hasher"],"created_at":"2026-01-14T03:07:06.616Z","updated_at":"2026-01-14T03:07:07.100Z","avatar_url":"https://github.com/kosprov.png","language":"Java","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Jargon2 Backends: Argon2 implementations for the Jargon2 API \n\n[![Build Status](https://travis-ci.org/kosprov/jargon2-backends.svg?branch=master)](https://travis-ci.org/kosprov/jargon2-backends)\n[![Coverity Scan Build Status](https://scan.coverity.com/projects/14708/badge.svg)](https://scan.coverity.com/projects/kosprov-jargon2-backends)\n[![Maven metadata URI](https://img.shields.io/maven-metadata/v/http/central.maven.org/maven2/com/kosprov/jargon2/jargon2-native-ri-backend/maven-metadata.xml.svg)](https://search.maven.org/#search%7Cga%7C1%7Cg%3A%22com.kosprov.jargon2%22%20AND%20a%3A%22jargon2-native-ri-backend%22)\n[![Quality Gate](https://sonarcloud.io/api/project_badges/measure?project=com.kosprov.jargon2%3Ajargon2-backends\u0026metric=alert_status)](https://sonarcloud.io/dashboard/index/com.kosprov.jargon2:jargon2-backends)\n[![Security Rating](https://sonarcloud.io/api/project_badges/measure?project=com.kosprov.jargon2%3Ajargon2-backends\u0026metric=security_rating)](https://sonarcloud.io/dashboard/index/com.kosprov.jargon2:jargon2-backends)\n[![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](/LICENSE)\n\nThis repository aims to be a collection of `com.kosprov.jargon2.spi.Jargon2Backend` SPI implementations, ready to be plugged into the Jargon2 API. Artifacts contain all service provider metadata and can be used by simply adding them into the runtime classpath.\n\n## Security considerations\n\nThis section summarizes any security considerations that come with the use of this library. Make sure you evaluate them before choosing to use any of the Jargon2 backends provided here and visit this section regularly for any updates.\n\n| Item |  Description |\n| ---  | --- |\n| Default backend native library can be bypassed | If you're using the default backend (`jargon2-native-ri-backend`), the shared library it binds to can be overridden by defining one of `-Djna.boot.library.path`, `-Djna.library.path` and `-Djna.nosys` system properties. See [Hardening your environment](#hardening-your-environment) for more details. |\n\n\n## The default backend\n\nCurrently, there is only one implementation named `jargon2-native-ri-backend` that wraps the [Argon2 reference implementation](https://github.com/P-H-C/phc-winner-argon2 \"Argon2 reference implementation repository\"). It's unique characteristic is that it binds directly to the low-level API of the C code. This allows for two distinctive features of the high-level Jargon2 API:\n\n- Ability to set memory lanes and threads independently\n- Leverage Argon2 RI API for keyed-hashing and additional authentication data (AAD)\n\n### Usage\n\nSimply add this dependency:\n\n```xml\n\u003cdependency\u003e\n    \u003cgroupId\u003ecom.kosprov.jargon2\u003c/groupId\u003e\n    \u003cartifactId\u003ejargon2-native-ri-backend\u003c/artifactId\u003e\n    \u003cversion\u003e1.1.1\u003c/version\u003e\n    \u003cscope\u003eruntime\u003c/scope\u003e\n\u003c/dependency\u003e\n```\n\n`jargon2-native-ri-backend` contains `META-INF/services/com.kosprov.jargon2.spi.Jargon2Backend` metadata and is automatically discovered by Jargon2's discovery process. No build time dependency is necessary, so it's recommended to keep `scope` to `runtime`. \n\n### Pre-packaged binaries\n\nTo make adopting Jargon2 as easy as possible, `jargon2-native-ri-backend` has a transitive dependency to `jargon2-native-ri-binaries-generic`, an artifact that contains binaries of the reference implementation. They are available for Windows, Linux and macOS (x86-64 only), so it should work as-is on most systems.\n\nRelease `1.1.1` of `jargon2-native-ri-binaries-generic` contains binaries built from Argon2 release [20171227](https://github.com/P-H-C/phc-winner-argon2/releases/tag/20171227 \"Argon2 RI release 20171227\").\n\n### Using different binaries\n\nThere are at least three reasons why one would need to use different binaries than those included in `jargon2-native-ri-binaries-generic`:\n\n- Custom-built for a particular x86 micro-architecture\n    \n    The reference implementation contains a number of optimizations on the low-level algorithms of Argon2 and Blake2b that utilize SIMD instructions on modern processors. Expect a significant performance boost just by recompiling the C code for your particular CPU type. The gains are bigger if you're hashing with large memory and time costs.\n\n- Different architecture\n\n    Binaries are available only for the x86 architecture, so different processor architectures would need their own binaries.\n    \n- Security patches\n\n    If Argon2 RI releases security patches, you would always have the option to recompile and switch to the patched binaries.\n\nTo change the binaries you have two options:\n\n- Build Argon2 RI and install it as a system library\n\n    `jargon2-native-ri-backend` uses [JNA](https://github.com/java-native-access/jna) to dynamically invoke native code. JNA searches for system libraries first, so installing on `/usr/lib/libargon2.so` will take precedence over the classpath binaries. You can change the search location by setting the `-Djna.library.path` property.\n\n- Tweak Maven dependencies\n\n    If installing native libraries on the host OS is not very convenient, you can package your binaries in a jar and add that to your application. Don't forget to exclude the transitive dependency to `jargon2-native-ri-binaries-generic`.\n    \n    ```xml\n    \u003cdependency\u003e\n        \u003cgroupId\u003ecom.kosprov.jargon2\u003c/groupId\u003e\n        \u003cartifactId\u003ejargon2-native-ri-backend\u003c/artifactId\u003e\n        \u003cversion\u003e1.1.1\u003c/version\u003e\n        \u003cscope\u003eruntime\u003c/scope\u003e\n        \u003cexclusions\u003e\n            \u003c!-- exclude transitive dependency to generic binaries --\u003e\n            \u003cexclusion\u003e\n                \u003cgroupId\u003ecom.kosprov.jargon2\u003c/groupId\u003e\n                \u003cartifactId\u003ejargon2-native-ri-binaries-generic\u003c/artifactId\u003e\n            \u003c/exclusion\u003e\n        \u003c/exclusions\u003e\n    \u003c/dependency\u003e\n    \u003c!-- add dependency to optimized binaries --\u003e\n    \u003cdependency\u003e\n        \u003cgroupId\u003ecom.mycompany.jargon2\u003c/groupId\u003e\n        \u003cartifactId\u003emy-argon2-optimized-binaries\u003c/artifactId\u003e\n        \u003cversion\u003e1.0.0\u003c/version\u003e\n        \u003cscope\u003eruntime\u003c/scope\u003e\n    \u003c/dependency\u003e\n    ```\n    Have a look at `jargon2-native-ri-binaries-generic` to see the folder structure required by JNA.\n    \nIf you're having doubts on which Argon2 binaries are loaded, start the JVM with `-Djna.debug_load=true`.\n\n### Hardening your environment\n\nJNA searches for libraries in locations that can be can be controlled with `-Djna.boot.library.path`, `-Djna.library.path` and `-Djna.nosys` system properties. Keep your security engineers alerted and have them scan or change-detect for improper use of these properties. Make sure they protect them as they would protect JAAS login module or security manager system properties and configuration files. Changing those system properties so that a malicius native library gets loaded, will leak all your user's passwords.\n\nIf you are using SELinux, loading the native library from the classpath (as `jargon2-native-ri-binaries-generic` does) may not work. You would have to install the library in an accessible location. You can also define `-Djna.nounpack=true` to make sure the library is never unpacked from the classpath.","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkosprov%2Fjargon2-backends","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fkosprov%2Fjargon2-backends","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkosprov%2Fjargon2-backends/lists"}