The method is deprecated as a result of issue: CVE-2020-5408. The solution was to deprecate this method. This does not satisfy code analyzers such as Fortify as it could potentially still be used.
I would suggest this method be removed, as it should not be used anyway.
Method in question: org.springframework.security.crypto.encrypt#queryableText(CharSequence password, CharSequence salt)
Comment From: jzheaux
Thanks for the report, @paruss. Let's take a look at doing this in the 6.x line.
Since the suggested upgrade is not a simple change, removing the method altogether in a minor release may keep organizations on older versions with other problems.
Comment From: paruss
Thanks for the comment and excellent point around minor releases.