**CogniCrypt and Ruleset used:** v2.7.1 **Simplified jar-file:** [MessageDigestClone.zip](https://github.com/CROSSINGTUD/CryptoAnalysis/files/4415222/MessageDigestClone.zip) **Analyzed code (excerp):** ```java MessageDigest md = MessageDigest.getInstance("SHA-512"); MessageDigest c1; c1 = (MessageDigest) md.clone(); c1.update("ABC".getBytes()); // doesn't change the reported misuse byte[] part1 = c1.digest(); // doesn't change the reported misuse ``` **Observed behaviour:** CogniCrypt reports an *IncompleteOperationError*: ``` in Method: void main(java.lang.String[]) IncompleteOperationError violating CrySL rule for java.security.MessageDigest (on Object #21334a6508c8e9b9d3a43e9e47be125f2820991e8ca23877503bb4947a169144) Operation on object of type java.security.MessageDigest object not completed. Expected call to digest at statement: $r5 = virtualinvoke r1.<java.security.MessageDigest: java.lang.Object clone()>() ``` **Expected behavior:** As `clone()` creates a shallow copy of `md`, `c1` is an alias of `md`. Thus, the operation isn't incomplete and no report is expected. (Already discussed with @kruegers ) However, as `clone()` can also create a deep copy - if implemented - and the byte code handles `md` and `c1` as two separate objects, I am fine with another solution as well.