RSPEC-4423

Weak SSL protocols should not be used

    Details

    • Message:
      Change this code to use a stronger protocol.
    • Highlighting:
      SSLContext.getInstance invocation
    • Default Severity:
      Major
    • Impact:
      Low
    • Likelihood:
      High
    • Default Quality Profiles:
      Sonar way
    • Covered Languages:
      Java, PHP
    • Irrelevant for Languages:
      ABAP, C#, C, C++, Cobol, CSS, Flex, HTML, JavaScript, Objective-C, PL/I, PL/SQL, Python, RPG, Swift, T-SQL, TypeScript, VB.Net, VB6, XML
    • Remediation Function:
      Constant/Issue
    • Constant Cost:
      2min
    • Analysis Scope:
      Main Sources
    • Common Rule:
      Yes
    • CWE:
      CWE-327, CWE-326
    • OWASP:
      A3, A6
    • SANS Top 25:
      Porous Defenses
    • FindSecBugs:
      SSL_CONTEXT

    Description

    Not all SSL/TLS protocol versions are equally secure: legacy ones such as "SSL" (SSLv2 and SSLv3) have known, practical attacks against them.
    This rule raises an issue when an SSL context is created with an insecure protocol, i.e. any protocol other than "TLSv1.2" or "DTLSv1.2".
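    The following Java program is an added example and is not part of the rule specification. It shows a noncompliant SSLContext.getInstance("SSL") call beside the compliant "TLSv1.2" form, and prints which protocol versions each context enables by default on the running JDK. The class name SslContextProtocolDemo and the helper names are assumptions; the protocol list that is printed depends on the JDK's jdk.tls.disabledAlgorithms security property, which is why the hardened engine also pins its enabled protocols explicitly.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;

// Added example (not the rule's own code): noncompliant vs compliant SSLContext creation.
public class SslContextProtocolDemo {

    // Noncompliant: "SSL" names the legacy protocol family. The context falls back to
    // whatever the JDK's security properties still allow, which is not under the code's control.
    static SSLContext noncompliantContext() throws Exception {
        SSLContext ctx = SSLContext.getInstance("SSL"); // Noncompliant
        ctx.init(null, null, null); // default key/trust managers and SecureRandom
        return ctx;
    }

    // Compliant: the context is created for TLSv1.2 explicitly.
    static SSLContext compliantContext() throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLSv1.2"); // Compliant
        ctx.init(null, null, null);
        return ctx;
    }

    // Defence in depth: pin the enabled protocols on every engine (or SSLSocket) derived from
    // the context, so a permissive JDK default cannot re-enable an older version.
    static SSLEngine hardenedEngine(SSLContext ctx) {
        SSLEngine engine = ctx.createSSLEngine();
        engine.setEnabledProtocols(new String[] {"TLSv1.2"});
        engine.setUseClientMode(true);
        return engine;
    }

    public static void main(String[] args) throws Exception {
        // Compare what each protocol string enables by default on this JDK.
        for (String name : new String[] {"SSL", "TLS", "TLSv1", "TLSv1.2"}) {
            try {
                SSLContext ctx = SSLContext.getInstance(name);
                ctx.init(null, null, null);
                System.out.printf("%-8s -> enabled by default: %s%n", name,
                        Arrays.toString(ctx.getDefaultSSLParameters().getProtocols()));
            } catch (NoSuchAlgorithmException e) {
                System.out.printf("%-8s -> not available in this JDK%n", name);
            }
        }

        SSLEngine engine = hardenedEngine(compliantContext());
        System.out.println("hardened engine -> enabled: "
                + Arrays.toString(engine.getEnabledProtocols()));
    }
}
```

    Run it with `javac SslContextProtocolDemo.java && java SslContextProtocolDemo`. The noncompliantContext() call is the pattern this rule highlights at the SSLContext.getInstance invocation; the output for "SSL" and "TLS" will differ between JDK releases as older versions are added to jdk.tls.disabledAlgorithms, which is exactly why relying on the default rather than naming "TLSv1.2" is flagged.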

    Issue Links

    1. PHP RSPEC-4715 Language-Specification Active Unassigned
    2. Java RSPEC-4716 Language-Specification Active Unassigned

    People

    • Assignee:
      Unassigned
    • Reporter:
      jeanchristophe.collet Jean-Christophe Collet (Inactive)
    • Votes:
      0
    • Watchers:
      3
