Details

    • Type: Language-Specification
    • Status: Active
    • Resolution: Unresolved
    • Labels:
      None
    • Impact:
      Unknown 'null' severity
    • Likelihood:
      Unknown 'null' severity

      Description

      Sensitive Code Example

      These clients from the Apache Commons Net library are based on unencrypted protocols and are not recommended:

      val telnet = TelnetClient(); // Sensitive
      
      val ftpClient = FTPClient(); // Sensitive
      
      val smtpClient = SMTPClient(); // Sensitive
      

      Unencrypted HTTP connections should be avoided, for instance when using the OkHttp library:

      val spec: ConnectionSpec = ConnectionSpec.Builder(ConnectionSpec.CLEARTEXT) // Sensitive
        .build()
      

      Compliant Solution

      Instead, use these clients from Apache Commons Net and the JSch SSH library:

      val jsch = JSch(); // Compliant
      
      if(implicit) {
        // implicit mode is considered deprecated but offers the same security as explicit mode
        val ftpsClient = FTPSClient(true); // Compliant
      }
      else {
        val ftpsClient = FTPSClient(); // Compliant
      }
      
      if(implicit) {
        // implicit mode is considered deprecated but offers the same security as explicit mode
        val smtpsClient = SMTPSClient(true); // Compliant
      }
      else {
        val smtpsClient = SMTPSClient(); // Compliant
        smtpsClient.connect("127.0.0.1", 25);
        if (smtpsClient.execTLS()) {
          // commands
        }
      }
      

      Use encrypted HTTP connections, for instance with the OkHttp library:

      val spec: ConnectionSpec = ConnectionSpec.Builder(ConnectionSpec.MODERN_TLS) // Compliant
        .build()
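
A connection spec only takes effect once it is attached to a client. The following is an added example, not part of the original rule description, assuming OkHttp 4.x on the classpath; `buildTlsOnlyClient`, `allowsCleartext`, `cleartextRefused` and the URL are hypothetical names and values chosen for illustration.

```kotlin
import java.net.UnknownServiceException
import okhttp3.ConnectionSpec
import okhttp3.OkHttpClient
import okhttp3.Request

// Hypothetical helper: a client whose only permitted connection spec is MODERN_TLS.
fun buildTlsOnlyClient(): OkHttpClient =
    OkHttpClient.Builder()
        .connectionSpecs(listOf(ConnectionSpec.MODERN_TLS))
        .build()

// Hypothetical audit check: does this client's configuration permit plain HTTP?
// A default OkHttpClient() lists CLEARTEXT next to MODERN_TLS, so it returns true.
fun allowsCleartext(client: OkHttpClient): Boolean =
    ConnectionSpec.CLEARTEXT in client.connectionSpecs

// Hypothetical behavioural check: returns true when an http:// request is refused.
// OkHttp rejects the route before opening a socket, so no server is required.
fun cleartextRefused(client: OkHttpClient, url: String): Boolean {
    val request = Request.Builder().url(url).build()
    return try {
        client.newCall(request).execute().use { false }
    } catch (e: UnknownServiceException) {
        // Thrown because CLEARTEXT is not among the client's connection specs.
        true
    }
}

fun main() {
    val hardened = buildTlsOnlyClient()
    val default = OkHttpClient()

    println("default client allows cleartext:  ${allowsCleartext(default)}")
    println("hardened client allows cleartext: ${allowsCleartext(hardened)}")

    // Constructed URL for illustration only.
    val refused = cleartextRefused(hardened, "http://127.0.0.1:8080/health")
    check(refused) { "hardened client still accepted a plain-HTTP URL" }
    println("plain-HTTP request refused by hardened client: $refused")
}
```

The `allowsCleartext` check can be run against any shared client instance in a unit test to catch a regression to a cleartext-capable configuration.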
      

            People

            Assignee:
            Unassigned
            Reporter:
            Eric Therond (eric.therond)