SonarKotlin / SONARKT-1

Rule S4423 Weak SSL/TLS protocols should not be used

    Details

    • Type: New Feature
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 2.0
    • Component/s: None
    • Labels:

      Description

      New rule to implement

      As with the same rule in Java, the Kotlin analyzer should raise an issue when:

      • an incorrect TLS version is used as an argument of the OkHttp tlsVersions method call:
        val spec: ConnectionSpec = ConnectionSpec.Builder(ConnectionSpec.MODERN_TLS)
            .tlsVersions(TlsVersion.TLS_1_2)
            .build()
        

        incorrect versions to support:

        TlsVersion.TLS_1_1
        TlsVersion.TLS_1_0
        
      • an incorrect TLS version is used as an argument of the SSLContext.getInstance method call:
        val sc: SSLContext = SSLContext.getInstance("TLSv1.1") // Noncompliant (s4423)
        

        incorrect versions to support:

        SSL
        SSLv2
        SSLv3
        TLSv1
        TLSv1.1
        DTLSv1.0
        

      Covers some parts of this MSTG section: "Verifying Data Encryption on the Network (MSTG-NETWORK-1 and MSTG-NETWORK-2)"
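
A text-based approximation of the check this ticket specifies, added here as an example and not SonarKotlin's own implementation. The function name find_weak_tls and the Kotlin sample are constructed for illustration; only direct TlsVersion arguments and string-literal protocol names are resolved, and Kotlin comments are not skipped.

```python
import re

# Weak protocol names taken from the two lists in the issue description.
WEAK_OKHTTP = {"TLS_1_0", "TLS_1_1"}
WEAK_SSLCONTEXT = {"SSL", "SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "DTLSv1.0"}

# tlsVersions(...) can take several TlsVersion arguments and span lines.
TLS_VERSIONS_CALL = re.compile(r"\.tlsVersions\s*\(([^)]*)\)")
TLS_VERSION_ARG = re.compile(r"\bTlsVersion\.(\w+)")
# Only a string literal passed directly to getInstance is resolved here.
GET_INSTANCE_CALL = re.compile(r"\bSSLContext\.getInstance\s*\(\s*\"([^\"]*)\"")


def find_weak_tls(source: str) -> list:
    """Return sorted (line, message) pairs for weak protocol arguments."""
    findings = []

    def line_of(offset: int) -> int:
        return source.count("\n", 0, offset) + 1

    for call in TLS_VERSIONS_CALL.finditer(source):
        for arg in TLS_VERSION_ARG.finditer(call.group(1)):
            if arg.group(1) in WEAK_OKHTTP:
                findings.append((line_of(call.start(1) + arg.start()),
                                 f"weak TlsVersion.{arg.group(1)}"))
    for call in GET_INSTANCE_CALL.finditer(source):
        if call.group(1) in WEAK_SSLCONTEXT:
            findings.append((line_of(call.start(1)), f'weak protocol "{call.group(1)}"'))
    return sorted(findings)


# Constructed Kotlin sample (not taken from the SonarKotlin test suite).
SAMPLE = '''\
val ok = ConnectionSpec.Builder(ConnectionSpec.MODERN_TLS)
    .tlsVersions(TlsVersion.TLS_1_2)
    .build()
val legacy = ConnectionSpec.Builder(ConnectionSpec.COMPATIBLE_TLS)
    .tlsVersions(TlsVersion.TLS_1_2,
                 TlsVersion.TLS_1_0)
    .build()
val a: SSLContext = SSLContext.getInstance("TLSv1.1")
val b: SSLContext = SSLContext.getInstance("TLSv1.2")
val c: SSLContext = SSLContext.getInstance("SSL")
'''

if __name__ == "__main__":
    for line, msg in find_weak_tls(SAMPLE):
        print(f"line {line}: {msg} (S4423)")
```

A weak version mixed into a multi-argument tlsVersions call is reported on the line of the offending argument, not the line where the call starts.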

              People

              Assignee:
              margarita.nedzelska Margarita Nedzelska
              Reporter:
              eric.therond Eric Therond (Inactive)