[SONARKT-1] Rule S4423 Weak SSL/TLS protocols should not be used - SonarSource

XML

Word

Printable

Details

Type: New Feature
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 2.0
Component/s: None
Labels:
- Rules

Description

New rule to implement

Like for the same rule in Java, kotlin analyzer should raise when:

an incorrect tls version is used as argument of tlsVersions okhttp method call:

val spec: ConnectionSpec = ConnectionSpec.Builder(ConnectionSpec.MODERN_TLS)
                .tlsVersions(TlsVersion.TLS_1_2)
                .build()

incorrect versions to support:

TlsVersion.TLS_1_1
TlsVersion.TLS_1_0

an incorrect tls version is used as argument of sslcontext.getinstance method call:

val sc: SSLContext = SSLContext.getInstance("TLSv1.1") // Noncompliant (s4423)

incorrect versions to support:

SSL
SSLv2
SSLv3
TLSv1
TLSv1.1
DTLSv1.0

Covers some parts of this MSTG section: "Verifying Data Encryption on the Network (MSTG-NETWORK-1 and MSTG-NETWORK-2)"

Attachments

Issue Links

implements

RSPEC-4423 Weak SSL/TLS protocols should not be used

Active

relates to

SONARJAVA-3801 Rule S4423 should support okhttp library

Closed

Activity

People

Assignee:: Margarita Nedzelska

Reporter:: Eric Therond (Inactive)

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Due:: 12/May/21

Created:: 14/Apr/21 12:13 PM

Updated:: 28/May/21 2:54 PM

Resolved:: 05/May/21 4:36 PM