  1. SonarKotlin
  2. SONARKT-4

Rule S5527 Server hostnames should be verified during SSL/TLS connections

    Details

    • Type: New Feature
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 2.0
    • Component/s: None
    • Labels:

      Description

      New rule to implement

      As with the same rule in Java, this should raise an issue when the verify implementation of the HostnameVerifier interface always returns true:

      builder.hostnameVerifier(object : HostnameVerifier {
          override fun verify(hostname: String?, session: SSLSession?): Boolean {
              return true // Noncompliant (s5527)
          }
      })

      builder.hostnameVerifier(object : HostnameVerifier {
          override fun verify(hostname: String?, session: SSLSession?): Boolean { // Compliant
              if (something()) {
                  return false
              } else {
                  return true
              }
          }
      })
      

      Code examples: https://github.com/SonarSource/security-expected-issues/pull/418
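
For contrast with the noncompliant snippet above, here is an added example (not from this issue or from SonarSource) of a custom verifier that only narrows the decision and never widens it. The class name `AllowlistHostnameVerifier`, the `rejectAll` stand-in and the host `api.example.test` are assumptions made for illustration; in real use the delegate would be the TLS client's standard verifier.

```kotlin
import javax.net.ssl.HostnameVerifier
import javax.net.ssl.SSLSession

// Hypothetical wrapper (name and allowlist are assumptions, not from the issue).
// It can only make the decision stricter: every path that returns true has
// first passed the delegate's certificate-to-hostname check.
class AllowlistHostnameVerifier(
    private val delegate: HostnameVerifier, // the TLS client's standard verifier
    allowedHosts: Set<String>
) : HostnameVerifier {

    // Hostnames are case-insensitive, so compare in lowercase.
    private val allowed: Set<String> = allowedHosts.map { it.lowercase() }.toSet()

    override fun verify(hostname: String?, session: SSLSession?): Boolean {
        // Fail closed on missing input instead of defaulting to true.
        if (hostname == null || session == null) return false
        // Extra restriction: only hosts this client is meant to talk to.
        if (hostname.lowercase() !in allowed) return false
        // The certificate check itself stays with the delegate.
        return delegate.verify(hostname, session)
    }
}

fun main() {
    // Constructed stand-in delegate that rejects everything, so this runs offline.
    val rejectAll = HostnameVerifier { _, _ -> false }
    val verifier = AllowlistHostnameVerifier(rejectAll, setOf("api.example.test"))

    // Missing session and missing hostname are both handled before the delegate.
    println(verifier.verify("api.example.test", null))
    println(verifier.verify(null, null))
}
```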

              People

              Assignee:
              margarita.nedzelska Margarita Nedzelska
              Reporter:
              eric.therond Eric Therond (Inactive)