Split WeakHostNameVerification into X509TrustManager and HostnameVerifier

What does this MR do?

WeakHostNameVerification rule split into two separate rules.

rule-HostnameVerifier:

  • Changed

    - pattern-inside: |
         public boolean verify(...) {
            ...
         }
    - pattern: "return true;"

    to

    - pattern: |
         public boolean verify(...) {
            return true;
         }

    for strict pattern matching. Eliminates false positives caused by chained return statements.

  • Created Test File for HostnameVerifier with positive and negative scenarios.

  • Added remediation text.

rule-X509TrustManager

  • Changed

    public X509Certificate[] getAcceptedIssuers() {
         ...
         return null;
    }

    to

    public X509Certificate[] getAcceptedIssuers() {
         return null;
    }

    to strictly match getAcceptedIssuers methods that return null in all scenarios. Eliminates false positives caused by chained return statements.

  • Created Test File for X509TrustManager with positive and negative scenarios.

  • References to HostnameVerifier

rule-WeakHostNameVerification

  • Removed Rule and Tests
  • Updated Mapping
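A constructed test file of the kind the MR describes, added here as an example and not the MR's own test file: it assumes the rule ids are rule-HostnameVerifier and rule-X509TrustManager as named above, and the host name api.example.com is a placeholder. The "ok" cases are exactly the chained-return shapes that the old pattern-inside matching flagged and the strict method-body patterns no longer do.

```java
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLSession;
import javax.net.ssl.X509TrustManager;
// "ruleid:" marks a method the rule must flag, "ok:" one it must not
// (the semgrep --test annotation convention). Constructed example file.
public class TlsVerificationTest {
    // Unconditional true disables host name verification entirely.
    static final HostnameVerifier TRUST_ALL_HOSTS = new HostnameVerifier() {
        // ruleid: rule-HostnameVerifier
        public boolean verify(String hostname, SSLSession session) {
            return true;
        }
    };

    // Chained returns: the old pattern-inside + "return true;" pair flagged
    // this; the exact method-body pattern does not.
    static final HostnameVerifier PINNED_HOST = new HostnameVerifier() {
        // ok: rule-HostnameVerifier
        public boolean verify(String hostname, SSLSession session) {
            if ("api.example.com".equals(hostname)) return true; // placeholder host
            return false;
        }
    };

    // Trust-all manager: no chain checks and null accepted issuers.
    static final class TrustAllManager implements X509TrustManager {
        public void checkClientTrusted(X509Certificate[] c, String a) { }
        public void checkServerTrusted(X509Certificate[] c, String a) { }
        // ruleid: rule-X509TrustManager
        public X509Certificate[] getAcceptedIssuers() {
            return null;
        }
    }

    // Delegating manager: null only on one branch, so no strict match.
    static final class DelegatingManager implements X509TrustManager {
        private final X509TrustManager delegate;
        DelegatingManager(X509TrustManager d) { this.delegate = d; }
        public void checkClientTrusted(X509Certificate[] c, String a) throws CertificateException { delegate.checkClientTrusted(c, a); }
        public void checkServerTrusted(X509Certificate[] c, String a) throws CertificateException { delegate.checkServerTrusted(c, a); }
        // ok: rule-X509TrustManager
        public X509Certificate[] getAcceptedIssuers() {
            X509Certificate[] issuers = delegate.getAcceptedIssuers();
            if (issuers == null) return null;
            return issuers.clone();
        }
    }
}
```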

What are the relevant issue numbers?

Enhance sast-rule java/endpoint/rule-WeakHostNameVerification.yml (#433051) · Issues · GitLab.org / GitLab · GitLab

Edited by Dinura Seneviratne
