Maheshwar Ligade

Reputation: 6855

Sonar java vulnerability method return true

Below is my code snippet for an SSL hostname verifier. But as I am returning an unconditional true from this method, this is counted as a vulnerability by Sonar. How will I resolve this one?

import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocketFactory;
// SslClient is OkHttp's test-support helper (okhttp-testing-support artifact)

SslClient sslClient = SslClient.localhost();
SSLSocketFactory socketFactory = sslClient.socketFactory;
HostnameVerifier hostnameVerifier = new HostnameVerifier() {
  @Override
  public boolean verify(String s, SSLSession session) {
    // Accepts every host: this is the line Sonar reports
    return true;
  }
};

I want to know the best way.

Upvotes: 2

Views: 1459

Answers (1)

Andy Turner

Reputation: 140299

Why do you need to return true unconditionally? If that's the vulnerability detected by Sonar, you should either not do it, or document why it is actually safe in this case.

In terms of implementing "some" fix, look at the test cases for the class. It seems that the implementation it wants you to use is:

@Override
public boolean verify(String a, SSLSession b) {
  // Accept only when the requested host matches the host the session was negotiated with
  return a.equalsIgnoreCase(b.getPeerHost());
}

Upvotes: 3
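As an added example (not code from the question or from OkHttp), the accept-all verifier from the question beside the peer-host check from the answer, run against a constructed SSLSession built as a dynamic proxy that only answers getPeerHost:

```java
import java.lang.reflect.Proxy;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLSession;

/** Added demo class (hypothetical name); contrasts the flagged verifier with the suggested fix. */
public final class HostnameVerifierDemo {

    /** The pattern Sonar reports: every host is accepted regardless of the session. */
    static final HostnameVerifier ACCEPT_ALL = (hostname, session) -> true;

    /** The fix from the answer: the requested host must match the session's peer host. */
    static final HostnameVerifier PEER_HOST_MATCH =
            (hostname, session) -> hostname.equalsIgnoreCase(session.getPeerHost());

    /** Constructed SSLSession for an offline run: answers getPeerHost only, rejects everything else. */
    static SSLSession sessionFor(String peerHost) {
        return (SSLSession) Proxy.newProxyInstance(
                SSLSession.class.getClassLoader(),
                new Class<?>[] {SSLSession.class},
                (proxy, method, args) -> {
                    if ("getPeerHost".equals(method.getName())) {
                        return peerHost;
                    }
                    throw new UnsupportedOperationException(method.getName());
                });
    }

    /** Runs both verifiers for one requested host; returns {acceptAll, peerHostMatch}. */
    static boolean[] check(String requestedHost, String negotiatedPeerHost) {
        SSLSession session = sessionFor(negotiatedPeerHost);
        return new boolean[] {
            ACCEPT_ALL.verify(requestedHost, session),
            PEER_HOST_MATCH.verify(requestedHost, session)
        };
    }

    public static void main(String[] args) {
        // Matching host: both verifiers accept.
        boolean[] same = check("api.example.com", "api.example.com");
        System.out.println("same host   acceptAll=" + same[0] + " peerHostMatch=" + same[1]);
        // Mismatched host: only the peer-host check rejects the session.
        boolean[] other = check("api.example.com", "other.example.net");
        System.out.println("other host  acceptAll=" + other[0] + " peerHostMatch=" + other[1]);
    }
}
```

Note that SSLSession.getPeerHost() is the name the connection was opened to and the JDK documents it as not authenticated, so this check guards against a verifier that silently accepts any host, while the certificate itself is still validated by the trust manager.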
