I was just doing a scan for the first time, and it detected 2 issues in my code of the same type. The analysis came back with “opt.semgrep.java.lang.security.audit.weak-ssl-context.weak-ssl-context,” which states “TLS versions 1.0, 1.1, and all SSL versions are considered weak encryption and are deprecated. Use SSLContext.getInstance("TLSv1.2") for the best security.” However, the 2 instances of this issue it is referring to are using SSLContext.getInstance("TLSv1.3"), which is supported since later versions of Java 8 and Java 11, and I am using Java 16. Can this be fixed in the scanner or ignored in the results? If not, then I may need to go with another solution. The full report can be viewed here: Sonatype Lift -- Console
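For context on what the weak-ssl-context rule is meant to catch versus what this thread's code does, here is an added example (not code from the poster's repository or from Lift) that places a legacy-protocol context beside a TLSv1.3 one and checks at runtime that the JDK actually supports TLSv1.3; the class and method names are illustrative.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;

public class TlsContextCheck {

    // The pattern the rule exists to flag: a deprecated protocol name.
    static SSLContext weakContext() throws NoSuchAlgorithmException {
        return SSLContext.getInstance("TLSv1"); // correctly reported as weak
    }

    // What the thread's code does: TLSv1.3, which the rule should accept.
    static SSLContext modernContext() throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLSv1.3");
        ctx.init(null, null, null); // default key managers, trust managers, RNG
        return ctx;
    }

    // Runtime check: getInstance("TLSv1.3") only works on JDKs that ship it,
    // so confirm the provider really lists the protocol before relying on it.
    static boolean supportsTls13(SSLContext ctx) {
        String[] protocols = ctx.getSupportedSSLParameters().getProtocols();
        return Arrays.asList(protocols).contains("TLSv1.3");
    }

    // Pin the enabled protocols so a context that supports old versions
    // cannot negotiate down to them on an individual connection.
    static SSLParameters hardenedParameters(SSLContext ctx) {
        SSLParameters p = ctx.getDefaultSSLParameters();
        p.setProtocols(new String[] {"TLSv1.3", "TLSv1.2"});
        return p;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = modernContext();
        System.out.println("TLSv1.3 supported: " + supportsTls13(ctx));
        System.out.println("Enabled protocols: "
                + Arrays.toString(hardenedParameters(ctx).getProtocols()));
    }
}
```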
Thanks for the feedback @stevenjdh. I’ll investigate with the team to see if there is a better way to handle these for later versions of Java.
In the meantime, does the ignoreRules configuration help you by ignoring this particular finding? Configuration Reference
ignoreRules = ["opt.semgrep.java.lang.security.audit.weak-ssl-context.weak-ssl-context"]
Let me know if this helps.
@stevenjdh after investigating this we found that Lift is incorrectly looking for “TLS1.3” instead of looking for “TLSv1.3”. We’re working to get a fix into the next update.
That is great news, and thanks for the fast response. I’ll wait for the fix.
@stevenjdh The fix is merged and if all goes well with the deployment you should see this live in production early next week. Thanks for bringing this to our attention!
The deployment has been completed. If you encounter any other issues, or do not consider this one resolved, then please reach out.
I just ran an analysis now, and I still get the same 2 detected issues. Should I wait longer maybe?
Hurm, grumble grumble. Thank you, I will test with your exact repository and figure out what the delta is here and get back with a fix.
Thanks, let me know if you need anything. Also, as a side note, you may now see a lot more than 2 detections, but still the same 2 of interest. This is because I added a docs folder with javadocs, and for some reason the .lift.toml config file using the ignore section doesn’t seem to ignore what I put there… most likely something I am doing wrong. I’ll tackle this in another thread.
OK, I took a moment and hunted the difference down. It turns out I was mistaken about the deployment. This will get caught by the next deployment which should be early or mid next week.
@tdubuisson thanks, and I can now confirm that the issue is fixed. Thank you everyone for your involvement in getting this resolved.
Steven,
Great to hear. Thank you for being persistent and bringing this to our attention.