False-positive in Java code with incorrect recommendation

I was just doing a scan for the first time, and it detected 2 issues in my code of the same type. The analysis came back with “opt.semgrep.java.lang.security.audit.weak-ssl-context.weak-ssl-context,” which states “TLS versions 1.0, 1.1, and all SSL versions are considered weak encryption and are deprecated. Use SSLContext.getInstance("TLSv1.2") for the best security.” However, the 2 instances of this issue it is referring to are using SSLContext.getInstance("TLSv1.3"), which is supported since later versions of Java 8 and Java 11, and I am using Java 16. Can this be fixed in the scanner or ignored in the results? If not, then I may need to go with another solution. The full report can be viewed here Sonatype Lift -- Console

Thanks for the feedback @stevenjdh. I’ll investigate with the team to see if there is a better way to handle these for later versions of Java.

In the meantime does the ignoreRules configuration help you by ignoring this particular finding? Configuration Reference

ignoreRules = ["opt.semgrep.java.lang.security.audit.weak-ssl-context.weak-ssl-context"]

Let me know if this helps

@stevenjdh after investigating this we found that Lift is incorrectly looking for “TLS1.3” instead of looking for “TLSv1.3”. We’re working to get a fix into the next update.


That is great news, and thanks for the fast response. I’ll wait for the fix.

@stevenjdh The fix is merged and if all goes well with the deployment you should see this live in production early next week. Thanks for bringing this to our attention!


The deployment has been completed. If you encounter any other issues, or do not consider this one resolved, then please reach out.

I just ran an analysis now, and I still get the same 2 detected issues. Should I wait longer maybe?

Hurm, grumble grumble. Thank you, I will test with your exact repository and figure out what the delta is here and get back with a fix.

Thanks, let me know if you need anything. Also as a side note, you may see now a lot more than 2 detections, but still the same 2 of interest. This is because I added a docs folder with javadocs and for some reason the .lift.toml config file using the ignore section doesn’t seem to ignore what I put there…most likely something I am doing wrong. I’ll tackle this in another thread.


OK, I took a moment and hunted the difference down. It turns out I was mistaken about the deployment. This will get caught by the next deployment which should be early or mid next week.

@tdubuisson thanks, and I can now confirm that the issue is fixed. Thank you everyone for your involvement in getting this resolved.


Steven,
Great to hear. Thank you for being persistent and bringing this to our attention.
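
The allowlist mismatch described in the thread ("TLS1.3" versus "TLSv1.3"), as an added example that is not part of the thread and is not Lift's or Semgrep's rule code: a simplified checker run over constructed Java lines. The regex, both allowlists and the function names are assumptions made for illustration.

```python
import re

# Matches SSLContext.getInstance("<protocol>") with a string-literal argument.
GET_INSTANCE = re.compile(r'SSLContext\.getInstance\(\s*"([^"]*)"')

# Assumed allowlists modelling the behaviour described in the thread.
BUGGY_ALLOWED = {"TLSv1.2", "TLS1.3"}   # "TLS1.3" never matches the name used in code
FIXED_ALLOWED = {"TLSv1.2", "TLSv1.3"}  # matches the protocol name the code passes

# Constructed sample input, not taken from the reporter's repository.
SAMPLE_JAVA = '''\
SSLContext a = SSLContext.getInstance("TLSv1.3");
SSLContext b = SSLContext.getInstance("TLSv1.2");
SSLContext c = SSLContext.getInstance("TLSv1.1");
SSLContext d = SSLContext.getInstance("SSLv3");
'''


def weak_ssl_context_findings(source, allowed):
    """Return (line_number, protocol) for each getInstance call not in `allowed`."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for match in GET_INSTANCE.finditer(line):
            protocol = match.group(1)
            if protocol not in allowed:
                findings.append((lineno, protocol))
    return findings


def false_positives(source):
    """Findings raised only because of the misspelled allowlist entry."""
    buggy = weak_ssl_context_findings(source, BUGGY_ALLOWED)
    fixed = set(weak_ssl_context_findings(source, FIXED_ALLOWED))
    return [finding for finding in buggy if finding not in fixed]


if __name__ == "__main__":
    print("buggy:", weak_ssl_context_findings(SAMPLE_JAVA, BUGGY_ALLOWED))
    print("fixed:", weak_ssl_context_findings(SAMPLE_JAVA, FIXED_ALLOWED))
    print("false positives:", false_positives(SAMPLE_JAVA))
```

A regression test for a rule like this should include at least one line per allowed protocol name, so that a misspelled allowlist entry shows up as an unexpected finding.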