False-positive in Java code with incorrect recommendation

I was just doing a scan for the first time, and it detected 2 issues in my code of the same type. The analysis came back with “opt.semgrep.java.lang.security.audit.weak-ssl-context.weak-ssl-context,” which states “TLS versions 1.0, 1.1, and all SSL versions are considered weak encryption and are deprecated. Use SSLContext.getInstance(“TLSv1.2”) for the best security.” However, the 2 instances of this issue it is referring to are using SSLContext.getInstance(“TLSv1.3”), which is supported since later versions of Java 8 and Java 11, and I am using Java 16. Can this be fixed in the scanner or ignored in the results? If not, then I may need to go with another solution. The full report can be viewed here Sonatype Lift -- Console

Thanks for the feedback @stevenjdh. I’ll investigate with the team to see if there is a better way to handle these for later versions of Java.

In the meantime does the ignoreRules configuration help you by ignoring this particular finding? Configuration Reference

ignoreRules = ["opt.semgrep.java.lang.security.audit.weak-ssl-context.weak-ssl-context"]

Let me know if this helps

@stevenjdh after investigating this we found that Lift is incorrectly looking for “TLS1.3” instead of looking for “TLSv1.3”. We’re working to get a fix into the next update.

1 Like

That is great news, and thanks for the fast response. I’ll wait for the fix.

@stevenjdh The fix is merged and if all goes well with the deployment you should see this live in production early next week. Thanks for bringing this to our attention!

1 Like

The deployment has been complete. If you encounter any other issues, or do not consider this one resolved, then please reach out.

I just ran an analysis now, and I still get the same 2 detected issues. Should I wait longer maybe?

Hurm, grumble grumble. Thank you, I will test with your exact repository and figure out what the delta is here and get back with a fix.

Thanks, let me know if you need anything. Also as a side note, you may see now a lot more than 2 detections, but still the same 2 of interest. This is because I added a docs folder with javadocs and for some reason the .lift.toml config file using the ignore section doesn’t seen to ignore what I put there…most likely something I am doing wrong. I’ll tackle this in another thread.

1 Like

OK, I took a moment and hunted the difference down. It turns out I was mistaken about the deployment. This will get caught by the next deployment which should be early or mid next week.

@tdubuisson thanks, and I can now confirm that the issue is fixed. Thank you everyone for your involvement in getting this resolved.

1 Like

Great to hear. Thank you for being persistent and bringing this to our attention.