A false negative about the rule S4423

Belle · October 11, 2025, 8:15am

Context Information:

Java
Rule: S4423
Why do you believe it’s a false-negative?
- The following code example contains a bug that violates rule S4423. At line 6, two weak protocols are used. This case is considered a false negative because the rule should have flagged it but did not.
Version: sonarqube-25.6.0.109173

import java.security.NoSuchAlgorithmException;
import javax.net.ssl.SSLContext;

public class Main {
  public static void main(String[] args) {
    String[] protocols = new String[] {"TLSv1.1", "TLSv1"}; // should report S4423 warings here, but no warnings
    try {
      for (String protocol : protocols) {
        SSLContext context = SSLContext.getInstance(protocol);
        System.out.println(context.getProvider());
      }
    } catch (NoSuchAlgorithmException e) {
        e.printStackTrace();
    }
  }
}

Loris · October 13, 2025, 2:27pm

Hi @Belle,

Thanks a lot for reporting this, it seems like an FN indeed. This might be due to how we modelized loops within the detection logic.

I am going to create the necessary action items to fix this.

Cheers,

Loris

Topic		Replies	Views
Conflicting rules for vulnerable use of Java's SSLContext Report False-positive / False-negative... java , sonarqube	2	5539	October 15, 2018
squid:S1854 Dead stores should be removed - false positive with lambda expressions Report False-positive / False-negative...	2	1402	October 30, 2018
False positive or false negative? I don't care which but consistency would be real nice as a minimum SonarQube Server / Community Build java , sonarqube , security	3	1199	August 31, 2020
False positive on cpp:S4423 and libcurl Report False-positive / False-negative... cfamily	2	957	January 13, 2022
S3242 and S4276 contradict each other SonarQube Server / Community Build java	2	670	July 12, 2021

A false negative about the rule S4423

Related topics