SonarCloud is reporting a ‘Using clear-text protocols is security-sensitive’ Security Hotspot even though the AWS SES SDK (SES Client - AWS SDK for JavaScript v3) only ever uses HTTPS.
Usually the Transport interface from nodemailer has secure/secured/tls properties but this is not the case for the SES transport, as they are not configurable.
```js
import * as ses from '@aws-sdk/client-ses'
import nodemailer from 'nodemailer'

const sesClient = new ses.SES({ region: AWS_REGION })
const transporter = nodemailer.createTransport({
  SES: {
    ses: sesClient,
    aws: ses,
  },
})
```
Thank you for your feedback and I sincerely apologize for our late response. I will look into the matter and create an internal ticket to resolve this issue. Based on your description of the issue, it is a False Positive.
The next step on our side is to investigate the AWS code to prove that this component is forcing HTTPS. This way we can quickly follow up on the issue in future sprints on this SDK.
Have a great day and thank you for this note. Our support for AWS SES SDK is new, and we really appreciate your feedback!