AWS SES Nodemailer Transport doesn't use clear-text protocol

Product: SonarCloud
Language: Typescript (NodeJS)
Security Hotspot: typescript:S5332

SonarCloud is reporting a ‘Using clear-text protocols is security-sensitive’ Security Hotspot even though AWS SES SDK (SES Client - AWS SDK for JavaScript v3) only ever uses HTTPS.
Usually the Transport interface from nodemailer has secure/secured/tls properties but this is not the case for the SES transport, as they are not configurable.

```typescript
import * as ses from '@aws-sdk/client-ses'
import nodemailer from 'nodemailer'

// Region comes from the environment here; the original snippet left AWS_REGION undefined
const AWS_REGION = process.env.AWS_REGION

// The SES client only ever talks to the SES API over HTTPS; there is no
// secure/tls switch to set on this transport
const sesClient = new ses.SES({ region: AWS_REGION })
const transporter = nodemailer.createTransport({
  SES: {
    ses: sesClient,
    aws: ses,
  },
})
```

Link to the Security Hotspot: SonarSource Code Analyzers Rules Explorer

Hello Miguel, and welcome to our community!

Thank you for your feedback and I sincerely apologize for our late response. I will look into the matter and create an internal ticket to resolve this issue. Based on your description of the issue, it is a False Positive.

The next step on our side is to investigate the AWS code to prove that this component is forcing HTTPS. This way we can quickly follow up on the issue in future sprints on this SDK.

Have a great day and thank you for this note. Our support for AWS SES SDK is new, and we really appreciate your feedback!

Loris

Hello Miguel,

This issue is now tracked in SonarJS#3351.

Thanks a lot for your contribution!

Cheers,

Loris

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.