Detect insecure use of AWS SDK

I recently got SonarQube running on our legacy codebase and it raised a vulnerability for our use of libcurl “Use stronger SSL and TLS versions”. The fix was a single line:

    // Compliant; enables TLSv1.2 / TLSv1.3 version only
    curl_easy_setopt(m_handler, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_2);

That’s great, but completely separately we also noticed that a developer had left in a line which set the AWS SDK client to HTTP (it uses HTTPS by default):

    Aws::Client::ClientConfiguration clientConfig;
    // Overrides the SDK default (HTTPS) with plain HTTP; this is the line that should be flagged
    clientConfig.scheme = Aws::Http::Scheme::HTTP;
    _pS3Client = new Aws::S3::S3Client(Aws::Auth::AWSCredentials(Aws::String(s3_access_key.c_str()),
                                                                 Aws::String(s3_secret_access_key.c_str())), clientConfig);

It would be great if SonarQube would raise a similar vulnerability for this code. Also, the AWS SDK is available for multiple languages so I imagine the same problem can exist in all of them.
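
As an added example (not from the original post and not SonarSource’s rule), a minimal line-level detector for the misconfiguration described above. It goes beyond the C++ case: the boto3 `use_ssl=False` and AWS SDK for Java v1 `Protocol.HTTP` patterns are my assumptions about the equivalent settings in those SDKs, and the sample sources and messages are constructed.

```python
import re

# Constructed rule table: one regex per SDK language, mapped to a finding message.
# Assumption: these are the equivalent "plain HTTP" switches in each SDK.
RULES = {
    # AWS SDK for C++: ClientConfiguration.scheme = Aws::Http::Scheme::HTTP
    "cpp": [(re.compile(r"\.scheme\s*=\s*Aws::Http::Scheme::HTTP\b"),
             "AWS SDK client configured for plain HTTP; use Scheme::HTTPS")],
    # boto3 (Python): client()/resource() called with use_ssl=False
    "py": [(re.compile(r"\buse_ssl\s*=\s*False\b"),
            "boto3 client created with use_ssl=False")],
    # AWS SDK for Java v1: ClientConfiguration protocol set to Protocol.HTTP
    "java": [(re.compile(r"\b(?:setProtocol|withProtocol)\s*\(\s*Protocol\.HTTP\s*\)"),
              "ClientConfiguration uses Protocol.HTTP")],
}

# Comment-only lines are skipped so commented-out code does not raise a finding.
COMMENT_PREFIXES = ("//", "#", "*")


def find_insecure_aws_scheme(source: str, lang: str) -> list[tuple[int, str]]:
    """Return (line_no, message) for every line of `source` matching a rule for `lang`."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        if line.lstrip().startswith(COMMENT_PREFIXES):
            continue
        for pattern, message in RULES.get(lang, []):
            if pattern.search(line):
                findings.append((line_no, message))
    return findings


# Constructed sample sources: line 2 of the C++ sample is the leftover HTTP setting,
# line 4 is the secure default spelled out explicitly and must not be flagged.
CPP_SAMPLE = """\
Aws::Client::ClientConfiguration clientConfig;
clientConfig.scheme = Aws::Http::Scheme::HTTP;   // left over from local testing
Aws::Client::ClientConfiguration safeConfig;
safeConfig.scheme = Aws::Http::Scheme::HTTPS;
"""
PY_SAMPLE = "s3 = boto3.client('s3', use_ssl=False)\n# s3 = boto3.client('s3', use_ssl=False)\n"

if __name__ == "__main__":
    for lang, sample in (("cpp", CPP_SAMPLE), ("py", PY_SAMPLE)):
        for line_no, message in find_insecure_aws_scheme(sample, lang):
            print(f"[{lang}] line {line_no}: {message}")
```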

Hey @Tom_Isaacson2

We’re discussing this internally. Thanks for your patience!
