Versions: sonar-scanner-cli 4.6.2.2472-linux with cfamily
Code:
#include <curl/curl.h>

CURL* curl = curl_easy_init();
if( curl ) {
    /* minimum protocol version: TLS 1.2 */
    curl_easy_setopt( curl, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_2 );
    // other code
}
I believe the code should not trigger the warning “Weak SSL/TLS protocols should not be used”.
The compliant solution on C static code analysis: Weak SSL/TLS protocols should not be used (quoted below) does not check the return value of curl_easy_init(), which I think is inappropriate. Please check the example code on CURLOPT_SSLVERSION.
CURL* curl;
curl = curl_easy_init();
curl_easy_setopt(curl, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_2);
Here is another version of the code which triggers the warning too:
#include <curl/curl.h>

CURL* curl = curl_easy_init();
if( !curl ) {
    // throw an exception here
}
/* minimum protocol version: TLS 1.2 */
curl_easy_setopt( curl, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_2 );
// other code
By the way, if possible, please help delete my account 'abit' from the issue tracker (https://jira.sonarsource.com/browse/CPP), because I thought I should create this false positive report there but actually could do nothing after registering an account.
Thanks.