Similar issue when using CURL_SSLVERSION_MAX_DEFAULT.
Code:
curl_easy_setopt(curl_handle, CURLOPT_SSLVERSION, (long)CURL_SSLVERSION_MAX_DEFAULT);
Issue Summary:
SonarQube continues to report the vulnerability issue “Use stronger SSL and TLS versions” while using the curl library with the “curl_easy_init()” function. While using “CURL_SSLVERSION_TLSv1_1” it reported the error. Then we migrated to “CURL_SSLVERSION_TLSv1_2”, and now the latest version is “CURL_SSLVERSION_TLSv1_3”.
In future, TLSv1_2 and TLSv1_3 may be deprecated, and a new version will need to be used. To avoid this issue, the curl library (libcurl) introduced “CURL_SSLVERSION_MAX_DEFAULT”.
Reference URL: CURLOPT_PROXY_SSLVERSION
Could you please update/fix SonarQube to support CURL_SSLVERSION_MAX_DEFAULT?
ganncamp
(G Ann Campbell)
October 19, 2023, 6:11pm
Hi,
Welcome to the community and thanks for this report!
I’ve moved your post to a new topic since the topic you posted in was >1y old.
Can you please provide the data from the new post topic for this category?
Make sure to read this post before raising a thread here:
How to Report a False-positive / False-negative
Then tell us:
What language is this for?
Which rule?
Why do you believe it’s a false-positive/false-negative?
Are you using
SonarCloud?
SonarQube - which version?
SonarLint - which IDE/version?
in connected mode with SonarQube or SonarCloud?
How can we reproduce the problem? Give us a self-contained snippet of code (formatted text, no screenshots)
Thx,
Ann
What language is this for?
C++
Which rule?
Use stronger SSL and TLS versions
Weak SSL/TLS protocols should not be used[cpp:S4423]
Why do you believe it’s a false-positive/false-negative?
The new parameter is supported by libcurl.
Are you using
SonarQube - which version?
Enterprise Edition Version 10.0 (build 68432)
in connected mode with SonarQube or SonarCloud?
SonarQube
How can we reproduce the problem? Give us a self-contained snippet of code (formatted text, no screenshots)
#include <curl/curl.h>
#include <string>

CURL *curl_handle = curl_easy_init();
if (curl_handle) {
    std::string response;
    curl_easy_setopt(curl_handle, CURLOPT_CUSTOMREQUEST, reqobj.getCType());
    curl_easy_setopt(curl_handle, CURLOPT_URL, reqobj.getCURL());
    curl_easy_setopt(curl_handle, CURLOPT_FOLLOWLOCATION, 1L);
    curl_easy_setopt(curl_handle, CURLOPT_DEFAULT_PROTOCOL, reqobj.getCProtocol());
    curl_easy_setopt(curl_handle, CURLOPT_WRITEFUNCTION, curlwrapper::callback);
    curl_easy_setopt(curl_handle, CURLOPT_WRITEDATA, &response);
    // CURLOPT_SSLVERSION takes a long. CURL_SSLVERSION_MAX_DEFAULT is a
    // CURL_SSLVERSION_MAX_* flag, i.e. it only sets the maximum version;
    // this is the line S4423 flags.
    curl_easy_setopt(curl_handle, CURLOPT_SSLVERSION, (long)CURL_SSLVERSION_MAX_DEFAULT);
}
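As an added example (not code from the thread, from libcurl or from SonarSource), the block below decodes a CURLOPT_SSLVERSION value the way libcurl lays it out: the minimum protocol version in the low 16 bits and a CURL_SSLVERSION_MAX_* value in the high 16 bits, which is why the two can be OR'd together. The constants are copied from curl/curl.h with the CURL_ prefix dropped so the program builds without libcurl installed; the policy check sslversion_is_strong, the struct and the function names are this example's own. It shows that CURL_SSLVERSION_MAX_DEFAULT on its own leaves the minimum at CURL_SSLVERSION_DEFAULT (no explicit floor), whereas OR-ing it with CURL_SSLVERSION_TLSv1_2, the combined form the CURLOPT_SSLVERSION man page documents, pins the floor at TLS 1.2 while still letting the TLS backend negotiate the newest version it supports.

```cpp
#include <cstdio>
#include <string>

// Constants mirrored from <curl/curl.h> (the curl_sslversion enum and the
// CURL_SSLVERSION_MAX_* macros) so this example builds without libcurl.
// Real code includes <curl/curl.h> and uses the library's own names.
enum SslVersion : long {
    SSLVERSION_DEFAULT = 0,  // let the TLS backend choose the minimum
    SSLVERSION_TLSv1   = 1,  // any TLS 1.x
    SSLVERSION_SSLv2   = 2,
    SSLVERSION_SSLv3   = 3,
    SSLVERSION_TLSv1_0 = 4,
    SSLVERSION_TLSv1_1 = 5,
    SSLVERSION_TLSv1_2 = 6,
    SSLVERSION_TLSv1_3 = 7
};

// The maximum version lives in the upper 16 bits of the same long, so a
// minimum and a maximum can be OR'd into one CURLOPT_SSLVERSION value.
constexpr long SSLVERSION_MAX_DEFAULT = SSLVERSION_TLSv1   << 16;
constexpr long SSLVERSION_MAX_TLSv1_0 = SSLVERSION_TLSv1_0 << 16;
constexpr long SSLVERSION_MAX_TLSv1_1 = SSLVERSION_TLSv1_1 << 16;
constexpr long SSLVERSION_MAX_TLSv1_2 = SSLVERSION_TLSv1_2 << 16;
constexpr long SSLVERSION_MAX_TLSv1_3 = SSLVERSION_TLSv1_3 << 16;

struct SslVersionRange {
    long minimum;            // low 16 bits: minimum protocol version
    long maximum;            // high 16 bits: maximum protocol version (0 = none set)
    bool floor_is_explicit;  // false when the minimum is SSLVERSION_DEFAULT
};

// Split a CURLOPT_SSLVERSION value into its minimum and maximum halves.
SslVersionRange decode_sslversion(long value) {
    SslVersionRange r{};
    r.minimum = value & 0xFFFF;
    r.maximum = (value >> 16) & 0xFFFF;
    r.floor_is_explicit = r.minimum != SSLVERSION_DEFAULT;
    return r;
}

// Policy this example enforces (what a rule like S4423 is meant to catch):
// the configured minimum must be TLS 1.2 or newer. Only the low half counts;
// a CURL_SSLVERSION_MAX_* flag says nothing about the floor.
bool sslversion_is_strong(long value) {
    SslVersionRange r = decode_sslversion(value);
    return r.minimum == SSLVERSION_TLSv1_2 || r.minimum == SSLVERSION_TLSv1_3;
}

// Human-readable label for a version number taken from the low half.
const char *version_name(long v) {
    switch (v) {
    case SSLVERSION_DEFAULT: return "DEFAULT";
    case SSLVERSION_TLSv1:   return "TLSv1";
    case SSLVERSION_SSLv2:   return "SSLv2";
    case SSLVERSION_SSLv3:   return "SSLv3";
    case SSLVERSION_TLSv1_0: return "TLSv1.0";
    case SSLVERSION_TLSv1_1: return "TLSv1.1";
    case SSLVERSION_TLSv1_2: return "TLSv1.2";
    case SSLVERSION_TLSv1_3: return "TLSv1.3";
    default:                 return "unknown";
    }
}

// Label for the high half: 0 means no maximum was set, 1 is MAX_DEFAULT.
const char *max_name(long v) {
    if (v == 0) return "DEFAULT";
    if (v == SSLVERSION_TLSv1) return "MAX_DEFAULT";
    return version_name(v);
}

std::string describe_sslversion(long value) {
    SslVersionRange r = decode_sslversion(value);
    std::string out = "min=";
    out += version_name(r.minimum);
    out += " max=";
    out += max_name(r.maximum);
    out += sslversion_is_strong(value) ? " [ok]" : " [weak floor]";
    return out;
}

int main() {
    // The settings discussed in the thread, plus the combined form that pins
    // the floor at TLS 1.2 and still lets libcurl negotiate upwards.
    const long settings[] = {
        SSLVERSION_TLSv1_1,
        SSLVERSION_TLSv1_2,
        SSLVERSION_MAX_DEFAULT,                       // floor left at DEFAULT
        SSLVERSION_TLSv1_2 | SSLVERSION_MAX_DEFAULT,  // floor 1.2, ceiling default
        SSLVERSION_TLSv1_2 | SSLVERSION_MAX_TLSv1_3,
    };
    for (long s : settings)
        std::printf("0x%06lx  %s\n", s, describe_sslversion(s).c_str());
    return 0;
}
```

In the real call this is `curl_easy_setopt(curl_handle, CURLOPT_SSLVERSION, (long)(CURL_SSLVERSION_TLSv1_2 | CURL_SSLVERSION_MAX_DEFAULT));`. Whether a given combination is honoured still depends on the TLS backend libcurl was built against, so check the CURLcode returned by curl_easy_setopt rather than assuming the range took effect.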
ganncamp
(G Ann Campbell)
October 19, 2023, 6:37pm
Hi,
Thanks for this.
I believe this is relevant. It should be part of SonarQube 10.3, E.T.A. early-ish November:
CPP-4692 S4423: FP for detection of weak SSL/TLS versions
Ann