FP: Use stronger SSL and TLS versions with curl_easy_init()

Similar issue when using CURL_SSLVERSION_MAX_DEFAULT.

Code:
curl_easy_setopt(curl_handle, CURLOPT_SSLVERSION, (long)CURL_SSLVERSION_MAX_DEFAULT);

Issue Summary:
SonarQube continues to report the vulnerability issue “Use stronger SSL and TLS versions” when the curl library is used via the “curl_easy_init()” function. While using “CURL_SSLVERSION_TLSv1_1” it reported the error, so we migrated to “CURL_SSLVERSION_TLSv1_2”, and now the latest version is “CURL_SSLVERSION_TLSv1_3”.

In the future, TLSv1_2 and TLSv1_3 may be deprecated and a newer version will need to be used. To avoid this issue, the curl library (libcurl) introduced “CURL_SSLVERSION_MAX_DEFAULT”.

Reference URL: CURLOPT_PROXY_SSLVERSION

Could you please update/fix SonarQube to support CURL_SSLVERSION_MAX_DEFAULT?

Hi,

Welcome to the community and thanks for this report!

I’ve moved your post to a new topic since the topic you posted in was >1y old.

Can you please provide the data from the new post topic for this category?

Make sure to read this post before raising a thread here:
How to Report a False-positive / False-negative

Then tell us:

  • What language is this for?
  • Which rule?
  • Why do you believe it’s a false-positive/false-negative?
  • Are you using
    • SonarCloud?
    • SonarQube - which version?
    • SonarLint - which IDE/version?
      • in connected mode with SonarQube or SonarCloud?
  • How can we reproduce the problem? Give us a self-contained snippet of code (formatted text, no screenshots)

 
Thx,
Ann

  • What language is this for?
    C++
  • Which rule?
    Use stronger SSL and TLS versions
    Weak SSL/TLS protocols should not be used [cpp:S4423]
  • Why do you believe it’s a false-positive/false-negative?
    The new parameter is supported by libcurl.
  • Are you using
    • SonarQube - which version?
      Enterprise Edition Version 10.0 (build 68432)
      • in connected mode with SonarQube or SonarCloud?
        SonarQube
  • How can we reproduce the problem? Give us a self-contained snippet of code (formatted text, no screenshots)
curl_handle = curl_easy_init();
if (curl_handle) {
    std::string response;
    curl_easy_setopt(curl_handle, CURLOPT_CUSTOMREQUEST, reqobj.getCType());
    curl_easy_setopt(curl_handle, CURLOPT_URL, reqobj.getCURL());
    curl_easy_setopt(curl_handle, CURLOPT_FOLLOWLOCATION, 1L);
    curl_easy_setopt(curl_handle, CURLOPT_DEFAULT_PROTOCOL, reqobj.getCProtocol());
    curl_easy_setopt(curl_handle, CURLOPT_WRITEFUNCTION, curlwrapper::callback);
    curl_easy_setopt(curl_handle, CURLOPT_WRITEDATA, &response);
    // Line reported by cpp:S4423 ("Use stronger SSL and TLS versions")
    curl_easy_setopt(curl_handle, CURLOPT_SSLVERSION, (long)CURL_SSLVERSION_MAX_DEFAULT);
}
1 Like
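An added example (not code from this thread or from libcurl) that decodes a CURLOPT_SSLVERSION value the way curl/curl.h lays it out: the minimum version lives in the low 16 bits and the CURL_SSLVERSION_MAX_* value in the high 16 bits, so the two can be OR'ed together as the libcurl documentation shows. It illustrates that CURL_SSLVERSION_MAX_DEFAULT on its own leaves the minimum at CURL_SSLVERSION_DEFAULT (the library's default floor), while CURL_SSLVERSION_TLSv1_2 | CURL_SSLVERSION_MAX_DEFAULT pins the floor and still takes the library's default ceiling. pins_tls12_or_newer is a hypothetical review helper, not a libcurl API, and the enum mirror is used only when the curl header is not installed.

```c
#include <stdbool.h>
#include <stdio.h>

/* Use the real header when libcurl's development files are installed; otherwise
 * mirror the values from curl/curl.h (copied verbatim) so the file still compiles. */
#ifdef __has_include
#  if __has_include(<curl/curl.h>)
#    include <curl/curl.h>
#    define SSLV_EXAMPLE_HAVE_CURL_H 1
#  endif
#endif
#ifndef SSLV_EXAMPLE_HAVE_CURL_H
enum { CURL_SSLVERSION_DEFAULT, CURL_SSLVERSION_TLSv1, CURL_SSLVERSION_SSLv2,
       CURL_SSLVERSION_SSLv3, CURL_SSLVERSION_TLSv1_0, CURL_SSLVERSION_TLSv1_1,
       CURL_SSLVERSION_TLSv1_2, CURL_SSLVERSION_TLSv1_3, CURL_SSLVERSION_LAST };
enum { CURL_SSLVERSION_MAX_NONE = 0,
       CURL_SSLVERSION_MAX_DEFAULT = (CURL_SSLVERSION_TLSv1 << 16),
       CURL_SSLVERSION_MAX_TLSv1_2 = (CURL_SSLVERSION_TLSv1_2 << 16),
       CURL_SSLVERSION_MAX_TLSv1_3 = (CURL_SSLVERSION_TLSv1_3 << 16) };
#endif

/* libcurl keeps the minimum version in the low 16 bits, the maximum in the high 16. */
static long sslversion_min(long opt) { return opt & 0xffffL; }
static long sslversion_max(long opt) { return opt & 0xffff0000L; }

/* Compose the option the way the libcurl docs show: minimum | CURL_SSLVERSION_MAX_*. */
static long sslversion_range(long min_ver, long max_ver) { return min_ver | max_ver; }

/* Hypothetical review check (not a libcurl API): true only when the minimum is pinned
 * to TLS 1.2 or newer. CURL_SSLVERSION_DEFAULT (0) pins nothing, and SSLv2, SSLv3,
 * TLS 1.0 and TLS 1.1 all sort below CURL_SSLVERSION_TLSv1_2 in the enum. */
static bool pins_tls12_or_newer(long opt) {
    long min_ver = sslversion_min(opt);
    return min_ver >= CURL_SSLVERSION_TLSv1_2 && min_ver < CURL_SSLVERSION_LAST;
}

int main(void) {
    /* The value from the thread: a maximum only, minimum left at the library default. */
    long as_posted = (long)CURL_SSLVERSION_MAX_DEFAULT;
    /* Pinned floor plus the library's default ceiling, so newer TLS versions are still used. */
    long pinned = sslversion_range(CURL_SSLVERSION_TLSv1_2, CURL_SSLVERSION_MAX_DEFAULT);

    printf("as posted: min=%ld max=%ld floor>=TLS1.2: %s\n", sslversion_min(as_posted),
           sslversion_max(as_posted) >> 16, pins_tls12_or_newer(as_posted) ? "yes" : "no");
    printf("pinned:    min=%ld max=%ld floor>=TLS1.2: %s\n", sslversion_min(pinned),
           sslversion_max(pinned) >> 16, pins_tls12_or_newer(pinned) ? "yes" : "no");
    /* Real use: curl_easy_setopt(curl_handle, CURLOPT_SSLVERSION, pinned); */
    return 0;
}
```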

Hi,

Thanks for this.

I believe this is relevant. It should be part of SonarQube 10.3, E.T.A. early-ish November:

CPP-4692 S4423: FP for detection of weak SSL/TLS versions

 
Ann

1 Like