FP: - Weak SSL/TLS protocols should not be used [c:S4423] - curl with CURL_SSLVERSION_TLSv1_2

Rule: Weak SSL/TLS protocols should not be used [c:S4423]

Product: SonarQube Cloud

Lang: C/C++/Objective-C

Source code:

	request->rawHandle = curl_easy_init();
	request->complete_clb = complete;
	request->progress_clb = progress;
	ETL_curl_easy_setopt(status, request->rawHandle, CURLOPT_USERAGENT, va("%s %s", APP_NAME "/" APP_VERSION, curl_version()));
	ETL_curl_easy_setopt(status, request->rawHandle, CURLOPT_REFERER, referer);
	ETL_curl_easy_setopt(status, request->rawHandle, CURLOPT_URL, remoteName);
	// Use stronger SSL and TLS versions
	ETL_curl_easy_setopt(status, request->rawHandle, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_2);

	ETL_curl_easy_setopt(status, request->rawHandle, CURLOPT_WRITEFUNCTION, DL_cb_FWriteFile);
	ETL_curl_easy_setopt(status, request->rawHandle, CURLOPT_WRITEDATA, (void *)request);
	ETL_curl_easy_setopt(status, request->rawHandle, CURLOPT_XFERINFOFUNCTION, DL_cb_Progress);
	ETL_curl_easy_setopt(status, request->rawHandle, CURLOPT_PROGRESSDATA, (void *)request);
	ETL_curl_easy_setopt(status, request->rawHandle, CURLOPT_NOPROGRESS, 0);
	ETL_curl_easy_setopt(status, request->rawHandle, CURLOPT_FAILONERROR, 1);
	ETL_curl_easy_setopt(status, request->rawHandle, CURLOPT_FOLLOWLOCATION, 1);
	ETL_curl_easy_setopt(status, request->rawHandle, CURLOPT_MAXREDIRS, 5);
	ETL_curl_easy_setopt(status, request->rawHandle, CURLOPT_FORBID_REUSE, 1L);

Full source code:

Why do you believe it’s a false-positive/false-negative?

Current description how to fix it:
curl_easy_setopt(curl, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_2);

Source code:
ETL_curl_easy_setopt(status, request->rawHandle, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_2);
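To make explicit what S4423 is meant to check on a CURLOPT_SSLVERSION argument, here is an added example. It is not code from the ET: Legacy project or from SonarSource; the helper names ssl_min_version, ssl_max_version and sslversion_is_weak are mine. It uses libcurl's own curl/curl.h when that header is installed, and otherwise falls back to a copy of the public CURL_SSLVERSION_* enum so it still builds, which is the same header the analyzer has to resolve to know that CURL_SSLVERSION_TLSv1_2 is the strong setting. The "weak" classification (minimum version below TLS 1.2, or no pinned minimum at all) is my reading of the rule's intent, not the analyzer's implementation.

```c
#include <stdio.h>
#include <stdbool.h>

/* Added example, not project or SonarSource code. Prefer the real libcurl
 * header; fall back to a mirror of its enum when it is not available. */
#if defined(__has_include)
#  if __has_include(<curl/curl.h>)
#    include <curl/curl.h>
#    define EXAMPLE_HAVE_CURL_H 1
#  endif
#endif

#ifndef EXAMPLE_HAVE_CURL_H
/* Mirror of the CURLOPT_SSLVERSION values from curl/curl.h. */
enum {
  CURL_SSLVERSION_DEFAULT, /* backend default; floor not pinned by the caller */
  CURL_SSLVERSION_TLSv1,   /* "TLS 1.x": may still negotiate TLS 1.0 */
  CURL_SSLVERSION_SSLv2,
  CURL_SSLVERSION_SSLv3,
  CURL_SSLVERSION_TLSv1_0,
  CURL_SSLVERSION_TLSv1_1,
  CURL_SSLVERSION_TLSv1_2,
  CURL_SSLVERSION_TLSv1_3
};
/* An optional maximum version is OR-ed into the upper 16 bits. */
#define CURL_SSLVERSION_MAX_DEFAULT (CURL_SSLVERSION_DEFAULT << 16)
#define CURL_SSLVERSION_MAX_TLSv1_0 (CURL_SSLVERSION_TLSv1_0 << 16)
#define CURL_SSLVERSION_MAX_TLSv1_1 (CURL_SSLVERSION_TLSv1_1 << 16)
#define CURL_SSLVERSION_MAX_TLSv1_2 (CURL_SSLVERSION_TLSv1_2 << 16)
#define CURL_SSLVERSION_MAX_TLSv1_3 (CURL_SSLVERSION_TLSv1_3 << 16)
#endif

/* Split a CURLOPT_SSLVERSION argument into its minimum and maximum parts
 * (minimum in the low 16 bits, optional maximum in the high 16 bits). */
static long ssl_min_version(long v) { return v & 0xFFFFL; }
static long ssl_max_version(long v) { return (v >> 16) & 0xFFFFL; }

/* True when the setting still allows a protocol older than TLS 1.2.
 * DEFAULT and TLSv1 count as weak because they do not pin the floor;
 * what they actually negotiate depends on the libcurl build and backend. */
static bool sslversion_is_weak(long v) {
  return ssl_min_version(v) < CURL_SSLVERSION_TLSv1_2;
}

int main(void) {
  /* Constructed table of settings a reviewer might meet in a code base. */
  struct { const char *name; long value; } settings[] = {
    { "CURL_SSLVERSION_DEFAULT",                          CURL_SSLVERSION_DEFAULT },
    { "CURL_SSLVERSION_TLSv1",                            CURL_SSLVERSION_TLSv1 },
    { "CURL_SSLVERSION_SSLv3",                            CURL_SSLVERSION_SSLv3 },
    { "CURL_SSLVERSION_TLSv1_1",                          CURL_SSLVERSION_TLSv1_1 },
    { "CURL_SSLVERSION_TLSv1_2",                          CURL_SSLVERSION_TLSv1_2 },
    { "CURL_SSLVERSION_TLSv1_2 | CURL_SSLVERSION_MAX_TLSv1_3",
      CURL_SSLVERSION_TLSv1_2 | CURL_SSLVERSION_MAX_TLSv1_3 },
    { "CURL_SSLVERSION_TLSv1_3",                          CURL_SSLVERSION_TLSv1_3 },
  };
  size_t i;
  for (i = 0; i < sizeof settings / sizeof settings[0]; i++) {
    long v = settings[i].value;
    printf("%-55s min=%ld max=%ld -> %s\n", settings[i].name,
           ssl_min_version(v), ssl_max_version(v),
           sslversion_is_weak(v) ? "WEAK (S4423 should fire)" : "ok");
  }
  return 0;
}
```

The value the reporter passes, CURL_SSLVERSION_TLSv1_2, has minimum 6 and no maximum, so it is classified as acceptable; a report on that line can only come from the analyzer failing to resolve the constant, not from the value itself.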

Hi @randomek and welcome!
Indeed, this report looks odd; I am investigating. I'll get back to this thread once I have a conclusion.

And here is my conclusion:
It is a false positive caused by automatic analysis approximation. SonarQube Automatic Analysis works without installing precise dependencies of a project and without running any config/cmake/build scripts, so it has to guess many things related to your build. Most of the time it guesses well enough to conduct precise analysis. However, in this case, it has made an incorrect guess, which led to a false positive. I created a ticket to track it.

In the meantime, I advise you to analyze your project on the CI instead of using automatic analysis. Note that this particular file "qcommon/dl_main_curl.c" is not used in your project, so it will not be analyzed by CI-based analysis, which only analyzes the files you use for the build.