Q: When I use libcurl to connect to the SFTP server, SonarQube prompts me to "Use stronger SSL and TLS versions" at curl_easy_init(), but from what I understand, the libcurl library doesn't seem to have a way to set the SSH protocol version. How can I avoid this problem?
What language is this for?
C
Which rule?
Weak SSL/TLS protocols should not be used (c:S4423)
Why do you believe it’s a false-positive/false-negative?
I use the libcurl library to connect to the SFTP server, so I think there should be other scanning rules to avoid this problem if I can't set the SSH protocol version.
Are you using
SonarQube - Developer Edition v10.6 (92116)
How can we reproduce the problem? Give us a self-contained snippet of code (formatted text, no screenshots)
Here is some of the code:
CURL *curl = NULL;
curl = curl_easy_init();
if (curl)
{
    curl_easy_setopt(curl, CURLOPT_URL, remote_file_path_temp); // sftp url
    curl_easy_setopt(curl, CURLOPT_USERPWD, url_key);
    curl_easy_setopt(curl, CURLOPT_USERNAME, user_account_temp);
    curl_easy_setopt(curl, CURLOPT_PASSWORD, user_password_temp);
    curl_easy_setopt(curl, CURLOPT_RANGE, temp_str);
    curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, write_callback);
    curl_easy_setopt(curl, CURLOPT_WRITEDATA, fp);
    curl_easy_setopt(curl, CURLOPT_CONNECTTIMEOUT, connect_time);
    curl_easy_setopt(curl, CURLOPT_TIMEOUT, timeout); // default: 0, never timeout
    curl_easy_setopt(curl, CURLOPT_PROGRESSFUNCTION, my_progress_callback);
    curl_easy_setopt(curl, CURLOPT_PROGRESSDATA, NULL);
    curl_easy_setopt(curl, CURLOPT_NOPROGRESS, 0L);
    curl_easy_setopt(curl, CURLOPT_VERBOSE, 1L);
    curl_easy_setopt(curl, CURLOPT_OPENSOCKETFUNCTION, opensocket);
    curl_easy_setopt(curl, CURLOPT_OPENSOCKETDATA, &sockfd);
    curl_easy_setopt(curl, CURLOPT_CLOSESOCKETFUNCTION, closecb);
    curl_easy_setopt(curl, CURLOPT_CLOSESOCKETDATA, &sockfd);
}