Weak SSL and TLS versions used in C sources

This hits me as well, as of 20230907.
Here is our code, which is correct but still gets a sonar warning on TLS.

We use recent versions of gcc and clang in C++20 mode.

void good_code(const std::string& url, std::chrono::milliseconds timeout)

    if (auto curl = curl_easy_init(); curl)
        curl_easy_setopt(curl, CURLOPT_URL, url.c_str());
        curl_easy_setopt(curl, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_2);
        curl_easy_setopt(curl, CURLOPT_POST, 1L);
        curl_easy_setopt(curl, CURLOPT_TIMEOUT_MS, timeout.count());
        curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, &no_output);

        //  ........




Hi @pauldreikneti,

Welcome to the community!

What’s your version of SonarQube? You can find it in the page footer if you’re not certain. Or are you using SonarCloud?


hi, thanks!
we use sonarcloud.

Hi Paul,

Thanks very much for reporting this. I’ve checked the code and can confirm that this is indeed a false positive.

You can find the ticket for addressing the false positive at https://sonarsource.atlassian.net/browse/CPP-4692 so you can track progress.


1 Like