Weak SSL and TLS versions used in C sources

This hits me as well, as of 20230907.
Here is our code, which is correct but still gets a sonar warning on TLS.

We use recent versions of gcc and clang in C++20 mode.


#include <chrono>
#include <string>
#include <curl/curl.h>

// Write callback that discards the response body. libcurl expects this exact
// signature; returning size * nmemb tells it every byte was consumed.
static size_t no_output(char*, size_t size, size_t nmemb, void*)
{
    return size * nmemb;
}

void good_code(const std::string& url, std::chrono::milliseconds timeout)
{
    curl_global_init(CURL_GLOBAL_ALL);

    if (auto curl = curl_easy_init(); curl)
    {
        curl_easy_setopt(curl, CURLOPT_URL, url.c_str());
        // Minimum TLS 1.2: this is the line the rule flags.
        curl_easy_setopt(curl, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_2);
        curl_easy_setopt(curl, CURLOPT_POST, 1L);
        // CURLOPT_TIMEOUT_MS reads a long from the variadic argument list;
        // milliseconds::rep may be wider (long long), so cast explicitly.
        curl_easy_setopt(curl, CURLOPT_TIMEOUT_MS, static_cast<long>(timeout.count()));
        curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, &no_output);

        //  ........

        curl_easy_cleanup(curl);
    }

    curl_global_cleanup();
}
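The rule in question flags weak TLS versions chosen through CURLOPT_SSLVERSION, and the report above is that a TLS 1.2 minimum gets flagged too. Below is an added example (not Sonar's rule implementation and not the poster's project code) of the classification such a check needs: it maps each CURL_SSLVERSION_* constant to the minimum protocol version it pins, as documented for CURLOPT_SSLVERSION, treats anything below TLS 1.2 (or no pinned minimum) as weak, ignores CURL_SSLVERSION_MAX_* flags because they only cap the maximum, and runs over a constructed sample of curl_easy_setopt lines. The regexes, the TlsMin/Finding names and the sample lines are my assumptions; it needs only the C++ standard library, so it compiles without libcurl.

```cpp
// Added example: a minimal "weak TLS version" classifier for libcurl's
// CURLOPT_SSLVERSION. Not Sonar's rule and not the poster's project code;
// the regexes, type names and sample lines are assumptions.
#include <cstddef>
#include <iostream>
#include <map>
#include <optional>
#include <regex>
#include <string>
#include <vector>

// Minimum protocol version each CURL_SSLVERSION_* constant pins, per the
// libcurl CURLOPT_SSLVERSION documentation. Order matters: lower is weaker.
enum class TlsMin { Unpinned, SSLv2, SSLv3, TLS1_0, TLS1_1, TLS1_2, TLS1_3 };

static const std::map<std::string, TlsMin> kMinByConstant = {
    {"CURL_SSLVERSION_DEFAULT", TlsMin::Unpinned}, // backend default; libcurl documents TLS 1.0
    {"CURL_SSLVERSION_TLSv1",   TlsMin::TLS1_0},   // "TLS 1.x": minimum is 1.0
    {"CURL_SSLVERSION_SSLv2",   TlsMin::SSLv2},
    {"CURL_SSLVERSION_SSLv3",   TlsMin::SSLv3},
    {"CURL_SSLVERSION_TLSv1_0", TlsMin::TLS1_0},
    {"CURL_SSLVERSION_TLSv1_1", TlsMin::TLS1_1},
    {"CURL_SSLVERSION_TLSv1_2", TlsMin::TLS1_2},
    {"CURL_SSLVERSION_TLSv1_3", TlsMin::TLS1_3},
};

// What the rule should flag: a pinned minimum below TLS 1.2, or none at all.
bool is_weak_minimum(TlsMin m) { return m < TlsMin::TLS1_2; }

struct Finding {
    std::string constant; // token that sets the minimum (or the raw value)
    TlsMin minimum;
    bool weak;
};

// Inspect one source line; returns a Finding only for CURLOPT_SSLVERSION calls.
std::optional<Finding> check_line(const std::string& line) {
    static const std::regex setopt(
        R"(curl_easy_setopt\s*\([^,]+,\s*CURLOPT_SSLVERSION\s*,\s*(.*)\))");
    std::smatch m;
    if (!std::regex_search(line, m, setopt)) return std::nullopt;
    const std::string value = m[1].str();
    // The minimum is the first CURL_SSLVERSION_* token that is not a MAX_*
    // flag: CURL_SSLVERSION_MAX_* only caps the maximum version.
    static const std::regex token(R"(CURL_SSLVERSION_(?!MAX_)\w+)");
    std::smatch t;
    if (!std::regex_search(value, t, token))
        return Finding{value, TlsMin::Unpinned, true}; // e.g. a bare numeric literal
    const auto it = kMinByConstant.find(t[0].str());
    const TlsMin min = (it == kMinByConstant.end()) ? TlsMin::Unpinned : it->second;
    return Finding{t[0].str(), min, is_weak_minimum(min)};
}

// Constructed sample source: line 2 mirrors the poster's TLS 1.2 setting and
// must not be flagged; lines 3 and 4 should be.
const std::vector<std::string> kSampleSource = {
    "curl_easy_setopt(curl, CURLOPT_URL, url.c_str());",
    "curl_easy_setopt(curl, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_2);",
    "curl_easy_setopt(legacy, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_0);",
    "curl_easy_setopt(other, CURLOPT_SSLVERSION, CURL_SSLVERSION_DEFAULT);",
};

// 1-based line numbers whose CURLOPT_SSLVERSION value is weak or unpinned.
std::vector<int> weak_lines(const std::vector<std::string>& src) {
    std::vector<int> out;
    for (std::size_t i = 0; i < src.size(); ++i)
        if (auto f = check_line(src[i]); f && f->weak) out.push_back(static_cast<int>(i) + 1);
    return out;
}

int main() {
    for (std::size_t i = 0; i < kSampleSource.size(); ++i)
        if (auto f = check_line(kSampleSource[i]))
            std::cout << "line " << i + 1 << ": " << f->constant
                      << (f->weak ? "  <-- weak or unpinned minimum\n" : "  ok\n");
    return 0;
}
```

Run against the sample it reports lines 3 and 4 only; the TLS 1.2 line the thread is about passes, which is the behaviour the rule should have. A checker like this is a text-level audit, not a semantic analysis: a version passed through a variable or computed at runtime is not resolved, which is exactly the kind of case where a real analyzer has to track values rather than tokens.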

Hi @pauldreikneti,

Welcome to the community!

What’s your version of SonarQube? You can find it in the page footer if you’re not certain. Or are you using SonarCloud?

Thx,
Ann

Hi, thanks!
We use SonarCloud.

Hi Paul,

Thanks very much for reporting this. I’ve checked the code and can confirm that this is indeed a false positive.

You can find the ticket for addressing the false positive at https://sonarsource.atlassian.net/browse/CPP-4692 so you can track progress.

Best,
Philipp
