java.lang.security.audit.weak-ssl-context.weak-ssl-context


An insecure SSL context was detected. TLS versions 1.0, 1.1, and all SSL versions are considered weak encryption and are deprecated. Use SSLContext.getInstance("TLSv1.2") for the best security.


Definition

# Flags SSLContext.getInstance(...) calls whose protocol name is a string
# literal other than "TLSv1.2" or "TLSv1.3". The check is purely syntactic:
# it inspects the literal and nothing else about how the context is used.
rules:
  - id: weak-ssl-context
    metadata:
      cwe:
        - "CWE-326: Inadequate Encryption Strength"
      owasp:
        - A03:2017 - Sensitive Data Exposure
        - A02:2021 - Cryptographic Failures
      source_rule_url: https://find-sec-bugs.github.io/bugs.htm#SSL_CONTEXT
      references:
        - https://tools.ietf.org/html/rfc7568
        - https://tools.ietf.org/id/draft-ietf-tls-oldversions-deprecate-02.html
      category: security
      technology:
        - java
      subcategory:
        - audit
      # Likelihood is LOW because the literal alone does not show whether the
      # resulting context is later narrowed (e.g. via the socket's enabled
      # protocol list) — confirm against the JDK's enabled-protocol defaults
      # before treating a hit as exploitable.
      likelihood: LOW
      impact: MEDIUM
      confidence: HIGH
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Cryptographic Issues
    message: An insecure SSL context was detected. TLS versions 1.0, 1.1, and all
      SSL versions are considered weak encryption and are deprecated. Use
      SSLContext.getInstance("TLSv1.2") for the best security.
    severity: WARNING
    languages:
      - java
    # Only literal arguments are inspected. A protocol name that arrives via a
    # variable, field or method call (test8 in the example file) is not matched,
    # so code that reads the protocol from configuration is a known false negative.
    patterns:
      # The two accepted literals; everything else that is a string literal hits.
      - pattern-not: SSLContext.getInstance("TLSv1.3")
      - pattern-not: SSLContext.getInstance("TLSv1.2")
      - pattern: SSLContext.getInstance("...")
    # Autofix rewrites the argument of the matched call to "TLSv1.2" (the rule's
    # stated floor; it does not raise the call to TLSv1.3). Group 1 captures the
    # receiver text so the call target is preserved — presumably applied to the
    # matched text only; verify on a line with several getInstance(...) calls.
    fix-regex:
      regex: (.*?)\.getInstance\(.*?\)
      replacement: \1.getInstance("TLSv1.2")

Examples

weak-ssl-context.java

import java.lang.Runtime;
import java.security.NoSuchAlgorithmException;
import javax.net.ssl.SSLContext;

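/**
 * Semgrep test fixture for the {@code weak-ssl-context} rule.
 *
 * <p>Each {@code // ruleid:} comment marks the line directly below it as an expected
 * finding; each {@code // ok:} comment marks a line the rule must leave alone. The
 * methods declare {@link NoSuchAlgorithmException} because
 * {@link SSLContext#getInstance(String)} throws it, so the fixture compiles as written
 * while every annotated call stays on its own line.
 */
class Cls {

    /** Prints a greeting; present only so the fixture has a constructor the rule must ignore. */
    public Cls() {
        System.out.println("Hello");
    }

    /**
     * Protocol name {@code "SSL"}: every SSL version is deprecated, expected finding.
     *
     * @throws NoSuchAlgorithmException if the provider does not know the protocol name
     */
    public void test1() throws NoSuchAlgorithmException {
        // ruleid: weak-ssl-context
        SSLContext ctx = SSLContext.getInstance("SSL");
    }

    /**
     * Generic {@code "TLS"}: the rule treats any literal other than TLSv1.2/TLSv1.3 as a
     * finding, so the version-less alias is flagged as well.
     *
     * @throws NoSuchAlgorithmException if the provider does not know the protocol name
     */
    public void test2() throws NoSuchAlgorithmException {
        // ruleid: weak-ssl-context
        SSLContext ctx = SSLContext.getInstance("TLS");
    }

    /**
     * {@code "TLSv1"} (TLS 1.0): deprecated, expected finding.
     *
     * @throws NoSuchAlgorithmException if the provider does not know the protocol name
     */
    public void test3() throws NoSuchAlgorithmException {
        // ruleid: weak-ssl-context
        SSLContext ctx = SSLContext.getInstance("TLSv1");
    }

    /**
     * {@code "SSLv3"}: deprecated, expected finding.
     *
     * @throws NoSuchAlgorithmException if the provider does not know the protocol name
     */
    public void test4() throws NoSuchAlgorithmException {
        // ruleid: weak-ssl-context
        SSLContext ctx = SSLContext.getInstance("SSLv3");
    }

    /**
     * {@code "TLSv1.1"}: deprecated, expected finding.
     *
     * @throws NoSuchAlgorithmException if the provider does not know the protocol name
     */
    public void test5() throws NoSuchAlgorithmException {
        // ruleid: weak-ssl-context
        SSLContext ctx = SSLContext.getInstance("TLSv1.1");
    }

    /**
     * {@code "TLSv1.2"}: one of the two literals the rule accepts, must not be flagged.
     *
     * @throws NoSuchAlgorithmException if the provider does not know the protocol name
     */
    public void test6() throws NoSuchAlgorithmException {
        // ok: weak-ssl-context
        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
    }

    /**
     * {@code "TLSv1.3"}: the other accepted literal, must not be flagged.
     *
     * @throws NoSuchAlgorithmException if the provider does not know the protocol name
     */
    public void test7() throws NoSuchAlgorithmException {
        // ok: weak-ssl-context
        SSLContext ctx = SSLContext.getInstance("TLSv1.3");
    }

    /**
     * Supplies a protocol name from a method rather than a literal.
     *
     * @return the fixed string {@code "Anything"}, which is not a real protocol name
     */
    public String getSslContext() {
        return "Anything";
    }

    /**
     * Not flagged: the rule's pattern matches only string-literal arguments, so a name
     * computed at runtime slips past it even when it would resolve to a weak protocol.
     * Calling this method throws, since {@code "Anything"} is not a known protocol.
     *
     * @throws NoSuchAlgorithmException always, because the returned name is unknown
     */
    public void test8() throws NoSuchAlgorithmException {
        // ok: weak-ssl-context
        SSLContext ctx = SSLContext.getInstance(getSslContext());
    }
}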