python.lang.security.audit.insecure-transport.urllib.insecure-request-object.insecure-request-object

rules:
  - id: insecure-request-object
    message: Detected a 'urllib.request.Request()' object using an insecure
      transport protocol, 'http://'. This connection will not be encrypted. Use
      'https://' instead.
    metadata:
      owasp:
        - A03:2017 - Sensitive Data Exposure
        - A02:2021 - Cryptographic Failures
      cwe:
        - "CWE-319: Cleartext Transmission of Sensitive Information"
      references:
        - https://docs.python.org/3/library/urllib.request.html#urllib.request.Request
      category: security
      technology:
        - urllib
      subcategory:
        - audit
      likelihood: LOW
      impact: LOW
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Mishandled Sensitive Information
    severity: WARNING
    languages:
      - python
    fix-regex:
      regex: "[Hh][Tt][Tt][Pp]://"
      replacement: https://
      count: 1
    pattern-either:
      - pattern: urllib.request.Request("=~/[Hh][Tt][Tt][Pp]://.*/", ...)
      - pattern: |
          $URL = "=~/[Hh][Tt][Tt][Pp]://.*/"
          ...
          urllib.request.Request($URL, ...)
      - pattern: |
          def $FUNC(..., $URL = "=~/[Hh][Tt][Tt][Pp]://.*/", ...):
            ...
            urllib.request.Request($URL, ...)