colleend.insecure-transport-javaspring

Community Favorite

r2c

Author

494

Download Count*

LGPL Commons Clause

License

Rule pack for detecting insecure transport in java spring.

Run Locally

Rules (3)

problem-based-packs.insecure-transport.java-spring.bypass-tls-verification.bypass-tls-verification

semgrep

java

Checks for redefinitions of functions that check TLS/SSL certificate verification. This can lead to vulnerabilities, as simple errors in the code can result in lack of proper certificate validation. This should only be used for debugging purposes because it leads to vulnerability to MTM attacks.

problem-based-packs.insecure-transport.java-spring.spring-ftp-request.spring-ftp-request

semgrep

java

Checks for outgoing connections to ftp servers via Spring plugin ftpSessionFactory. FTP does not encrypt traffic, possibly leading to PII being sent plaintext over the network.

problem-based-packs.insecure-transport.java-spring.spring-http-request.spring-http-request

semgrep

java

Checks for requests sent via Java Spring RestTemplate API to http:// URLS. This is dangerous because the server is attempting to connect to a website that does not encrypt traffic with TLS. Instead, send requests only to https:// URLS.