Custom Fortify SCA rules to detect common JSSE certificate validation flaws
GDSSecurity/JSSE_Fortify_SCA_Rules

JSSE_Fortify_SCA_Rules

These rules identify certificate validation issues in code that relies on JSSE (javax.net.ssl) or Apache HttpClient, since both are widely used TLS libraries in thick clients and Android apps. Each rule flags a pattern that either disables part of the TLS server check (trust chain or hostname) or replaces a default check with custom code that has to be reviewed by hand.

-Over-Permissive Hostname Verifier: the rule fires when the code declares a HostnameVerifier whose verify() method always returns true. Such a verifier accepts any certificate for any host, so a valid certificate for attacker.example will be accepted for the intended server.

-Over-Permissive Trust Manager: the rule fires when the code declares a TrustManager (in practice an X509TrustManager) whose checkServerTrusted()/checkClientTrusted() never throw a CertificateException. Throwing that exception is the only way the API signals an untrusted chain; a method body that is empty or only logs accepts every certificate, including self-signed ones.

-Missing Hostname Verification: the rule fires when the code uses the low-level SSLSocket API without a HostnameVerifier. Unlike HttpsURLConnection, SSLSocket validates the certificate chain but does not compare the certificate to the host name unless the caller does so (or, on Java 7 and later, enables endpoint identification through SSLParameters). As described here the rule keys on the presence of a HostnameVerifier, so code that relies on SSLParameters instead should be checked manually.

-Often Misused: Custom HostnameVerifier: the rule fires when the code uses the high-level HttpsURLConnection API and installs a custom HostnameVerifier (setHostnameVerifier or setDefaultHostnameVerifier). The default verifier is correct for HTTPS; a replacement is a finding for manual review, since it is the usual place where verification is weakened.

-Often Misused: Custom SSLSocketFactory: the rule fires when the code uses the high-level HttpsURLConnection API and installs a custom SSLSocketFactory (setSSLSocketFactory or setDefaultSSLSocketFactory). A custom factory usually carries a custom SSLContext and TrustManager, so the reviewer should trace which trust managers went into SSLContext.init().
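The following is an added example, not code from this repository, written to show one pattern that triggers each of the five rules above next to the hardened form a reviewer would expect instead. The host name and port, the "private-ca" alias and the method names are assumptions made for illustration; nothing here is part of the Fortify rule pack.

```java
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Example (assumed names): patterns the rules fire on, beside hardened forms.
public class JsseRuleExamples {

    // Rule 1, Over-Permissive Hostname Verifier: verify() always returns true.
    static final HostnameVerifier ACCEPT_ALL_HOSTS = (hostname, session) -> true;

    // Rule 2, Over-Permissive Trust Manager: neither check method ever throws
    // CertificateException, so every chain (self-signed included) is trusted.
    static final X509TrustManager ACCEPT_ALL_CERTS = new X509TrustManager() {
        public void checkClientTrusted(X509Certificate[] chain, String authType) { }
        public void checkServerTrusted(X509Certificate[] chain, String authType) { }
        public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    };

    // Rule 3, Missing Hostname Verification: SSLSocket validates the chain but
    // never compares the certificate to "host"; no HostnameVerifier is consulted.
    static void rawSocketNoHostnameCheck(String host, int port) throws IOException {
        SSLSocketFactory f = (SSLSocketFactory) SSLSocketFactory.getDefault();
        try (SSLSocket s = (SSLSocket) f.createSocket(host, port)) {
            s.startHandshake();
        }
    }

    // Hardened form of rule 3: run the default HTTPS HostnameVerifier on the
    // session after the handshake and fail closed on mismatch.
    static void rawSocketWithHostnameCheck(String host, int port) throws IOException {
        SSLSocketFactory f = (SSLSocketFactory) SSLSocketFactory.getDefault();
        try (SSLSocket s = (SSLSocket) f.createSocket(host, port)) {
            // Java 7+: also enable endpoint identification so the JSSE engine
            // itself rejects a hostname mismatch during the handshake.
            SSLParameters p = s.getSSLParameters();
            p.setEndpointIdentificationAlgorithm("HTTPS");
            s.setSSLParameters(p);
            s.startHandshake();
            HostnameVerifier hv = HttpsURLConnection.getDefaultHostnameVerifier();
            if (!hv.verify(host, s.getSession())) {
                throw new IOException("certificate does not match host " + host);
            }
        }
    }

    // Rules 4 and 5, Often Misused: custom SSLSocketFactory and HostnameVerifier
    // installed on HttpsURLConnection; here both disable validation entirely.
    static HttpsURLConnection openWithValidationDisabled(URL url) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { ACCEPT_ALL_CERTS }, null);
        HttpsURLConnection c = (HttpsURLConnection) url.openConnection();
        c.setSSLSocketFactory(ctx.getSocketFactory()); // fires Custom SSLSocketFactory
        c.setHostnameVerifier(ACCEPT_ALL_HOSTS);       // fires Custom HostnameVerifier
        return c;
    }

    // Legitimate custom factory: trust one private CA (PEM/DER stream, assumed
    // supplied by the caller) through the platform TrustManagerFactory, which
    // still performs full chain validation and throws CertificateException.
    static SSLSocketFactory factoryTrustingPrivateCa(InputStream caCert) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null);
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        ks.setCertificateEntry("private-ca", cf.generateCertificate(caCert));
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx.getSocketFactory();
    }

    // Hardened form of rules 4 and 5: custom factory with a real trust store,
    // default HostnameVerifier left in place. Rule 5 still fires; the reviewer
    // traces the factory back to factoryTrustingPrivateCa and closes it.
    static HttpsURLConnection openWithPrivateCa(URL url, InputStream caCert) throws Exception {
        HttpsURLConnection c = (HttpsURLConnection) url.openConnection();
        c.setSSLSocketFactory(factoryTrustingPrivateCa(caCert));
        return c;
    }
}
```

When triaging the two "Often Misused" findings, the question to answer is whether the custom objects still reach the platform's checks: a TrustManager obtained from TrustManagerFactory and an untouched default HostnameVerifier are fine, whereas an anonymous X509TrustManager with empty bodies or a lambda returning true is a real vulnerability.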
