Java


JAVA.INSEC.HVU : Use of Insecure verify for Hostname (Java)

Summary

A hostname verification method always returns true.

A method is considered to perform hostname verification if it's annotated with @com.juliasoft.julia.checkers.unsafeConnection.VerifiesHostname.

Properties

Class Name: Use of Insecure verify for Hostname (Java)
Significance: security
Mnemonic: JAVA.INSEC.HVU
Categories:
CWE: CWE:287 Improper Authentication
Availability: Available for Java only.

Android Only. Warnings of this class will only be reported in Android code: that is, code that uses the Android API.

Enabling Checks for this warning class are enabled by default. To disable them, add the following WARNING_FILTER rule to the project configuration file.
WARNING_FILTER += discard class="Use of Insecure verify for Hostname (Java)"

Example

// AuthenticationVerification.java
package com.juliasoft.julia.tests.checks.unsafeConnection;

import java.io.IOException;
import java.net.InetAddress;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;

import javax.net.SocketFactory;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLSession;
import javax.net.ssl.X509TrustManager;

import android.net.SSLCertificateSocketFactory;
import android.net.SSLSessionCache;

public class AuthenticationVerification {
  public static void verifier(String hostname, SSLSession session) {
      new HostnameVerifier() {
          @Override
          public boolean verify(String hostname, SSLSession session) {
              return true;                            /* Use of Insecure verify for Hostname (Java) warning issued here 
                                                       * - CodeSonar treats HostnameVerifier.verify() method
                                                       *   as annotated with @VerifiesHostname, but here it always returns true
                                                       */
          }
      }.verify(hostname, session);                    /* Insecure verifier Override for Hostname (Java) warning issued here 
                                                       * - invocation of verify() method that always returns true
                                                       */
  }

  public static void manager(X509Certificate[] serverChain, X509Certificate[] clientChain, String authType) throws CertificateException {
      new X509TrustManager() {
          @Override
          public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
                                                      /* Use of Insecure verify for Certificate (Java) warning issued here
                                                       * - CodeSonar treats X509TrustManager.checkClientTrusted()
                                                       *   as annotated with @ChecksPrincipalTrust, but here it never throws CertificateException
                                                       */
          }

          @Override
          public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
                                                      /* Use of Insecure verify for Certificate (Java) warning issued here
                                                       * - CodeSonar treats X509TrustManager.checkServerTrusted()
                                                       *   as annotated with @ChecksPrincipalTrust, but here it never throws CertificateException
                                                       */
          }

          @Override
          public X509Certificate[] getAcceptedIssuers() {
              return new X509Certificate[0];
          }
      }.checkServerTrusted(serverChain, authType);    /* Insecure verifier Override for Certificate (Java) warning issued here 
                                                       * - invocation of checkServerTrusted() method that never throws CertificateException
                                                       */
  }

  public static void sockets(SSLSessionCache cache) throws IOException {
      SocketFactory factory = SSLCertificateSocketFactory.getInsecure(100, cache); /* Insecure Socket Factory (Java) warning issued here 
                                                       * - CodeSonar treats SSLCertificateSocketFactory.getInsecure()
                                                       *   as annotated with @YieldsInsecureSSLSocketFactory
                                                       */
      InetAddress addr = InetAddress.getByName("www.juliasoft.com");
      factory.createSocket(addr, 100);                /* Untrusted Network Host (Java) warning issued here 
                                                       * - CodeSonar treats the first parameter to SocketFactory.createSocket()
                                                       *   as annotated with @HostnameToBeVerified, but verification is not performed on addr here 
                                                       */
  }
}
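The following is an added example, not part of the CodeSonar documentation or its test suite: the secure counterpart of the verifier above, written so that verify() can actually return false. It assumes the Android platform, where the verifier returned by HttpsURLConnection.getDefaultHostnameVerifier() performs certificate name matching (on a desktop JDK that default verifier rejects everything and name checking is instead done during the handshake via the endpoint identification algorithm); the host allowlist values are constructed sample data.

```java
// HardenedHostnameVerification.java (added example, not from the CodeSonar page)
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLSession;

public class HardenedHostnameVerification {

    // Hosts the application is written to contact (constructed sample values).
    private static final Set<String> EXPECTED_HOSTS = Collections.unmodifiableSet(
            new HashSet<>(Arrays.asList("api.example.com", "cdn.example.com")));

    /**
     * A verifier that never short-circuits to true. It first delegates to the
     * platform default verifier, which matches the requested hostname against
     * the peer certificate's subject alternative names, and then applies an
     * application-level allowlist as defense in depth.
     */
    public static final class AllowlistHostnameVerifier implements HostnameVerifier {
        // Captured once so a later setDefaultHostnameVerifier() call cannot replace it.
        private final HostnameVerifier platformVerifier =
                HttpsURLConnection.getDefaultHostnameVerifier();

        @Override
        public boolean verify(String hostname, SSLSession session) {
            if (hostname == null || session == null) {
                return false; // nothing to verify against: fail closed
            }
            // Certificate name matching is done by the platform verifier.
            if (!platformVerifier.verify(hostname, session)) {
                return false;
            }
            // Even a valid certificate for an unexpected host is rejected.
            return EXPECTED_HOSTS.contains(hostname.toLowerCase(Locale.ROOT));
        }
    }

    /** Installs the verifier for every HttpsURLConnection created afterwards. */
    public static void install() {
        HttpsURLConnection.setDefaultHostnameVerifier(new AllowlistHostnameVerifier());
    }
}
```

Because verify() has paths that return false, the method is no longer a constant-true verifier, which is the condition this warning class reports.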

Relevant Configuration File Parameters

The following configuration file parameters affect checks for this warning class.