Usage of naive Socket class to create SSL Socket

Description

Using the naive Socket class to create SSL sockets compromises security. A socket created directly with new Socket() is a plain java.net.Socket and has none of the security features provided by SSLSocketFactory. SSLSocketFactory is designed for the SSL/TLS protocols, offering encryption, hostname verification, and trust manager configuration, which makes it the more secure option for creating SSL sockets.

Remediations

  • Do not use the java.net.Socket constructor (init) to create SSL sockets directly, because of its limited security capabilities.
  • Do use SSLSocketFactory to create SSL sockets. This ensures the use of SSL/TLS protocols and gives access to the other security enhancements. The layered overload below wraps an existing plain socket in TLS (autoClose=true closes the underlying socket with the SSL socket):
    Socket plain = new Socket(host, port);
    SSLSocketFactory sslSocketFactory = (SSLSocketFactory) SSLSocketFactory.getDefault();
    SSLSocket sslSocket = (SSLSocket) sslSocketFactory.createSocket(plain, host, port, true);
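A fuller version of the remediation, written here as an added example and not taken from the rule or from Bearer's own code: the flagged plain-socket form beside a hardened client that obtains its SSLSocketFactory from the default SSLContext, turns on hostname verification (off by default for a raw SSLSocket), restricts the protocol versions, and forces the handshake so certificate errors surface immediately. It connects to the host and port given on the command line; the example.com default is a placeholder.

```java
import java.io.IOException;
import java.net.Socket;
import java.security.NoSuchAlgorithmException;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

public final class TlsClient {

    // Pattern flagged by java_lang_socket_init: a plain TCP socket, no TLS at all.
    static Socket naive(String host, int port) throws IOException {
        return new Socket(host, port);
    }

    // Remediated pattern: the default SSLContext (platform trust store) provides the
    // SSLSocketFactory; the socket is then tightened before the handshake runs.
    static SSLSocket secure(String host, int port) throws IOException {
        SSLSocketFactory factory;
        try {
            factory = SSLContext.getDefault().getSocketFactory();
        } catch (NoSuchAlgorithmException e) {
            throw new IOException("no default TLS context available", e);
        }
        SSLSocket socket = (SSLSocket) factory.createSocket(host, port);
        SSLParameters params = socket.getSSLParameters();
        // A raw SSLSocket validates the certificate chain but does NOT check that the
        // certificate matches the host; "HTTPS" enables that check (RFC 2818 rules).
        params.setEndpointIdentificationAlgorithm("HTTPS");
        // Limit negotiation to current protocol versions (an extra hardening step).
        params.setProtocols(new String[] {"TLSv1.3", "TLSv1.2"});
        socket.setSSLParameters(params);
        // Handshake now: chain or hostname failures throw SSLHandshakeException here
        // rather than on the first read or write.
        socket.startHandshake();
        return socket;
    }

    public static void main(String[] args) throws IOException {
        String host = args.length > 0 ? args[0] : "example.com"; // placeholder host
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 443;
        try (SSLSocket s = secure(host, port)) {
            System.out.println("negotiated " + s.getSession().getProtocol()
                + " with " + s.getSession().getPeerPrincipal());
        }
    }
}
```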

Configuration

To skip this rule during a scan, use the following flag:

bearer scan /path/to/your-project/ --skip-rule=java_lang_socket_init

To run only this rule during a scan, use the following flag:

bearer scan /path/to/your-project/ --only-rule=java_lang_socket_init