Usage of naive Socket class to create SSL Socket

Description

When creating an SSL socket, it is better security practice to obtain it from an SSLSocketFactory than to construct a plain `new Socket()`. A java.net.Socket carries no TLS at all, so everything written to it travels in cleartext. SSLSocketFactory has built-in support for the SSL/TLS protocols and the related security controls: encryption of the connection, and the ability to configure trust managers (which CA certificates are accepted) and hostname verification (whether the peer certificate must match the host you intended to reach). Note that hostname verification is not enabled on a raw SSLSocket by default; it must be switched on through SSLParameters.

Remediations

❌ Where possible, avoid creating SSL sockets with the java.net.Socket constructor, as it provides no TLS support and no way to configure trust or hostname verification

✅ Prefer SSLSocketFactory methods to create SSL sockets, for example

  SSLSocketFactory sslSocketFactory = (SSLSocketFactory) SSLSocketFactory.getDefault();
  // createSocket(host, port) connects directly over TLS; the (Socket, host, port, autoClose) overload wraps an existing plain socket instead
  SSLSocket socket = (SSLSocket) sslSocketFactory.createSocket(host, port);
  socket.startHandshake();
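The following is an added example and not part of the original rule page or Bearer's code. It places the flagged pattern (a plain java.net.Socket) beside the preferred SSLSocketFactory form, and additionally enables the hostname verification and protocol restriction that an SSLSocket does not apply by default. The class name TlsClient and the host and port used in main are assumptions for illustration.

```java
import java.io.IOException;
import java.net.Socket;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

public class TlsClient {

    // Flagged pattern: a raw java.net.Socket performs no TLS handshake,
    // so anything written to it is sent in cleartext.
    static Socket insecureConnect(String host, int port) throws IOException {
        return new Socket(host, port);
    }

    // Preferred pattern: obtain the socket from an SSLSocketFactory, then
    // harden the parameters before the handshake runs.
    static SSLSocket secureConnect(String host, int port) throws Exception {
        // A context initialised with nulls uses the JVM's default trust managers
        // (the platform truststore), which is what SSLSocketFactory.getDefault() does too.
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, null, null);
        SSLSocketFactory factory = ctx.getSocketFactory();

        SSLSocket socket = (SSLSocket) factory.createSocket(host, port);

        SSLParameters params = socket.getSSLParameters();
        // SSLSocket does NOT check that the certificate matches the host by default.
        // "HTTPS" enables RFC 2818 style endpoint identification against the SAN/CN.
        params.setEndpointIdentificationAlgorithm("HTTPS");
        // Restrict to modern protocol versions; legacy TLS 1.0/1.1 are refused.
        params.setProtocols(new String[] {"TLSv1.3", "TLSv1.2"});
        socket.setSSLParameters(params);

        // Forces the handshake now rather than on first read/write, so an untrusted
        // certificate or hostname mismatch surfaces here as an SSLHandshakeException.
        socket.startHandshake();
        return socket;
    }

    public static void main(String[] args) throws Exception {
        // Assumed target for the demonstration; pass host and port on the command line to override.
        String host = args.length > 0 ? args[0] : "example.com";
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 443;
        try (SSLSocket s = secureConnect(host, port)) {
            System.out.println("Negotiated " + s.getSession().getProtocol()
                    + " with peer " + s.getSession().getPeerPrincipal());
        }
    }
}
```

A quick way to confirm the verification is actually in force is to connect to a host whose certificate does not match the name you pass (for example by IP address instead of DNS name): secureConnect should fail with an SSLHandshakeException, whereas the same code without setEndpointIdentificationAlgorithm would silently succeed.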

References

Associated CWE

OWASP Top 10

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=java_lang_socket_init

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=java_lang_socket_init
