Missing or permissive SSL hostname verifier

Description

It is best security practice to always verify the hostname when establishing an SSL/TLS connection. Failure to do so puts your application at risk of man-in-the-middle attacks.

Remediations

❌ Do not use ALLOW_ALL_HOSTNAME_VERIFIER or similar permissive verifiers
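The flagged pattern beside its remediated form, as an added example using the JDK's `HttpsURLConnection` (not Bearer's own code); the class and method names and the sample URL are assumptions for illustration:

```java
import java.io.IOException;
import java.net.URL;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;

public class HostnameVerifierExample {

    /** Flagged pattern: the JDK consults a custom HostnameVerifier only after its
     *  built-in check of the URL host against the certificate has already failed,
     *  so a verifier that always returns true silently accepts a mismatched
     *  certificate. Same effect as Apache HttpClient's ALLOW_ALL_HOSTNAME_VERIFIER. */
    static int permissiveConnect(URL url) throws IOException {
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        HostnameVerifier allowAll = (hostname, session) -> true;  // accepts any host
        conn.setHostnameVerifier(allowAll);
        return conn.getResponseCode();
    }

    /** Remediated pattern: do not override the verifier. The built-in check compares
     *  the URL host with the certificate's subject alternative names, and on a
     *  mismatch the default verifier rejects the connection with an IOException. */
    static int verifiedConnect(URL url) throws IOException {
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        return conn.getResponseCode();
    }

    public static void main(String[] args) throws IOException {
        URL url = new URL("https://example.com/");  // constructed sample endpoint
        System.out.println("Default hostname verification: HTTP " + verifiedConnect(url));
    }
}
```

For Apache HttpClient 4.4+, the equivalent remediation is to pass `new DefaultHostnameVerifier()` to `SSLConnectionSocketFactory` instead of `ALLOW_ALL_HOSTNAME_VERIFIER` or `NoopHostnameVerifier`.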

Associated CWE

OWASP Top 10

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=java_lang_ssl_hostname_verifier

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=java_lang_ssl_hostname_verifier