Typically, in our situation we use https, and org.apache.http.conn.routing.HttpRoute and org.apache.hc.client5.http.HttpRoute both default to http. Make the security explicit by requiring a version of the constructor which has the secure boolean.
If we can determine that https was (highly likely) intended to be used, by use of org.apache.http.conn.ssl.SSLConnectionSocketFactory or org.apache.hc.core5.http.nio.ssl.BasicClientTlsStrategy, org.apache.hc.core5.ssl.SSLContextBuilder, or javax.net.ssl.SSLContext, then this would be a BLOCKER.
So, one rule for expressing it explicitly for clarity and preventing a possible bug, and one for a likely bug.
Probably, this can be a combined rule for version 4 and 5.
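A rough sketch of the two proposed checks as a text-level scanner, added here as an illustration; it is not part of the original request and not an existing rule. The function names, the "WARNING" level for the non-blocker case, matching the TLS types by simple class name, and the assumption that every constructor overload with the secure boolean takes at least three arguments are all assumptions of this sketch.

```python
import re

# Simple names of the TLS types listed in the issue (heuristic match).
TLS_HINT = re.compile(
    r"\b(SSLConnectionSocketFactory|BasicClientTlsStrategy|"
    r"SSLContextBuilder|SSLContext)\b")
ROUTE_CTOR = re.compile(r"\bnew\s+HttpRoute\s*\(")


def count_args(src, start):
    """Count top-level arguments of a call; start is just past its '('."""
    depth, commas, seen = 1, 0, False
    for ch in src[start:]:
        if ch in "([{":
            depth += 1
        elif ch in ")]}":
            depth -= 1
            if depth == 0:
                return commas + 1 if seen else 0
        elif ch == "," and depth == 1:
            commas += 1
        if not ch.isspace():
            seen = True
    return None  # unbalanced input: give up rather than guess


def check(java_source):
    """Return (line, severity) for HttpRoute constructors without `secure`."""
    # Assumption: every overload that takes `secure` has at least 3 arguments.
    severity = "BLOCKER" if TLS_HINT.search(java_source) else "WARNING"
    findings = []
    for m in ROUTE_CTOR.finditer(java_source):
        n = count_args(java_source, m.end())
        if n is not None and n < 3:
            line = java_source.count("\n", 0, m.start()) + 1
            findings.append((line, severity))
    return findings


# Constructed sample input, not taken from any real code base.
SAMPLE = '''\
import javax.net.ssl.SSLContext;
import org.apache.http.HttpHost;
import org.apache.http.conn.routing.HttpRoute;

class Pool {
    HttpRoute bad = new HttpRoute(new HttpHost("api.example.com", 443));
    HttpRoute ok = new HttpRoute(new HttpHost("api.example.com", 443, "https"), null, true);
}
'''
```

The scanner does not parse string literals, so a parenthesis or comma inside a quoted argument would skew the count; an AST-based rule would not have that limitation.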