Closed pixeebot[bot] closed 3 months ago
Failed conditions
E Security Rating on New Code (required ≥ A)
B Maintainability Rating on New Code (required ≥ A)
See analysis details on SonarCloud
Catch issues before they fail your Quality Gate with our IDE extension SonarLint
I'm confident in this change, but I'm not a maintainer of this project. Do you see any reason not to merge it?
If this change was not helpful, or you have suggestions for improvements, please let me know!
Just a friendly ping to remind you about this change. If there are concerns about it, we'd love to hear about them!
Failed conditions
B Maintainability Rating on New Code (required ≥ A)
E Security Rating on New Code (required ≥ A)
See analysis details on SonarCloud
Catch issues before they fail your Quality Gate with our IDE extension SonarLint
This change may not be a priority right now, so I'll close it. If there was something I could have done better, please let me know!
You can also customize me to make sure I'm working with you in the way you want.
This change switches to Json Web Token (JWT) parsing APIs that perform signature validation.
Unfortunately the method names in JWT parsing with the
io.jsonwebtoken.jjwt
library don't convey the risk difference in usage. Although theparseClaimsJws()
andparseClaimsJwt()
methods perform signature validation, theparse()
method does not.Changing out these methods is easy and our changes look something like this:
More reading
* [https://codeql.github.com/codeql-query-help/java/java-missing-jwt-signature-check/](https://codeql.github.com/codeql-query-help/java/java-missing-jwt-signature-check/) * [https://cwe.mitre.org/data/definitions/347.html](https://cwe.mitre.org/data/definitions/347.html)I have additional improvements ready for this repo! If you want to see them, leave the comment:
... and I will open a new PR right away!
Powered by: pixeebot and CodeQL (codemod ID: codeql:java/missing-jwt-signature-check)