Closed pixeebot[bot] closed 1 week ago
Failed conditions
E Security Rating on New Code (required ≥ A)
B Maintainability Rating on New Code (required ≥ A)
See analysis details on SonarCloud
Catch issues before they fail your Quality Gate with our IDE extension SonarLint
I'm confident in this change, but I'm not a maintainer of this project. Do you see any reason not to merge it?
If this change was not helpful, or you have suggestions for improvements, please let me know!
Just a friendly ping to remind you about this change. If there are concerns about it, we'd love to hear about them!
This change may not be a priority right now, so I'll close it. If there was something I could have done better, please let me know!
You can also customize me to make sure I'm working with you in the way you want.
Remediation
This change fixes "Switch JWT calls to versions that enforce signature validity" (id = missing-jwt-signature-check) identified by CodeQL.
Details
This change switches to Json Web Token (JWT) parsing APIs that perform signature validation.
Unfortunately the method names in JWT parsing with the
io.jsonwebtoken.jjwt
library don't convey the risk difference in usage. Although theparseClaimsJws()
andparseClaimsJwt()
methods perform signature validation, theparse()
method does not.Changing out these methods is easy and our changes look something like this:
More reading
* [https://codeql.github.com/codeql-query-help/java/java-missing-jwt-signature-check/](https://codeql.github.com/codeql-query-help/java/java-missing-jwt-signature-check/) * [https://cwe.mitre.org/data/definitions/347.html](https://cwe.mitre.org/data/definitions/347.html)I have additional improvements ready for this repo! If you want to see them, leave the comment:
... and I will open a new PR right away!
🧚🤖 Powered by Pixeebot
Feedback | Community | Docs | Codemod ID: codeql:java/missing-jwt-signature-check