Open dmytroKarataiev opened 2 years ago
After upgrading the Android Link SDK from 3.6.0 to 3.6.1, and with the latest 3.10.1, upon executing the Gradle lintProductionRelease task, we also encountered the following error:
/home/runner/work/android/android/app/org/bouncycastle/est/jcajce/JcaJceUtils$1.class: Error: checkClientTrusted is empty, which could cause insecure network traffic due to trusting arbitrary TLS/SSL certificates presented by peers [TrustAllX509TrustManager]
/home/runner/work/android/android/app/org/bouncycastle/est/jcajce/JcaJceUtils$1.class: Error: checkServerTrusted is empty, which could cause insecure network traffic due to trusting arbitrary TLS/SSL certificates presented by peers [TrustAllX509TrustManager]
/home/runner/work/android/android/app/org/bouncycastle/est/jcajce/JcaJceUtils$2.class: Error: checkClientTrusted is empty, which could cause insecure network traffic due to trusting arbitrary TLS/SSL certificates presented by peers [TrustAllX509TrustManager]
Explanation for issues of type "TrustAllX509TrustManager":
This check looks for X509TrustManager implementations whose
checkServerTrusted or checkClientTrusted methods do nothing (thus trusting
any certificate chain) which could result in insecure network traffic
caused by trusting arbitrary TLS/SSL certificates presented by peers.
Run lintRelease or lintProductionRelease Gradle task
Same as comment above, no lint error
It looks like an issue has been filed in the Bouncy Castle repo as well since the error points to JcaJceUtils
Still seeing this issue. Is there any update here?
Any update?
The problem
Lint complains about the dependency from the plaid library:
../../org/bouncycastle/est/jcajce/JcaJceUtils%241.class: checkClientTrusted is empty, which could cause insecure network traffic due to trusting arbitrary TLS/SSL certificates presented by peers
../../org/bouncycastle/est/jcajce/JcaJceUtils%241.class: checkServerTrusted is empty, which could cause insecure network traffic due to trusting arbitrary TLS/SSL certificates presented by peers
../../org/bouncycastle/est/jcajce/JcaJceUtils%242.class: checkClientTrusted is empty, which could cause insecure network traffic due to trusting arbitrary TLS/SSL certificates presented by peers
This check looks for X509TrustManager implementations whose checkServerTrusted or checkClientTrusted methods do nothing (thus trusting any certificate chain) which could result in insecure network traffic caused by trusting arbitrary TLS/SSL certificates presented by peers. To suppress this error, use the issue id "TrustAllX509TrustManager" as explained in the Suppressing Warnings and Errors section.
Steps to Reproduce
On all the recent Plaid versions, run a lint check and it will raise this lint issue.
Expected Result
No lint issue raised.