Open ahoang-splunk opened 1 year ago
Hi @ahoang-splunk ,
We replaced the `ssl._create_unverified_context()` using `ssl.create_default_context()` as suggested in the security warning, along with some other parameters needed to connect successfully with the Splunk server when SSL verification is not enabled. These changes did not raise any warning when we ran the security scan locally.
To ensure that it resolves the security warning, we request you to execute the security scan on your end using the modified code listed below and let us know if it still raises the security warning.
old code (splunklib/bindings.py):

```python
if not verify:
    # verification disabled: unverified context, flagged by the SAST scan
    kwargs['context'] = ssl._create_unverified_context()
elif context:
    # verify is True in elif branch and context is not None
    kwargs['context'] = context
```
new code:

```python
if not verify:
    # start from the default context, then disable hostname and certificate checks
    # (check_hostname must be cleared before verify_mode is set to CERT_NONE)
    ssl_ctx = ssl.create_default_context()
    ssl_ctx.check_hostname = False
    ssl_ctx.verify_mode = ssl.CERT_NONE
    kwargs['context'] = ssl_ctx
elif context:
    # verify is True in elif branch and context is not None
    kwargs['context'] = context
```
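To see what the change actually buys, the following added example (not part of the SDK or this thread) builds the old and new contexts side by side and inspects the two attributes that decide whether the peer is verified; it also includes a small guard, `require_verification`, which is an assumed helper name, that callers can use to refuse an unverified context.

```python
import ssl


def describe_context(ctx: ssl.SSLContext) -> dict:
    """Report the settings that decide whether a context verifies the peer."""
    return {
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": bool(ctx.check_hostname),
        # The peer is only verified when both the chain and the hostname are checked.
        "verifies_peer": ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname),
    }


def old_context() -> ssl.SSLContext:
    """The construct flagged by the SAST scan."""
    return ssl._create_unverified_context()


def new_context() -> ssl.SSLContext:
    """The replacement from the thread: default context with checks switched off."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # must be cleared first, or CERT_NONE raises ValueError
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def verified_context() -> ssl.SSLContext:
    """What callers get when verify=True and no custom context is supplied."""
    return ssl.create_default_context()


def require_verification(ctx: ssl.SSLContext) -> ssl.SSLContext:
    """Guard for callers that must never talk over an unverified TLS session."""
    info = describe_context(ctx)
    if not info["verifies_peer"]:
        raise ValueError(f"SSL context does not verify the peer: {info}")
    return ctx


if __name__ == "__main__":
    for name, ctx in (("old", old_context()), ("new", new_context()), ("verified", verified_context())):
        print(name, describe_context(ctx))
```

The old and new contexts report identical settings, so the rewrite removes the scanner finding without changing the connection's security posture; only the verify=True path yields a context that actually checks the server certificate.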
Describe the bug

I am using the latest SDK in the Mothership app (available on Splunkbase). I received an error when running a SAST scan flagging the use of `ssl._create_unverified_context` in splunklib/binding.py on line 1447. The scan gave this error and feedback: "Unverified SSL context detected. This will permit insecure connections without verifying SSL certificates. Use ssl.create_default_context() instead." Is this a valid security concern and if so, can the team implement the fix suggested in the comment above?