Open lupingzhu opened 6 years ago
Still reported an issue as of 3.0.8.
I'm a bit on the fence about this one; part of me thinks it's perfectly reasonable for an application to use the certificate authorities of the host; it's the job of the host to not trust compromised certificate authorities (depending on how you're running the app).
It does however make any code generated using swagger-codegen appear to contain critical vulnerabilities in Fortify, which makes for some awkward conversations with security teams.
Description
[JAVA][ApiClient.java]: Insecure SSL: Overly Broad Certificate Trust
A critical issue was discovered by Fortify in ApiClient.java generated by swagger-codegen:
An SSL/TLS connection is created using the default pre-loaded system Certificate Authorities (CAs), which may allow attackers to intercept encrypted communications by performing man-in-the-middle (MiTM) attacks using certificates signed with compromised root CAs.
Swagger-codegen version
2.3.1
Swagger declaration file content or url
Command line used for generation
swagger-codegen generate
Steps to reproduce
Scan the generated code using Fortify.
Related issues/PRs
NA
Suggest a fix/enhancement
NA
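For teams that decide the Fortify finding is worth addressing rather than accepting, the remedy is to hand the HTTP client a trust manager built from an application-owned CA bundle instead of the JVM's default cacerts. The following is an added example, not swagger-codegen's generated ApiClient code; the class name, the `config/api-ca.pem` path and the file format (PEM, one or more CA certificates) are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.util.Collection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public final class PinnedTrust {
    /** Trust manager that accepts only chains ending in a CA read from the PEM stream. */
    public static X509TrustManager trustManagerFor(InputStream pem) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Collection<? extends Certificate> cas = cf.generateCertificates(pem);
        if (cas.isEmpty()) {
            // An empty store would silently reject every peer; fail loudly at startup instead.
            throw new IllegalArgumentException("no certificates found in CA bundle");
        }
        // Fresh, empty in-memory key store: nothing from the system store leaks in.
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null);
        int i = 0;
        for (Certificate ca : cas) {
            ks.setCertificateEntry("ca" + (i++), ca);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    /** SSLContext that trusts only the given manager; hostname verification stays with the client. */
    public static SSLContext sslContextFor(X509TrustManager tm) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { tm }, null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Placeholder path: the CA bundle shipped with the application, not the host's cacerts.
        try (InputStream pem = new FileInputStream(args.length > 0 ? args[0] : "config/api-ca.pem")) {
            X509TrustManager tm = trustManagerFor(pem);
            SSLContext ctx = sslContextFor(tm);
            // Pass ctx.getSocketFactory() and tm to the HTTP client the generated ApiClient uses.
            System.out.println("Trusting " + tm.getAcceptedIssuers().length + " issuer(s) only");
        }
    }
}
```

Narrowing the trust store does not replace hostname verification, and the bundled CA must be rotated by the application when it expires, which is the operational cost the comment above weighs against simply trusting the host's CAs.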