TrustManagerFactory relies on default

I am reaching out to you as we conducted an empirical study to understand the nature of cryptographic misuses in enterprise-driven projects on GitHub. During our study, we randomly inspected a few of the misuses. One of the misuses for which we could confirm the finding of the analysis, [CogniCryptSAST](https://github.com/CROSSINGTUD/CryptoAnalysis) is within this project.

- [HttpClientInit](https://github.com/metamx/java-util/blob/master/src/main/java/com/metamx/http/client/HttpClientInit.java#L143): The implementation in line 143 calls the method `TrustManagerFactory.getDefaultAlgorithm()` that relies on defaults and can be altered at runtime [JCA](https://docs.oracle.com/javase/8/docs/api/javax/net/ssl/TrustManagerFactory.html#getDefaultAlgorithm--). Thus, analyses like CogniCryptSAST consider these usages as insecure as the used TrustManager may be insecure. 

We hope that this report helps you and would be glad to get your thoughts on this issue.


Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

TrustManagerFactory relies on default #91

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

TrustManagerFactory relies on default #91

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions