andrewmusselman opened a new issue, #548:
URL: https://github.com/apache/tooling-trusted-releases/issues/548
## Summary
Multiple files use `aiohttp.ClientSession()` without explicit SSL/TLS
configuration, relying on library defaults.
## ASVS Requirements
- 9.1.1, 9.1.2 - TLS certificate verification
## Related Audit Reports
- [Universal Spoofing #401](ASVS/universal-spoofing-401.md) - Sections 2, 3
- [External Access #400](ASVS/external-access-400.md) - Section 14.2.1
## Affected Files
- `atr/datasources/apache.py`
- `atr/sbom/osv.py`
- `atr/sbom/utilities.py`
- `atr/sbom/conformance.py`
- `atr/admin/__init__.py`
- `atr/storage/writers/distributions.py`
- `atr/post/keys.py`
- `atr/util.py`
- `atr/jwtoken.py`
## Recommended Fix
```python
# atr/util.py - add centralized client
import ssl

import aiohttp


def create_secure_ssl_context() -> ssl.SSLContext:
    # create_default_context() already loads the system trust store;
    # the explicit settings below make the verification policy visible
    # and independent of library defaults.
    context = ssl.create_default_context()
    context.check_hostname = True
    context.verify_mode = ssl.CERT_REQUIRED
    context.minimum_version = ssl.TLSVersion.TLSv1_2
    return context


def create_secure_session() -> aiohttp.ClientSession:
    # Every session built here shares the same hardened TLS policy.
    connector = aiohttp.TCPConnector(ssl=create_secure_ssl_context())
    return aiohttp.ClientSession(connector=connector)
```
## Acceptance Criteria
- [ ] Centralized `create_secure_session()` utility created
- [ ] All aiohttp usage updated to use secure session
- [ ] TLS failures logged for security monitoring
- [ ] Minimum TLS 1.2 enforced
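An added example (not part of the issue or the project code): a small audit helper that checks an `ssl.SSLContext` against the three criteria above (certificate verification, hostname checking, TLS 1.2 minimum), run against the hardened context from the recommended fix and against a constructed weakened context of the kind an unconfigured session could end up with. Function names are hypothetical; only the standard library is used.

```python
import ssl

# Added example: audit an SSLContext against this issue's acceptance criteria.
# Only the standard library is used, so it runs without aiohttp installed.


def hardened_context() -> ssl.SSLContext:
    """Build the client context proposed in the recommended fix."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def weakened_context() -> ssl.SSLContext:
    """Constructed counter-example: a context that skips verification."""
    ctx = ssl.create_default_context()
    # check_hostname must be turned off before verify_mode may become CERT_NONE,
    # otherwise the ssl module raises ValueError.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def audit_ssl_context(ctx: ssl.SSLContext) -> list[str]:
    """Return one finding per acceptance criterion the context fails."""
    findings: list[str] = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: server certificates are not validated")
    if not ctx.check_hostname:
        findings.append("check_hostname is False: a valid certificate for any host is accepted")
    # TLSVersion is an IntEnum, so protocol versions compare numerically.
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(f"minimum_version is {ctx.minimum_version.name}: TLS 1.2 is not enforced")
    return findings


if __name__ == "__main__":
    for name, ctx in (("hardened", hardened_context()), ("weakened", weakened_context())):
        print(name, audit_ssl_context(ctx) or ["ok"])
```

The same helper can be pointed at the connector's context in a unit test so that a regression to library defaults in any of the affected files fails CI rather than going unnoticed.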
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]