damccorm opened a new issue, #21020:
URL: https://github.com/apache/beam/issues/21020
grpc-testing includes potential security flaws as flagged by Veracode within
TestUtils.java
Selection of Less-Secure Algorithm During Negotiation ('Algorithm
Downgrade') (CWE ID 757)
Description
A protocol or its implementation supports interaction between multiple
actors and allows those actors to negotiate which algorithm should be used as a
protection mechanism such as encryption or authentication, but it does not
select the strongest algorithm that is available to both parties.
Effort to Fix: 1 - Trivial implementation error. Fix is up to 5 lines of
code. One hour or less to fix.
Recommendations
Do not support SSLv2 or weak SSL/TLS ciphers (i.e. 56-bit key length or
less, or other inherent weaknesses).
org/apache/beam/vendor/grpc/v1p36p0/io/grpc/testing/TestUtils.java#136
org/apache/beam/vendor/grpc/v1p36p0/io/grpc/internal/testing/TestUtils.java#231
Moving grpc-testing to its own vendored library that can only be brought in
at the test scope would address these security issues. Alternatively, fix the
upstream implementations by removing the code.
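The recommendation above is "do not support SSLv2 or weak ciphers". The hardened pattern for a Java test helper is to pin the protocol versions and filter the JVM's cipher suites through an explicit allowlist, failing closed rather than inheriting defaults. The following is an added illustration, not the vendored gRPC TestUtils code; the class name StrictTlsConfig and the allowlist contents are assumptions for this example.

```java
import java.security.GeneralSecurityException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;

/** Hypothetical hardened test helper; not the vendored gRPC TestUtils. */
public final class StrictTlsConfig {
  // Pinned protocol versions: SSLv2/SSLv3/TLS 1.0/1.1 are never offered.
  static final List<String> ALLOWED_PROTOCOLS = Arrays.asList("TLSv1.3", "TLSv1.2");

  // Allowlist of forward-secret AEAD suites (assumed policy for this example).
  static final List<String> ALLOWED_SUITES = Arrays.asList(
      "TLS_AES_256_GCM_SHA384", "TLS_AES_128_GCM_SHA256", "TLS_CHACHA20_POLY1305_SHA256",
      "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
      "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
      "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
      "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256");

  /** Keeps only the entries of {@code supported} that the allowlist permits; fails closed. */
  static String[] intersect(String[] supported, List<String> allowed, String what) {
    List<String> picked = new ArrayList<>();
    for (String s : supported) {
      if (allowed.contains(s)) {
        picked.add(s);
      }
    }
    if (picked.isEmpty()) {
      // Refuse to build an engine at all rather than silently fall back to JVM defaults.
      throw new IllegalStateException("JVM supports none of the allowed " + what);
    }
    return picked.toArray(new String[0]);
  }

  /** Builds an SSLEngine that can only negotiate the pinned protocols and suites. */
  static SSLEngine newEngine(boolean clientMode) throws GeneralSecurityException {
    SSLContext ctx = SSLContext.getInstance("TLS");
    ctx.init(null, null, null); // default key/trust material; a real test installs its own
    SSLEngine engine = ctx.createSSLEngine();
    engine.setUseClientMode(clientMode);
    SSLParameters params = engine.getSSLParameters();
    params.setProtocols(intersect(engine.getSupportedProtocols(), ALLOWED_PROTOCOLS, "protocols"));
    params.setCipherSuites(intersect(engine.getSupportedCipherSuites(), ALLOWED_SUITES, "cipher suites"));
    engine.setSSLParameters(params);
    return engine;
  }
}
```

Because both the client and server engines are built the same way, neither side can be talked down to a protocol or suite outside the allowlist, which is the downgrade condition CWE-757 describes.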
Imported from Jira
[BEAM-12833](https://issues.apache.org/jira/browse/BEAM-12833). Original Jira
may contain additional context.
Reported by: lcwik.