Luke Cwik created BEAM-12833:
--------------------------------
Summary: grpc-testing should be decoupled from beam-vendor-grpc as
a separate test only artifact
Key: BEAM-12833
URL: https://issues.apache.org/jira/browse/BEAM-12833
Project: Beam
Issue Type: Bug
Components: sdk-java-core
Reporter: Luke Cwik
grpc-testing includes potential security flaws as flagged by veracode within
TestUtils.java
Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')
(CWE ID 757)
Description
A protocol or its implementation supports interaction between multiple actors
and allows those actors to negotiate which algorithm should be used as a
protection mechanism such as encryption or authentication, but it does not
select the strongest algorithm that is available to both parties.
Effort to Fix: 1 - Trivial implementation error. Fix is up to 5 lines of code.
One hour or less to fix.
Recommendations
Do not support SSLv2 or weak SSL/TLS ciphers (i.e. 56-bit key length or less,
or other inherent weaknesses).
org/apache/beam/vendor/grpc/v1p36p0/io/grpc/testing/TestUtils.java#136
org/apache/beam/vendor/grpc/v1p36p0/io/grpc/internal/testing/TestUtils.java#231
Moving grpc-testing to its own vendored library that can only be brought in at
the test scope would address these security issues. Alternatively fix the
upstream implementations removing the code.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
