[
https://issues.apache.org/jira/browse/BEAM-12833?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17475939#comment-17475939
]
Kenneth Knowles commented on BEAM-12833:
----------------------------------------
Fixing upstream makes sense to me.
> grpc-testing should be decoupled from beam-vendor-grpc as a separate test
> only artifact
> ---------------------------------------------------------------------------------------
>
> Key: BEAM-12833
> URL: https://issues.apache.org/jira/browse/BEAM-12833
> Project: Beam
> Issue Type: Bug
> Components: sdk-java-core
> Reporter: Luke Cwik
> Priority: P3
>
> grpc-testing includes potential security flaws as flagged by veracode within
> TestUtils.java
> Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')
> (CWE ID 757)
> Description
> A protocol or its implementation supports interaction between multiple actors
> and allows those actors to negotiate which algorithm should be used as a
> protection mechanism such as encryption or authentication, but it does not
> select the strongest algorithm that is available to both parties.
> Effort to Fix: 1 - Trivial implementation error. Fix is up to 5 lines of
> code. One hour or less to fix.
> Recommendations
> Do not support SSLv2 or weak SSL/TLS ciphers (i.e. 56-bit key length or less,
> or other inherent weaknesses).
> org/apache/beam/vendor/grpc/v1p36p0/io/grpc/testing/TestUtils.java#136
> org/apache/beam/vendor/grpc/v1p36p0/io/grpc/internal/testing/TestUtils.java#231
> Moving grpc-testing to its own vendored library that can only be brought in
> at the test scope would address these security issues. Alternatively fix the
> upstream implementations removing the code.
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
