bitfireAT/icsx5

Fix code scanning alert - `TrustManager` that accepts all certificates

Closed this issue · 3 comments

@rfc2822 @sunkup can you take a look at this? I think it's a false positive; we are filtering and throwing `CertificateException`.

Yes, it's a false positive, probably because our `CustomCertManager`'s `checkServerTrusted` doesn't throw `CertificateException` directly, but calls `checkCustomTrusted`, which throws the exception.

However, the design of `checkServerTrusted` and `checkCustomTrusted` should be improved by bitfireAT/cert4android#12 when we don't need those AIDL callbacks anymore.

Then I think this can be closed 😉
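
The shape discussed in this thread, as an added example that is not code from icsx5 or cert4android: a trust manager whose `checkServerTrusted` contains no `throw` of its own, yet still rejects untrusted chains through a helper. The class name `DelegatingTrustManager` and the `isExplicitlyTrusted` callback are hypothetical; only the method names `checkServerTrusted` and `checkCustomTrusted` come from the comments above.

```kotlin
import java.security.KeyStore
import java.security.cert.CertificateException
import java.security.cert.X509Certificate
import javax.net.ssl.TrustManagerFactory
import javax.net.ssl.X509TrustManager

// Hypothetical class for illustration; not cert4android's CustomCertManager.
class DelegatingTrustManager(
    // Hypothetical callback standing in for an explicit user/app trust decision.
    private val isExplicitlyTrusted: (X509Certificate) -> Boolean
) : X509TrustManager {

    // Platform default trust manager, consulted first.
    private val systemTrustManager: X509TrustManager =
        TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm())
            .apply { init(null as KeyStore?) }
            .trustManagers
            .filterIsInstance<X509TrustManager>()
            .first()

    override fun checkClientTrusted(chain: Array<X509Certificate>, authType: String) {
        throw CertificateException("Client certificates are not supported")
    }

    // No `throw` appears in this body: rejection happens in the helper it calls.
    override fun checkServerTrusted(chain: Array<X509Certificate>, authType: String) {
        if (!isSystemTrusted(chain, authType))
            checkCustomTrusted(chain)
    }

    // Converts the system verdict into a Boolean so the custom check can run next.
    private fun isSystemTrusted(chain: Array<X509Certificate>, authType: String): Boolean =
        try {
            systemTrustManager.checkServerTrusted(chain, authType)
            true
        } catch (e: CertificateException) {
            false
        }

    // The only place a server chain is actually rejected.
    @Throws(CertificateException::class)
    private fun checkCustomTrusted(chain: Array<X509Certificate>) {
        val leaf = chain.firstOrNull() ?: throw CertificateException("Empty certificate chain")
        if (!isExplicitlyTrusted(leaf))
            throw CertificateException("Certificate is neither system-trusted nor explicitly trusted")
    }

    override fun getAcceptedIssuers(): Array<X509Certificate> = systemTrustManager.acceptedIssuers
}
```

When dismissing an alert like this as a false positive, a unit test that passes an untrusted certificate with `isExplicitlyTrusted = { false }` and expects `CertificateException` documents the rejecting path independently of the scanner.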