
The detection for insecure transport DS137138 returns false positives


This is regarding the message for insecure transport (HTTP)

https://github.com/Microsoft/DevSkim/blob/master/guidance/DS137138.md

This seems to come for any use of the word http, which might be too broad.

For example, in the popular JavaScript framework Angular (v2+), there’s a class called Http, which is an Http(s) AJAX client (a wrapper for browser AJAX / fetch functionality).

You’d inject this client in your code in a way a bit like this:


import { Injectable } from '@angular/core';
import { Http } from '@angular/http';

@Injectable()
export class SomeService {
    constructor(private http: Http) {
        // ...
    }
}

However, DevSkim does not like this. It shows the following message for the constructor line above:

[Devskim: Finding DS137138]
Insecure URL
Severity: [Moderate]

An HTTP-based URL without TLS was detected.

Fix Guidance: Update to an HTTPS-based URL if possible.

More Info:
https://github.com/Microsoft/DevSkim/blob/master/guidance/DS137138.md

In this case, the constructor line is not creating a URL, though. The statement "An HTTP-based URL without TLS was detected" is incorrect.

Would it make sense to check for http: instead of http here?
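As an added illustration that is not part of the original issue or of DevSkim's own rule code, the following JavaScript scanner contrasts three patterns over a few constructed source lines: the broad match on the bare word that the reporter describes, the `http:` variant the reporter proposes, and a variant that requires the full `http://` scheme prefix. The sample lines, the pattern names and the `scan` helper are all assumptions of this example. One caveat worth seeing in code: on the Angular constructor line the parameter's type annotation reads `http: Http`, so a rule that only appends `:` still matches it; requiring the `//` after the colon is what separates a URL scheme from a TypeScript type annotation.

```javascript
// Added example, not DevSkim's rule code. Sample source lines are constructed
// to mirror the issue: an Angular Http import, the constructor line that was
// flagged, one genuine cleartext URL, one TLS URL, and a comment mentioning HTTP/2.
const SAMPLE_LINES = [
  "import { Http } from '@angular/http';",        // line 1: module path, no URL
  "    constructor(private http: Http) {",         // line 2: the false-positive line
  "const api = 'http://example.test/api';",        // line 3: constructed cleartext URL
  "const secure = 'https://example.test/api';",    // line 4: constructed TLS URL
  "// see HTTP/2 notes",                           // line 5: protocol name in a comment
];

// Broad rule: the bare word anywhere, case-insensitive. This is the behaviour
// the issue describes and it flags every line above.
const BROAD = /http/i;

// The reporter's suggestion: require a colon. It no longer matches the import
// path or "https:", but the TypeScript annotation "http: Http" still matches.
const COLON_ONLY = /\bhttp:/i;

// Scheme-prefix rule: require "http://". Only a cleartext URL literal matches;
// the leading word boundary also keeps identifiers like "xhttp://" out.
const SCHEME_ONLY = /\bhttp:\/\//i;

// Returns the 1-based numbers of the lines a pattern flags. The patterns carry
// no "g" flag, so RegExp.test() is stateless across calls.
function scan(lines, pattern) {
  const hits = [];
  lines.forEach((line, index) => {
    if (pattern.test(line)) hits.push(index + 1);
  });
  return hits;
}

// Side-by-side summary of which lines each rule would report.
function compareRules(lines) {
  return {
    broad: scan(lines, BROAD),
    colonOnly: scan(lines, COLON_ONLY),
    schemeOnly: scan(lines, SCHEME_ONLY),
  };
}

console.log(compareRules(SAMPLE_LINES));
```

Running the block prints the flagged line numbers for each rule; only the scheme-prefix rule reports just the cleartext URL on line 3, while the broad rule reports all five lines and the colon-only rule still reports the constructor line.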

Issue Analytics

  • State: closed
  • Created 6 years ago
  • Comments: 7 (4 by maintainers)

Top GitHub Comments

1 reaction
joshbw commented, Jan 2, 2018

Good catch - the suggestion of including the : makes a lot of sense, and this is a pretty easy change.

0 reactions
molyviatisl commented, Dec 18, 2018

I am using DevSkim (version 0.3.1) and have the same issue. I am using VS2017 15.9.4. When will the fix be in the VS Marketplace?
