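/**
 * @name Android missing certificate pinning
 * @description Network connections that do not use certificate pinning may allow attackers to eavesdrop on communications.
 * @kind problem
 * @problem.severity warning
 * @security-severity 5.9
 * @precision medium
 * @id java/android/missing-certificate-pinning
 * @tags security
 *       external/cwe/cwe-295
 */

import java
import semmle.code.java.security.AndroidCertificatePinningQuery

// Reports every data-flow node for which `missingPinning(node, domain)` holds and
// attaches a short explanation of which domain, if any, lacks a pin.
//
// NOTE(review): `missingPinning` is not defined in this file; presumably it comes from
// the AndroidCertificatePinningQuery import. Its exact criteria are not visible here.
//
// Triage notes:
//  - The metadata marks this query `@precision medium`, so treat each result as a lead
//    to confirm rather than a verified finding.
//  - The alert text only speaks about pinning. It does not say whether the flagged call
//    uses TLS at all; a flagged `http://` URL needs HTTPS before a pin is meaningful.
//  - The query is named for Android; call sites in code that does not ship in an Android
//    app are likely out of scope. Confirm the target before acting on a result.
from DataFlow::Node node, string domain, string msg
where
  missingPinning(node, domain) and
  // An empty `domain` is reported as "no explicitly trusted domains"; otherwise the
  // message names the domain that is not covered by a pin.
  if domain = ""
  then msg = "(no explicitly trusted domains)"
  else msg = "(" + domain + " is not trusted by a pin)"
select node, "This network call does not implement certificate pinning. " + msg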
HttpRequestBase requestBase;
if (method.equals(HttpMethods.DELETE)) {
requestBase = new HttpDelete(url);
} else if (method.equals(HttpMethods.GET)) {
requestBase = new HttpGet(url);
This network call does not implement certificate pinning. (no explicitly trusted domains)
requestBase = new HttpDelete(url);
} else if (method.equals(HttpMethods.GET)) {
requestBase = new HttpGet(url);
} else if (method.equals(HttpMethods.HEAD)) {
requestBase = new HttpHead(url);
This network call does not implement certificate pinning. (no explicitly trusted domains)
requestBase = new HttpGet(url);
} else if (method.equals(HttpMethods.HEAD)) {
requestBase = new HttpHead(url);
} else if (method.equals(HttpMethods.POST)) {
requestBase = new HttpPost(url);
This network call does not implement certificate pinning. (no explicitly trusted domains)
requestBase = new HttpHead(url);
} else if (method.equals(HttpMethods.POST)) {
requestBase = new HttpPost(url);
} else if (method.equals(HttpMethods.PUT)) {
requestBase = new HttpPut(url);
This network call does not implement certificate pinning. (no explicitly trusted domains)
requestBase = new HttpPost(url);
} else if (method.equals(HttpMethods.PUT)) {
requestBase = new HttpPut(url);
} else if (method.equals(HttpMethods.TRACE)) {
requestBase = new HttpTrace(url);
This network call does not implement certificate pinning. (no explicitly trusted domains)
requestBase = new HttpPut(url);
} else if (method.equals(HttpMethods.TRACE)) {
requestBase = new HttpTrace(url);
} else if (method.equals(HttpMethods.OPTIONS)) {
requestBase = new HttpOptions(url);
This network call does not implement certificate pinning. (no explicitly trusted domains)
HttpRequestBase requestBase;
if (method.equals(HttpMethods.DELETE)) {
requestBase = new HttpDelete(url);
} else if (method.equals(HttpMethods.GET)) {
requestBase = new HttpGet(url);
This network call does not implement certificate pinning. (no explicitly trusted domains)
requestBase = new HttpDelete(url);
} else if (method.equals(HttpMethods.GET)) {
requestBase = new HttpGet(url);
} else if (method.equals(HttpMethods.HEAD)) {
requestBase = new HttpHead(url);
This network call does not implement certificate pinning. (no explicitly trusted domains)
requestBase = new HttpGet(url);
} else if (method.equals(HttpMethods.HEAD)) {
requestBase = new HttpHead(url);
} else if (method.equals(HttpMethods.PATCH)) {
requestBase = new HttpPatch(url);
This network call does not implement certificate pinning. (no explicitly trusted domains)
requestBase = new HttpHead(url);
} else if (method.equals(HttpMethods.PATCH)) {
requestBase = new HttpPatch(url);
} else if (method.equals(HttpMethods.POST)) {
requestBase = new HttpPost(url);
This network call does not implement certificate pinning. (no explicitly trusted domains)
requestBase = new HttpPatch(url);
} else if (method.equals(HttpMethods.POST)) {
requestBase = new HttpPost(url);
} else if (method.equals(HttpMethods.PUT)) {
requestBase = new HttpPut(url);
This network call does not implement certificate pinning. (no explicitly trusted domains)
requestBase = new HttpPost(url);
} else if (method.equals(HttpMethods.PUT)) {
requestBase = new HttpPut(url);
} else if (method.equals(HttpMethods.TRACE)) {
requestBase = new HttpTrace(url);
This network call does not implement certificate pinning. (no explicitly trusted domains)
requestBase = new HttpPut(url);
} else if (method.equals(HttpMethods.TRACE)) {
requestBase = new HttpTrace(url);
} else if (method.equals(HttpMethods.OPTIONS)) {
requestBase = new HttpOptions(url);
This network call does not implement certificate pinning. (no explicitly trusted domains)
public void run() throws Exception {
Request request = new Request.Builder()
.url("http://httpbin.org/delay/2") // This URL is served with a 2 second delay.
.build();
This network call does not implement certificate pinning. (httpbin.org is not trusted by a pin)
public void run() throws Exception {
Request request = new Request.Builder()
.url("http://httpbin.org/delay/2") // This URL is served with a 2 second delay.
.build();
This network call does not implement certificate pinning. (httpbin.org is not trusted by a pin)
public void run() throws Exception {
Request request = new Request.Builder()
.url("http://httpbin.org/delay/1") // This URL is served with a 1 second delay.
.build();
This network call does not implement certificate pinning. (httpbin.org is not trusted by a pin)
Map<Integer, String> map = new ConcurrentHashMap<>();
int maxId = 0;
try (InputStream is = new BufferedInputStream(synsetUrl.openStream());
Scanner scanner = new Scanner(is, StandardCharsets.UTF_8.name())) {
scanner.useDelimiter("item ");
This network call does not implement certificate pinning. (no explicitly trusted domains)
try {
System.out.println("=== PUT " + uri + " ===");
HttpPut request = new HttpPut(uri);
if (payload != null) {
HttpEntity entity = new StringEntity(payload);
This network call does not implement certificate pinning. (no explicitly trusted domains)
try {
System.out.println("=== POST " + uri + " ===");
HttpPost request = new HttpPost(uri);
if (payload != null) {
HttpEntity entity = new StringEntity(payload);
This network call does not implement certificate pinning. (no explicitly trusted domains)
// Send the request to the AWS federation endpoint to get the sign-in token
URLConnection conn = url.openConnection();
BufferedReader bufferReader = new BufferedReader(new InputStreamReader(conn.getInputStream()));
This network call does not implement certificate pinning. (no explicitly trusted domains)
props.setProperty("user", userName);
props.setProperty("password", password);
conn = DriverManager.getConnection(host, props);
// A simple query to retrieve data from the work table.
This network call does not implement certificate pinning. (no explicitly trusted domains)