Transport Layer Security (TLS) provides a secure channel between systems communicating over the internet by encrypting the data sent between them.
TLS can be layered on the http and git URI schemes to build secure https and git+https channels respectively.
These secure protocols are essential for the confidentiality and the integrity of the communication performed during supply chain operations
such as dart pub get, flutter pub get, dart pub upgrade, etc.
The pubspec.yaml file, which is read by several Dart/Flutter commands, accepts URIs in various attributes: homepage, repository, issue_tracker,
dependency repositories (git and hosted URLs), etc.
It is important that secure protocols are used in all of these URIs. The https protocol provides an additional layer of security by
encrypting the transferred data and verifying the server's identity through its certificate; plain http and git:// provide neither.
It is generally recommended not to use http or git URIs anywhere Dart/Flutter commands will follow them to gather external
data during any stage of the application build.
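As an added example, not part of the original rule text: a small Python check that scans a pubspec.yaml for values in the attributes named above whose URI scheme is http or git, and proposes the https form. The sample pubspec below is constructed, and the helper assumes each host also serves the same content over https, which has to be verified before changing the file.

```python
import re
from typing import List, NamedTuple

# Constructed sample pubspec.yaml mixing secure and insecure URIs.
SAMPLE_PUBSPEC = """\
name: example_app
homepage: http://example.com
repository: https://github.com/example/example_app
issue_tracker: "http://github.com/example/example_app/issues"
dependencies:
  http: ^1.2.0
  my_lib:
    git:
      url: git://github.com/example/my_lib.git
      ref: main
  other_lib:
    hosted:
      url: http://pub.internal.example
    version: ^2.0.0
"""

INSECURE_SCHEMES = {"http", "git"}
KEY_VALUE = re.compile(r"^\s*([\w-]+):\s*(.+?)\s*$")
SCHEME = re.compile(r"^([a-z][a-z0-9+.-]*)://", re.IGNORECASE)


class Finding(NamedTuple):
    line: int
    key: str
    uri: str


def find_insecure_uris(pubspec_text: str) -> List[Finding]:
    """Report every scalar value whose URI scheme is http or git.
    Only the value is inspected, so a package *named* http (e.g. `http: ^1.2.0`) is not flagged."""
    findings = []
    for number, raw in enumerate(pubspec_text.splitlines(), start=1):
        line = re.split(r"\s#", raw, maxsplit=1)[0]  # drop trailing YAML comments
        m = KEY_VALUE.match(line)
        if not m:
            continue  # mapping key without an inline value, or blank line
        key, value = m.group(1), m.group(2).strip("\"'")
        s = SCHEME.match(value)
        if s and s.group(1).lower() in INSECURE_SCHEMES:
            findings.append(Finding(number, key, value))
    return findings


def secure_equivalent(uri: str) -> str:
    """TLS-protected form of an insecure URI (assumes the host serves https)."""
    return re.sub(r"^(http|git)://", "https://", uri, flags=re.IGNORECASE)


if __name__ == "__main__":
    for f in find_insecure_uris(SAMPLE_PUBSPEC):
        print(f"line {f.line}: {f.key}: {f.uri} -> {secure_equivalent(f.uri)}")
```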
What is the potential impact
Man-in-the-middle (MitM) attacks
An attacker can intercept the communication between the client and server, allowing them to modify the data being transmitted.
Supply chain attacks
Without the verification provided by TLS certificates, attackers can redirect package requests to malicious servers that mimic legitimate package
repositories.
For example, an attacker could inject malicious code into a package being downloaded, which would compromise the security of the application being
built.
This can cause further security breaches inside the organization, and it will also affect clients if the malicious code makes its way into any
product, either as part of a production dependency or as code generated by a tampered development dependency.
Distributing code that (unintentionally) contains backdoors or malware can lead to widespread security vulnerabilities, reputational damage, and
potential legal liabilities.
Credential exposure
Sensitive information, such as API keys or user credentials used to interact with the remote package repository, could be read by anyone on the
network path while it is transmitted over an unencrypted connection. This could lead to unauthorized access to the application or its data.