Transport Layer Security (TLS) provides a secure channel between systems communicating over a network: it encrypts the data sent between them, detects tampering in transit, and authenticates the server through its certificate.
HTTPS is HTTP carried over such a TLS channel.
This protection is essential for the confidentiality and integrity of supply chain operations, including fetching
dependencies with the Swift Package Manager (swift package resolve, swift package update, etc.).
The Package.swift manifest file defines the dependencies of a project for the Swift Package Manager. A package
dependency is declared with the URL of its Git repository.
Using the unencrypted HTTP protocol (an http:// URL) for a package dependency should be avoided. It leaves the build process open to
man-in-the-middle attacks, which can result in a compromised dependency being built into the product. Repository URLs should use HTTPS (https://)
instead; a Git URL fetched over SSH is likewise encrypted and authenticated. Note that the revision pinned in Package.resolved only protects later resolutions if the first one was performed over a trustworthy channel, and swift package update fetches new revisions over the same, unprotected connection.
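To make the check concrete, here is an added example (not code from the original page nor from the Swift Package Manager project) that scans a Package.swift manifest for dependencies declared over plain HTTP, reports them with their line numbers, and rewrites the affected URLs to https://. The manifest text, the package names and the hosts in it are constructed for the example; the regular expression only recognises the `.package(url: "...")` form, optionally preceded by a `name:` argument.

```python
import re
from typing import List, Tuple

# Constructed sample Package.swift (not taken from the original page). Two of the
# four dependencies are declared over cleartext HTTP, one with an upper-case scheme.
SAMPLE_MANIFEST = """// swift-tools-version:5.9
import PackageDescription

let package = Package(
    name: "ExampleApp",
    dependencies: [
        .package(url: "http://github.com/example/insecure-lib.git", from: "1.0.0"),
        .package(url: "https://github.com/example/secure-lib.git", from: "2.1.0"),
        .package(url: "git@github.com:example/ssh-lib.git", branch: "main"),
        .package(name: "LegacyLib", url: "HTTP://example.com/legacy.git", from: "0.3.0"),
    ],
    targets: [.target(name: "ExampleApp")]
)
"""

# Matches the url: argument of a .package(...) declaration, tolerating a leading
# name: argument and line breaks inside the call. Group 2 is the URL string.
PACKAGE_URL_RE = re.compile(r'(\.package\([^)]*?\burl:\s*")([^"]+)(")')


def find_package_urls(manifest: str) -> List[Tuple[int, str]]:
    """Return (line_number, url) for every .package(url: "...") in the manifest."""
    found = []
    for m in PACKAGE_URL_RE.finditer(manifest):
        line_no = manifest.count("\n", 0, m.start()) + 1
        found.append((line_no, m.group(2)))
    return found


def is_cleartext_url(url: str) -> bool:
    """True when the dependency would be fetched over unencrypted HTTP.

    Only the http:// scheme is flagged: https:// is encrypted, and ssh:// or
    scp-style git@host:path URLs are encrypted and authenticated by SSH.
    """
    return url.lower().startswith("http://")


def find_insecure_dependencies(manifest: str) -> List[Tuple[int, str]]:
    """Line numbers and URLs of dependencies declared over plain HTTP."""
    return [(n, u) for n, u in find_package_urls(manifest) if is_cleartext_url(u)]


def harden_manifest(manifest: str) -> str:
    """Rewrite every http:// package URL to https://, leaving everything else untouched.

    Caveat: this only edits the manifest text. After rewriting, run
    `swift package resolve` to confirm the host really serves the repository
    over HTTPS with a valid certificate.
    """
    def fix(m):
        url = m.group(2)
        if is_cleartext_url(url):
            url = "https://" + url[len("http://"):]
        return m.group(1) + url + m.group(3)
    return PACKAGE_URL_RE.sub(fix, manifest)


if __name__ == "__main__":
    for line_no, url in find_insecure_dependencies(SAMPLE_MANIFEST):
        print(f"Package.swift:{line_no}: dependency fetched over cleartext HTTP: {url}")
    print(harden_manifest(SAMPLE_MANIFEST))
```

Run against a real manifest by reading the file into `find_insecure_dependencies`; a non-empty result is a reasonable CI failure condition. The scheme comparison is case-insensitive on purpose, since Git accepts `HTTP://` as well as `http://`.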
What is the potential impact
Man-in-the-middle (MitM) attacks
An attacker positioned on the network path can intercept the communication between the client and the server, read the data being transmitted and modify it in transit without the client noticing.
Supply chain attacks
Without the verification provided by TLS certificates, attackers can redirect package requests to malicious servers that mimic legitimate package
repositories.
For example, an attacker could inject malicious code into a package being downloaded, which would compromise the security of the application being
built.
This can cause further security breaches inside the organization, and it also affects customers if the malicious code ends up in a shipped product, either
as part of a production dependency or as code generated by a tampered development dependency such as a build tool or code generator.
Distributing code that (unintentionally) contains backdoors or malware can lead to widespread security vulnerabilities, reputational damage, and
potential legal liabilities.
Credential exposure
Credentials used to authenticate to the remote repository, such as API tokens or a username and password sent with HTTP basic authentication, travel in
cleartext over plain HTTP and can be captured by anyone on the network path. This could lead to unauthorized access to the repository, the application or its data.