Fix three CodeQL code scanning alerts: insecure hostname verification and XXE#35

Merged
phaupt merged 2 commits into main from copilot/fix-code-scanning-issues
Feb 25, 2026

Conversation

Contributor

Copilot AI commented Feb 25, 2026

Resolves three open CodeQL code scanning alerts across the SOAP and REST client modules.

CWE-297: Insecure hostname verification (2 alerts)

  • SOAP (MssServiceFactory.java): Removed custom NoopHostnameVerifier inner class whose verify() unconditionally returned true. Removed the associated JAXWS_HOSTNAME_VERIFIER constant.
  • REST (ComProtocolHandlerRestImpl.java): Removed usage of Apache's NoopHostnameVerifier.INSTANCE when constructing SSLConnectionSocketFactory. Removed unused import.

Both paths now always use the default secure hostname verifier. When the config flag isHostnameVerification() is false, a warning is logged indicating the setting is ignored.

CWE-611: XXE via TransformerFactory (1 alert)

  • SOAP (SoapTrafficHandler.java): Hardened TransformerFactory used for SOAP message pretty-printing:
    TransformerFactory tff = TransformerFactory.newInstance();
    tff.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
    tff.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");

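The following is an added illustration, not code from the mobileid-client-java project, showing what the two TransformerFactory attributes from the PR do to the pretty-printing path: a constructed SOAP-like document whose DOCTYPE references an external DTD (placeholder host) is fed through an indenting identity transform built from a factory hardened exactly as in the PR. The class name, the sample document and the DTD URL are assumptions for the demo.

```java
import java.io.StringReader;
import java.io.StringWriter;
import javax.xml.XMLConstants;
import javax.xml.transform.OutputKeys;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;

public class HardenedPrettyPrintDemo {

    // Constructed sample input: a SOAP-like document whose DOCTYPE points at an
    // external DTD. The host is a placeholder; the hardened factory never contacts it.
    static final String DOC_WITH_EXTERNAL_DTD =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE Envelope SYSTEM \"http://dtd.example.invalid/soap.dtd\">\n"
      + "<Envelope><Body>hello</Body></Envelope>";

    // The same two attributes the PR sets on the pretty-printing factory.
    static TransformerFactory hardenedFactory() {
        TransformerFactory tff = TransformerFactory.newInstance();
        tff.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");        // deny external DTDs and external entities
        tff.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, ""); // deny external xsl:import / xsl:include
        return tff;
    }

    // Indenting identity transform: the pretty-printing use case the PR hardens.
    static String prettyPrint(TransformerFactory tff, String xml) throws TransformerException {
        Transformer t = tff.newTransformer();
        t.setOutputProperty(OutputKeys.INDENT, "yes");
        StringWriter out = new StringWriter();
        t.transform(new StreamSource(new StringReader(xml)), new StreamResult(out));
        return out.toString();
    }

    public static void main(String[] args) {
        try {
            System.out.println(prettyPrint(hardenedFactory(), DOC_WITH_EXTERNAL_DTD));
        } catch (TransformerException e) {
            // Expected with the hardened factory: the JDK parser reports a fatal error for the
            // external DTD because of the accessExternalDTD restriction, before any network access.
            System.out.println("Rejected: " + e.getMessage());
        }
    }
}
```

Building the factory without the two setAttribute calls instead lets the parser attempt to fetch the DTD from the referenced host, which is the outbound request the CWE-611 alert is about.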

…on (CWE-297) and XXE vulnerability (CWE-611)

Co-authored-by: phaupt <4255252+phaupt@users.noreply.github.com>
Copilot AI changed the title [WIP] Fix three code scanning open issues Fix three CodeQL code scanning alerts: insecure hostname verification and XXE Feb 25, 2026
Copilot AI requested a review from phaupt February 25, 2026 05:15

@phaupt phaupt self-requested a review February 25, 2026 05:21
@phaupt phaupt marked this pull request as ready for review February 25, 2026 05:21
@phaupt phaupt merged commit 7dad6e8 into main Feb 25, 2026
6 checks passed