mcp-server-semgrep/semgrep-rules/python/lang/security/audit/httpsconnection-detected.yaml

MCP Server for Semgrep Integration - static code analysis with AI

rules:
- id: httpsconnection-detected
  message: >-
    The HTTPSConnection API has changed frequently with minor releases of Python.
    Ensure you are using the API for your version of Python securely.
    For example, Python 3 versions prior to 3.4.3 will not verify SSL certificates
    by default.
    See https://docs.python.org/3/library/http.client.html#http.client.HTTPSConnection
    for more information.
  metadata:
    owasp:
    - A03:2017 - Sensitive Data Exposure
    - A07:2021 - Identification and Authentication Failures
    cwe:
    - 'CWE-295: Improper Certificate Validation'
    references:
    - https://docs.python.org/3/library/http.client.html#http.client.HTTPSConnection
    category: security
    technology:
    - python
    subcategory:
    - audit
    likelihood: LOW
    impact: LOW
    confidence: LOW
  severity: WARNING
  languages:
  - python
  pattern-either:
  - pattern: httplib.HTTPSConnection(...)
  - pattern: http.client.HTTPSConnection(...)
  - pattern: six.moves.http_client.HTTPSConnection(...)