Recipe Name:
Hibernate: Missing transport-level security: No SSL for database connection
Description:
Use transport level security to connect to the database
Level:
warning
Language:
  • xml
Tags:
  • database
  • security
  • Hibernate
  • framework specific
  • OWASP Top 10
  • TLS
Documentation

A secure communication channel should be used to interact with the database. Otherwise, the contents of messages sent between the application and the database could be sniffed by attackers.

Before
<hibernate-configuration>
    <session-factory>
	...
        <property name = "hibernate.connection.url">
            jdbc:mysql://localhost/test?useSSL=false
        </property>
    </session-factory>
</hibernate-configuration>
After
<hibernate-configuration>
    <session-factory>
	...
        <property name = "hibernate.connection.url">
            jdbc:mysql://localhost/test?useSSL=true
        </property>
    </session-factory>
</hibernate-configuration>
References
Recipe
id: scw:database:hibernate:missing_SSL
version: 10
metadata:
  name: 'Hibernate: Missing transport-level security: No SSL for database connection'
  shortDescription: Use transport level security to connect to the database
  level: warning
  language: xml
  scwCategory: insufficient_transport_layer_protection:communication_over_cleartext_protocol_http
  cweCategory: 319
  enabled: true
  comment: ""
  descriptionFile: descriptions/Hibernate__Missing_transport-level_security__No_SSL_for_database_connection.html
  tags: database;security;Hibernate;framework specific;OWASP Top 10;TLS
search:
  element:
    in:
      file:
        name: hibernate.cfg.xml
        child:
          element:
            tagName:
              is: hibernate-configuration
    attribute:
      anyOf:
      - name:
          is: name
        value: hibernate.connection.url
    text:
      matches: .*useSSL=false.*?
    tagName:
      is: property
availableFixes:
- name: Enable SSL in the connection string
  actions:
  - rewrite:
      to: '{{#sed}}s/useSSL=false/useSSL=true/,{{{ . }}}{{/sed}}'