Fortify Often Misused Authentication java.net.InetAddress


We are using Fortify for static code analysis. One of the issues reported by the Fortify scan is "Often Misused: Authentication". The issue is flagged for every occurrence of one of the following methods from the class "java.net.InetAddress":

getAddress()
getByName(bindAddress)
getHostName()
getHostAddress()
getCanonicalHostName()
getLocalHost()
getAllByName()

What is the ideal fix for the same?

One possible way is suggested here; I am not sure whether we have any other ways to address this issue.

Thanks


There are 1 best solutions below


The vulnerability is effectively just warning you as a developer not to trust the output from these. One effective way to determine whether a server is who it says it is is with SSL. It sounds like in your application you are just getting a list of servers and forwarding authentication requests to them. If the user is then connecting via SSL to authenticate with the machines, it probably shouldn't be a problem (as long as a connection isn't allowed with self-signed certificates).
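To make the point of the answer concrete, here is an added Java example that is not part of the original question or answer. It places the pattern Fortify reports (using a reverse-DNS name from java.net.InetAddress as if it proved the peer's identity) next to the TLS-based alternative the answer describes, where identity comes from certificate validation and hostname verification rather than from DNS. The class name PeerIdentityExample, the placeholder host auth.example.invalid and port 443 are assumptions for the example and do not come from the page.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.Socket;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

/**
 * Added example: the InetAddress pattern Fortify flags as
 * "Often Misused: Authentication", beside a TLS-based identity check.
 */
public class PeerIdentityExample {

    // The pattern that triggers the finding: treating a reverse-DNS name as proof
    // of who the peer is. DNS answers are not authenticated, so a match here is
    // not evidence of identity and must not drive an authorization decision.
    static boolean trustedByReverseDns(Socket s, String expectedHost) {
        InetAddress peer = s.getInetAddress();
        String name = peer.getCanonicalHostName();   // call reported by Fortify
        return expectedHost.equalsIgnoreCase(name);  // weak: DNS is not trustworthy
    }

    // Hardened: authenticate the peer with TLS. The JDK's default SSLSocketFactory
    // uses the default trust store, so a certificate that does not chain to a
    // trusted CA (including a self-signed one) fails the handshake, and enabling
    // endpoint identification makes JSSE check that the certificate's subject
    // alternative name matches the host we intended to reach.
    static SSLSocket connectAuthenticated(String host, int port) throws IOException {
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        SSLSocket socket = (SSLSocket) factory.createSocket(host, port);
        SSLParameters params = socket.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS"); // hostname verification
        socket.setSSLParameters(params);
        socket.startHandshake(); // SSLHandshakeException if chain or hostname check fails
        return socket;
    }

    public static void main(String[] args) throws IOException {
        // Placeholder host; replace with the real authentication server.
        String host = args.length > 0 ? args[0] : "auth.example.invalid";
        try (SSLSocket s = connectAuthenticated(host, 443)) {
            System.out.println("Authenticated peer: " + s.getSession().getPeerPrincipal());
        }
    }
}
```

Note that name resolution itself is still needed to open the connection (createSocket resolves the host internally, just as getByName would). What changes in the hardened version is that no trust decision depends on what DNS returned: the peer is accepted only if its certificate validates against the trust store and matches the requested hostname.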