Scala Deprecated DefaultHttpClient Use
Description
This detector identifies usage of the deprecated Apache DefaultHttpClient class in Scala code. DefaultHttpClient has been deprecated since Apache HttpClient 4.3 in favor of HttpClientBuilder. It was deprecated because of known security issues and because it does not support modern TLS configuration, and a deprecated class no longer receives fixes, so applications that keep using it may be exposed to man-in-the-middle attacks and similar weaknesses.
Detection Strategy
• The detector first checks whether the Apache HttpClient implementation package is imported in any of three forms: org.apache.http.impl.client.DefaultHttpClient (the class itself), org.apache.http.impl.client.* (Scala 3 wildcard) or org.apache.http.impl.client._ (Scala 2 wildcard)
• Once the import is confirmed, it scans all selected code nodes for references to DefaultHttpClient
• A finding is reported for each reference to DefaultHttpClient found in the code after the import has been confirmed; without the import, the name cannot resolve to the deprecated class and nothing is reported
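The three steps above, run over constructed Scala sources, as an added example that is not Fluid Attacks' detector code. It approximates the "code nodes" of the real detector with a line scan that blanks out comments and string literals first, so a comment that merely mentions DefaultHttpClient is not reported. It also goes one step beyond the page by treating a Scala selector import such as import org.apache.http.impl.client.{HttpClientBuilder, DefaultHttpClient} as a confirming import; that extra form, the helper names and the sample sources are assumptions of this example.

```python
import re
from typing import List, Tuple

# Import forms from the detection strategy (exact class, `*` and `_` wildcards),
# plus a Scala selector import {A, DefaultHttpClient} added here as an assumption.
IMPORT_RE = re.compile(
    r"^\s*import\s+org\.apache\.http\.impl\.client\."
    r"(?:DefaultHttpClient\s*$|[_*]\s*$|\{[^}]*\bDefaultHttpClient\b[^}]*\}\s*$)"
)
USAGE_RE = re.compile(r"\bDefaultHttpClient\b")


def _strip_comments_and_strings(source: str) -> str:
    """Blank out /* */ blocks, // comments and string literals, keeping the line count."""
    def keep_newlines(match: "re.Match") -> str:
        return "\n" * match.group(0).count("\n")

    source = re.sub(r"/\*.*?\*/", keep_newlines, source, flags=re.S)
    source = re.sub(r'"(?:\\.|[^"\\\n])*"', '""', source)
    return re.sub(r"//[^\n]*", "", source)


def imports_default_http_client(source: str) -> bool:
    """Step 1: is DefaultHttpClient importable, by name or through a wildcard?"""
    return any(IMPORT_RE.match(line) for line in source.splitlines())


def find_default_http_client(source: str) -> List[Tuple[int, str]]:
    """Steps 2 and 3: once the import is confirmed, report every code line that
    names DefaultHttpClient outside imports, comments and string literals."""
    if not imports_default_http_client(source):
        return []
    cleaned = _strip_comments_and_strings(source).splitlines()
    original = source.splitlines()
    findings = []
    for number, (code, raw) in enumerate(zip(cleaned, original), start=1):
        if raw.lstrip().startswith("import "):
            continue  # the import line itself is the precondition, not the finding
        if USAGE_RE.search(code):
            findings.append((number, raw.strip()))
    return findings


# Constructed sample sources (not from any real project).
VULNERABLE_SCALA = """\
import org.apache.http.client.HttpClient
import org.apache.http.impl.client.DefaultHttpClient

object WebService {
  def makeRequest(): Unit = {
    // DefaultHttpClient is deprecated; this comment alone must not be reported
    val client: HttpClient = new DefaultHttpClient()
    client.execute(new HttpGet("https://example.test/DefaultHttpClient"))
  }
}
"""

SECURE_SCALA = """\
import org.apache.http.client.methods.HttpGet
import org.apache.http.impl.client.CloseableHttpClient
import org.apache.http.impl.client.HttpClientBuilder

object WebService {
  def makeRequest(): Unit = {
    val client: CloseableHttpClient = HttpClientBuilder.create().build()
  }
}
"""

WILDCARD_SCALA = """\
import org.apache.http.impl.client._

object Legacy {
  /* DefaultHttpClient mentioned in a block
     comment only */
  val client = new DefaultHttpClient()
}
"""

SELECTOR_SCALA = """\
import org.apache.http.impl.client.{HttpClientBuilder, DefaultHttpClient}
object Mixed {
  val legacy = new DefaultHttpClient()
  val modern = HttpClientBuilder.create().build()
}
"""

if __name__ == "__main__":
    for name, src in [("vulnerable", VULNERABLE_SCALA), ("secure", SECURE_SCALA),
                      ("wildcard", WILDCARD_SCALA), ("selector", SELECTOR_SCALA)]:
        print(name, find_default_http_client(src))
```

The string-literal pass matters for the vulnerable sample: the URL contains the class name and a `//`, and neither may produce a finding or swallow the rest of the line. The secure sample imports only HttpClientBuilder and CloseableHttpClient, so step 1 fails and no scan happens at all.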
Vulnerable code example
import org.apache.http.client.HttpClient
import org.apache.http.client.methods.HttpGet
import org.apache.http.impl.client.DefaultHttpClient

object WebService {
  def makeRequest(): Unit = {
    // VULNERABLE: DefaultHttpClient is deprecated and lacks modern TLS security
    val client: HttpClient = new DefaultHttpClient()
    // Placeholder target; the original example elides the request
    val response = client.execute(new HttpGet("https://example.com/"))
    println(response.getStatusLine)
    client.getConnectionManager.shutdown()
  }
}

✅ Secure code example
import org.apache.http.client.methods.HttpGet
import org.apache.http.impl.client.CloseableHttpClient
import org.apache.http.impl.client.HttpClientBuilder

object WebService {
  def makeRequest(): Unit = {
    // SAFE: HttpClientBuilder provides modern TLS security by default
    val client: CloseableHttpClient = HttpClientBuilder.create().build()
    try {
      // Placeholder target; the original example elides the request
      val response = client.execute(new HttpGet("https://example.com/"))
      try println(response.getStatusLine) finally response.close()
    } finally client.close()
  }
}

HttpClientBuilder.create().build() uses the JVM's default SSLContext and hostname verifier; when those defaults are not strict enough for your environment, supply your own SSLContext through the builder (setSSLContext) rather than falling back to the deprecated client. Close the client and each response, as above, so connections are released.