Adding code for self-sign certificate SSL bypass (#1371)

Co-authored-by: Satyam Chaurasia <[email protected]>
checkmarx-ltd · Jul 26, 2024 · bdd9985 · bdd9985
1 parent 85ee775
commit bdd9985
Show file tree

Hide file tree

Showing 3 changed files with 19 additions and 10 deletions.
diff --git a/docs/Configuration.md b/docs/Configuration.md
@@ -608,6 +608,7 @@ For more details on break build, please refer to [Thresholds and policies](https
 | `cxflow.enabledVulnerabilityScanners`  | false                 | No                                  | Yes     | Yes               | User can define which checkmarx tool they want to use like SAST, SCA or both.                                                                                                                                                                                                                                                                                                                                                                                                           |
 | `checkmarx.considerScanningStatus`     | false                 | No                                  | Yes     | Yes               | By default, Checkmarx only includes completed scans (finished status) in incremental scans. This means it ignores scans that are currently running (scanning) or waiting to be processed (new queue). Enabling a feature this variable "cxflow" expands what incremental scans consider. With cxflow, scans in progress and those queued up are also taken into account, providing a more comprehensive view of your code's security posture.                                           |
 | `enabled-zip-scan`                     | false                 | No                                  | Yes     | Yes               | When `enabled-zip-scan` is set to `true` then cx-flow will first clone the repository locally, and then it will zip the repository and send it for scanning.                                                                                                                                                                                                                                                                                                                            |
+| `trustcerts`                     | false                 | No                                  | Yes     | Yes               | If this option is true Cx-flow will bypass SSL. Default value is false so it will not bypass SSL.                                                                                                                                                                                                                                                                                                                                                                                       |
 No* = Default is applied
 
 ### Custom Checkmarx Fields
@@ -638,6 +639,7 @@ checkmarx:
   url: ${checkmarx.base-url}/cxrestapi
   preserve-xml: true
   incremental: true
+  trustcerts: true
   portal-url: ${checkmarx.base-url}/cxwebinterface/Portal/CxWebService.asmx
   exclude-files: "*.tst,*.json"
   exclude-folders: ".git,test"

diff --git a/docs/Proxy-and-HTTPS-Configuration.md b/docs/Proxy-and-HTTPS-Configuration.md
@@ -51,10 +51,10 @@ To use CxFlow over HTTPS, an SSL certificate is required to be imported into a k
 
 # Self-Signed Certificates
 
-To allow CxFlow to trust self-signed certificates, the parameter '--trust-cert' needs to be provided via command line when starting the cxflow.
+To allow CxFlow to trust self-signed certificates, the parameter '--checkmarx.trustcerts = true' needs to be provided via command line when starting the cxflow.
 
 ```
-java -Dhttp.proxyHost=myproxyserver.com -Dhttp.proxyPort=9595 -jar cxflow.jar --trust-cert <Additional-CxFlow-parameters>
+java -Dhttp.proxyHost=myproxyserver.com -Dhttp.proxyPort=9595 -jar cxflow.jar --checkmarx.trustcerts = true' <Additional-CxFlow-parameters>
 ```
 
 ## Configuration

diff --git a/src/main/java/com/checkmarx/flow/config/FlowConfig.java b/src/main/java/com/checkmarx/flow/config/FlowConfig.java
@@ -2,9 +2,9 @@
 
 import com.checkmarx.flow.filter.CaseTransformingFilter;
 import com.checkmarx.flow.utils.ScanUtils;
-import org.apache.http.conn.ssl.NoopHostnameVerifier;
-import org.apache.http.impl.client.CloseableHttpClient;
-import org.apache.http.impl.client.HttpClients;
+import org.apache.hc.client5.http.impl.io.PoolingHttpClientConnectionManagerBuilder;
+import org.apache.hc.client5.http.io.HttpClientConnectionManager;
+import org.apache.hc.client5.http.ssl.SSLConnectionSocketFactory;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.boot.web.client.RestTemplateBuilder;
 import org.springframework.context.ApplicationContext;
@@ -18,7 +18,6 @@
 import org.thymeleaf.TemplateEngine;
 import org.thymeleaf.spring5.templateresolver.SpringResourceTemplateResolver;
 import org.thymeleaf.templatemode.TemplateMode;
-import org.apache.http.client.config.RequestConfig;
 import org.thymeleaf.templateresolver.FileTemplateResolver;
 
 import javax.net.ssl.SSLContext;
@@ -75,15 +74,23 @@ public void checkServerTrusted(
         };
         SSLContext sslContext = SSLContext.getInstance("SSL");
         sslContext.init(null, trustAllCerts, new java.security.SecureRandom());
-        CloseableHttpClient httpClient = HttpClients.custom()
-                .setSSLContext(sslContext)
-                .setSSLHostnameVerifier(NoopHostnameVerifier.INSTANCE)
+        SSLConnectionSocketFactory socketFactory = new SSLConnectionSocketFactory(sslContext);
+
+        HttpClientConnectionManager connectionManager = PoolingHttpClientConnectionManagerBuilder.create()
+                .setSSLSocketFactory(socketFactory)
+                .build();
+
+        org.apache.hc.client5.http.impl.classic.CloseableHttpClient httpClient = org.apache.hc.client5.http.impl.classic.HttpClients.custom()
+                .setConnectionManager(connectionManager)
+                .evictExpiredConnections()
                 .build();
         HttpComponentsClientHttpRequestFactory customRequestFactory = new HttpComponentsClientHttpRequestFactory();
-        //customRequestFactory.setHttpClient(httpClient);
+        customRequestFactory.setHttpClient(httpClient);
         return builder.requestFactory(() -> customRequestFactory).build();
     }
 
+
+
     @Bean
     public JavaMailSender getJavaMailSender() {
         JavaMailSenderImpl mailSender = new JavaMailSenderImpl();