From bdd99853ef1d7deb7063d02165d980adbf84073c Mon Sep 17 00:00:00 2001
From: satyamchaurasiapersistent <102941840+satyamchaurasiapersistent@users.noreply.github.com>
Date: Fri, 26 Jul 2024 12:15:30 +0530
Subject: [PATCH] Adding code for self-sign certificate SSL bypass (#1371)
Co-authored-by: Satyam Chaurasia
---
 docs/Configuration.md | 2 ++
 docs/Proxy-and-HTTPS-Configuration.md | 4 ++--
 .../com/checkmarx/flow/config/FlowConfig.java | 23 ++++++++++++-------
 3 files changed, 19 insertions(+), 10 deletions(-)
diff --git a/docs/Configuration.md b/docs/Configuration.md
index 70cf008fd..ce6f421fc 100644
--- a/docs/Configuration.md
+++ b/docs/Configuration.md
@@ -608,6 +608,7 @@ For more details on break build, please refer to [Thresholds and policies](https
 | `cxflow.enabledVulnerabilityScanners` | false | No | Yes | Yes | User can define which checkmarx tool they want to use like SAST, SCA or both. |
 | `checkmarx.considerScanningStatus` | false | No | Yes | Yes | By default, Checkmarx only includes completed scans (finished status) in incremental scans. This means it ignores scans that are currently running (scanning) or waiting to be processed (new queue). Enabling a feature this variable "cxflow" expands what incremental scans consider. With cxflow, scans in progress and those queued up are also taken into account, providing a more comprehensive view of your code's security posture. |
 | `enabled-zip-scan` | false | No | Yes | Yes | When `enabled-zip-scan` is set to `true` then cx-flow will first clone the repository locally, and then it will zip the repository and send it for scanning. |
+| `trustcerts` | false | No | Yes | Yes | If this option is true Cx-flow will bypass SSL. Default value is false so it will not bypass SSL. |
 No* = Default is applied
 ### Custom Checkmarx Fields
@@ -638,6 +639,7 @@ checkmarx:
 url: ${checkmarx.base-url}/cxrestapi
 preserve-xml: true
 incremental: true
+trustcerts: true
 portal-url: ${checkmarx.base-url}/cxwebinterface/Portal/CxWebService.asmx
 exclude-files: "*.tst,*.json"
 exclude-folders: ".git,test"
diff --git a/docs/Proxy-and-HTTPS-Configuration.md b/docs/Proxy-and-HTTPS-Configuration.md
index 1704ae226..7b488a2ca 100644
--- a/docs/Proxy-and-HTTPS-Configuration.md
+++ b/docs/Proxy-and-HTTPS-Configuration.md
@@ -51,10 +51,10 @@ To use CxFlow over HTTPS, an SSL certificate is required to be imported into a k
 # Self-Signed Certificates
-To allow CxFlow to trust self-signed certificates, the parameter '--trust-cert' needs to be provided via command line when starting the cxflow.
+To allow CxFlow to trust self-signed certificates, the parameter '--checkmarx.trustcerts = true' needs to be provided via command line when starting the cxflow.
 ```
-java -Dhttp.proxyHost=myproxyserver.com -Dhttp.proxyPort=9595 -jar cxflow.jar --trust-cert
+java -Dhttp.proxyHost=myproxyserver.com -Dhttp.proxyPort=9595 -jar cxflow.jar --checkmarx.trustcerts = true'
 ```
 ## Configuration
diff --git a/src/main/java/com/checkmarx/flow/config/FlowConfig.java b/src/main/java/com/checkmarx/flow/config/FlowConfig.java
index 75384f93a..e5fbd93bf 100644
--- a/src/main/java/com/checkmarx/flow/config/FlowConfig.java
+++ b/src/main/java/com/checkmarx/flow/config/FlowConfig.java
@@ -2,9 +2,9 @@
 import com.checkmarx.flow.filter.CaseTransformingFilter;
 import com.checkmarx.flow.utils.ScanUtils;
-import org.apache.http.conn.ssl.NoopHostnameVerifier;
-import org.apache.http.impl.client.CloseableHttpClient;
-import org.apache.http.impl.client.HttpClients;
+import org.apache.hc.client5.http.impl.io.PoolingHttpClientConnectionManagerBuilder;
+import org.apache.hc.client5.http.io.HttpClientConnectionManager;
+import org.apache.hc.client5.http.ssl.SSLConnectionSocketFactory;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.boot.web.client.RestTemplateBuilder;
 import org.springframework.context.ApplicationContext;
@@ -18,7 +18,6 @@
 import org.thymeleaf.TemplateEngine;
 import org.thymeleaf.spring5.templateresolver.SpringResourceTemplateResolver;
 import org.thymeleaf.templatemode.TemplateMode;
-import org.apache.http.client.config.RequestConfig;
 import org.thymeleaf.templateresolver.FileTemplateResolver;
 import javax.net.ssl.SSLContext;
@@ -75,15 +74,23 @@ public void checkServerTrusted(
 };
 SSLContext sslContext = SSLContext.getInstance("SSL");
 sslContext.init(null, trustAllCerts, new java.security.SecureRandom());
-CloseableHttpClient httpClient = HttpClients.custom()
-.setSSLContext(sslContext)
-.setSSLHostnameVerifier(NoopHostnameVerifier.INSTANCE)
+SSLConnectionSocketFactory socketFactory = new SSLConnectionSocketFactory(sslContext);
+
+HttpClientConnectionManager connectionManager = PoolingHttpClientConnectionManagerBuilder.create()
+.setSSLSocketFactory(socketFactory)
+.build();
+
+org.apache.hc.client5.http.impl.classic.CloseableHttpClient httpClient = org.apache.hc.client5.http.impl.classic.HttpClients.custom()
+.setConnectionManager(connectionManager)
+.evictExpiredConnections()
 .build();
 HttpComponentsClientHttpRequestFactory customRequestFactory = new HttpComponentsClientHttpRequestFactory();
-//customRequestFactory.setHttpClient(httpClient);
+customRequestFactory.setHttpClient(httpClient);
 return builder.requestFactory(() -> customRequestFactory).build();
 }
+
+
 @Bean
 public JavaMailSender getJavaMailSender() {
 JavaMailSenderImpl mailSender = new JavaMailSenderImpl();
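Review bot: `new SSLConnectionSocketFactory(sslContext)` installs the trust-all `trustAllCerts` manager but passes no hostname verifier, so the new client accepts any certificate chain while still applying the default hostname check — the reverse of what the removed `NoopHostnameVerifier` line did, and neither half matches the "bypass SSL" wording the docs hunk adds, so state precisely which checks are skipped. Because `customRequestFactory.setHttpClient(httpClient)` is now live (it was commented out before), every HTTPS request made through the RestTemplate this bean returns — not only the call to the self-signed Checkmarx server — skips chain validation, which is a man-in-the-middle exposure unless the bean is strictly gated on `checkmarx.trustcerts`; the gate, if any, sits on the method header outside this hunk, so please confirm it and log a warning when the trust-all path is active. A safer shape keeps validation and trusts only the operator-supplied certificate, e.g. `SSLContext sslContext = SSLContexts.custom().loadTrustMaterial(trustStoreFile, trustStorePassword, null).build();` from `org.apache.hc.core5.ssl`, which removes the need for `trustAllCerts` altogether. Two smaller points: the context line `SSLContext.getInstance("SSL")` should use the current JSSE name `"TLS"` rather than the legacy alias, and the `CloseableHttpClient` built here is never closed, so register it as a `@Bean(destroyMethod = "close")` or close it on context shutdown to avoid leaking the pool's eviction thread. The enclosing bean method begins outside this hunk.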