checkmarx-ltd / cx-flow

Checkmarx Scan and Result Orchestration
Apache License 2.0

[Enhancement request] possibility to disable TLS verification on client side #1325

Open KafkaProServerless opened 4 months ago

KafkaProServerless commented 4 months ago

Hello team,

From this doc: https://checkmarx.com/resource/documents/en/34965-8218-gitlab-integration.html#UUID-61dc8710-05ca-c4bc-d90a-9fb6ae2fe195_id_GitLabIntegration-AddingCerts

It is mentioned that one can have the option to add a custom cacert for CxFlow to work. Many enterprises have Checkmarx servers with custom-signed certificates, with heavy rotation periods, etc. While it is very helpful to allow baking in a custom cert with your suggested command:

checkmarx-scan:
    before_script: 
      - cat ${LOCAL_CA_CERT} > localcert.cert
      - keytool -import -trustcacerts -alias localca -file localcert.cert -keystore $JAVA_HOME/jre/lib/security/cacerts -storepass changeit -noprompt

It might be also useful to have an option as follows (name up to you):

-allowInsecureTrust=true

Looking at the current code at

It seems it can be easily achieved by adding something like:

import java.security.KeyManagementException;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.ssl.TrustStrategy;
import org.springframework.http.client.HttpComponentsClientHttpRequestFactory;
import org.springframework.web.client.RestTemplate;

public RestTemplate restTemplate()
        throws KeyStoreException, NoSuchAlgorithmException, KeyManagementException {
    // Trust strategy that accepts every server certificate chain (the "insecure trust" mode)
    TrustStrategy acceptingTrustStrategy = (X509Certificate[] chain, String authType) -> true;

    SSLContext sslContext = org.apache.http.ssl.SSLContexts.custom()
            .loadTrustMaterial(null, acceptingTrustStrategy)
            .build();

    // Socket factory built on that context; hostname verification stays at the HttpClient default
    SSLConnectionSocketFactory csf = new SSLConnectionSocketFactory(sslContext);

    CloseableHttpClient httpClient = HttpClients.custom()
            .setSSLSocketFactory(csf)
            .build();

    HttpComponentsClientHttpRequestFactory requestFactory =
            new HttpComponentsClientHttpRequestFactory();
    requestFactory.setHttpClient(httpClient);

    return new RestTemplate(requestFactory);
}

Could you please consider this enhancement request?

Thank you
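The two options discussed in this request, a custom CA and an accept-everything trust strategy, can be handled by the same RestTemplate factory, with the custom CA as the normal path and the insecure mode behind an explicit opt-in. The following is an added example, not code from the cx-flow project or from the issue author; the `TlsSettings` class and the field names `customCaPem` and `allowInsecureTrust` are hypothetical stand-ins for whatever configuration cx-flow would expose. It loads the CA from a PEM file into an in-memory trust store, so the JRE's `cacerts` file is never modified and certificate rotation becomes a file swap rather than a keytool step.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import javax.net.ssl.SSLContext;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.ssl.SSLContexts;
import org.springframework.http.client.HttpComponentsClientHttpRequestFactory;
import org.springframework.web.client.RestTemplate;

public final class TrustConfiguredRestTemplate {

    /** Hypothetical settings object; cx-flow's real configuration keys may differ. */
    public static final class TlsSettings {
        /** PEM file holding one or more CA certificates, or null to use the JRE defaults. */
        public final Path customCaPem;
        /** Opt-in switch that disables server certificate validation entirely. */
        public final boolean allowInsecureTrust;

        public TlsSettings(Path customCaPem, boolean allowInsecureTrust) {
            this.customCaPem = customCaPem;
            this.allowInsecureTrust = allowInsecureTrust;
        }
    }

    /** Builds a RestTemplate whose trust decision follows the supplied settings. */
    public static RestTemplate build(TlsSettings s) throws Exception {
        SSLContext sslContext;
        if (s.allowInsecureTrust) {
            // Insecure mode: every chain is accepted. Only reachable through the explicit flag.
            sslContext = SSLContexts.custom()
                    .loadTrustMaterial(null, (chain, authType) -> true)
                    .build();
        } else if (s.customCaPem != null) {
            // Preferred mode: trust exactly the CAs in the PEM file, validated normally.
            sslContext = SSLContexts.custom()
                    .loadTrustMaterial(trustStoreFromPem(s.customCaPem), null)
                    .build();
        } else {
            // Default mode: the JRE trust store as-is.
            sslContext = SSLContexts.createDefault();
        }

        // This constructor keeps HttpClient's default hostname verifier in every mode,
        // so even the insecure branch still checks that the certificate name matches the host.
        SSLConnectionSocketFactory csf = new SSLConnectionSocketFactory(sslContext);
        CloseableHttpClient httpClient = HttpClients.custom()
                .setSSLSocketFactory(csf)
                .build();
        return new RestTemplate(new HttpComponentsClientHttpRequestFactory(httpClient));
    }

    /** Reads every certificate in a PEM file into a fresh in-memory trust store. */
    static KeyStore trustStoreFromPem(Path pem) throws Exception {
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null); // start empty; nothing on disk is touched
        CertificateFactory factory = CertificateFactory.getInstance("X.509");
        try (InputStream in = Files.newInputStream(pem)) {
            int index = 0;
            for (Certificate cert : factory.generateCertificates(in)) {
                trustStore.setCertificateEntry("custom-ca-" + index++, cert);
            }
        }
        return trustStore;
    }

    public static void main(String[] args) throws Exception {
        // Example wiring: a custom CA file with insecure mode left off.
        Path caFile = Path.of(args.length > 0 ? args[0] : "localcert.cert");
        RestTemplate template = build(new TlsSettings(caFile, false));
        System.out.println("RestTemplate built with request factory: "
                + template.getRequestFactory().getClass().getSimpleName());
    }
}
```

Two points to keep in mind when wiring this in. A custom trust store built this way replaces the JRE defaults for that client, so if the same RestTemplate also talks to endpoints with publicly issued certificates (a hosted SCM, for instance), the public roots need to be added to the store as well. And because hostname verification stays on in all three branches, the insecure branch is narrower than it looks: a self-signed certificate whose subject alternative name does not match the server's host name will still be rejected, which is usually the desired failure rather than a defect.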

james-bostock-cx commented 2 months ago

I have raised the following FR which is for much the same thing: https://checkmarx1.aha.io/ideas/ideas/SDLC-I-98