authorChris Ramstad <cramstad@ciena.com>2020-03-04 13:10:18 -0800
committerChris Ramstad <cramstad@ciena.com>2020-03-04 13:12:48 -0800
commit41c956dcca4315fe0f396c684b5f6f0da49fb4b0 (patch)
tree6f3c469437233ce951bb1aafcd95e007aee84d7d
parent157ece6ced7b093701bd10f3a3cd42c5559529a0 (diff)
SONAR: Resolving server hostnames should be verified
Per Jorge Hernandez, we don't want to fix this, as it falls under the selfSignedCert clause, which is used in testing and non-production environments. Marking as //NOSONAR Issue-ID: POLICY-2389 Signed-off-by: Chris Ramstad <cramstad@ciena.com> Change-Id: Iaf47e19dc8450607b1dc3aa260370e9c0d7d491d
-rw-r--r--policy-endpoints/src/main/java/org/onap/policy/common/endpoints/http/client/internal/JerseyClient.java8
1 files changed, 7 insertions, 1 deletions
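diff --git a/policy-endpoints/src/main/java/org/onap/policy/common/endpoints/http/client/internal/JerseyClient.java b/policy-endpoints/src/main/java/org/onap/policy/common/endpoints/http/client/internal/JerseyClient.java
index c6a4fa41..ccbed5d9 100644
--- a/policy-endpoints/src/main/java/org/onap/policy/common/endpoints/http/client/internal/JerseyClient.java
+++ b/policy-endpoints/src/main/java/org/onap/policy/common/endpoints/http/client/internal/JerseyClient.java
@@ -131,8 +131,14 @@ public class JerseyClient implements HttpClient {
 SSLContext sslContext = SSLContext.getInstance("TLSv1.2");
 if (this.selfSignedCerts) {
 sslContext.init(null, NetworkUtil.getAlwaysTrustingManager(), new SecureRandom());
+
+ // This falls under self signed certs which is used for non-production testing environments where
+ // the hostname in the cert is unlikely to be crafted properly. We always return true for the
+ // hostname verifier. This causes a sonar vuln but we ignore it as it could cause problems in some
+ // testing environments.
 clientBuilder =
- ClientBuilder.newBuilder().sslContext(sslContext).hostnameVerifier((host, session) -> true);
+ ClientBuilder.newBuilder().sslContext(sslContext).hostnameVerifier(
+ (host, session) -> true); //NOSONAR
 } else {
 sslContext.init(null, null, null);
 clientBuilder = ClientBuilder.newBuilder().sslContext(sslContext);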
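Review bot: The new comment records that the always-true hostname verifier is meant for non-production use, but nothing in this branch makes a production deployment with selfSignedCerts enabled observable; combined with NetworkUtil.getAlwaysTrustingManager() on the preceding line, both certificate validation and hostname verification are disabled for this client, so TLS no longer authenticates the peer at all. Consider logging at WARN level when this branch is taken (including the client's name or target so a misconfiguration stands out in operational logs), rather than relying on the comment alone. It would also help a later reader to mention the ticket next to the suppression, e.g. `(host, session) -> true); //NOSONAR see POLICY-2389`, so the rationale can be found without digging through history. The enclosing method starts before the hunk and continues past it.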