From 41c956dcca4315fe0f396c684b5f6f0da49fb4b0 Mon Sep 17 00:00:00 2001
From: Chris Ramstad
Date: Wed, 4 Mar 2020 13:10:18 -0800
Subject: SONAR: Resolving server hostnames should be verified
Per Jorge Hernandez, we don't want to fix this as it falls under the selfSignedCert clause which is used in testing and non-production environments. Marking as //NOSONAR
Issue-ID: POLICY-2389
Signed-off-by: Chris Ramstad
Change-Id: Iaf47e19dc8450607b1dc3aa260370e9c0d7d491d
---
 .../common/endpoints/http/client/internal/JerseyClient.java | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/policy-endpoints/src/main/java/org/onap/policy/common/endpoints/http/client/internal/JerseyClient.java b/policy-endpoints/src/main/java/org/onap/policy/common/endpoints/http/client/internal/JerseyClient.java
index c6a4fa41..ccbed5d9 100644
--- a/policy-endpoints/src/main/java/org/onap/policy/common/endpoints/http/client/internal/JerseyClient.java
+++ b/policy-endpoints/src/main/java/org/onap/policy/common/endpoints/http/client/internal/JerseyClient.java
@@ -131,8 +131,14 @@ public class JerseyClient implements HttpClient {
 SSLContext sslContext = SSLContext.getInstance("TLSv1.2");
 if (this.selfSignedCerts) {
 sslContext.init(null, NetworkUtil.getAlwaysTrustingManager(), new SecureRandom());
+
+ // This falls under self signed certs which is used for non-production testing environments where
+ // the hostname in the cert is unlikely to be crafted properly. We always return true for the
+ // hostname verifier. This causes a sonar vuln but we ignore it as it could cause problems in some
+ // testing environments.
 clientBuilder =
- ClientBuilder.newBuilder().sslContext(sslContext).hostnameVerifier((host, session) -> true);
+ ClientBuilder.newBuilder().sslContext(sslContext).hostnameVerifier(
+ (host, session) -> true); //NOSONAR
 } else {
 sslContext.init(null, null, null);
 clientBuilder = ClientBuilder.newBuilder().sslContext(sslContext);
-- 
cgit 1.2.3-korg
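Review bot: The new comment above the `hostnameVerifier((host, session) -> true)` line describes selfSignedCerts as a non-production setting, but nothing in the hunk ties the flag to a test environment; it is ordinary runtime configuration, and when set it combines `NetworkUtil.getAlwaysTrustingManager()` with an accept-all verifier, so the connection has no TLS peer authentication at all. The comment should state that consequence plainly rather than describe the Sonar finding, e.g. `// selfSignedCerts disables BOTH certificate-chain validation (trust manager above) and hostname verification; the peer is not authenticated. Dev/test configurations only.` If the class has a logger, a WARN when this branch is taken would let operators notice the flag being enabled where it should not be, along the lines of `logger.warn("selfSignedCerts enabled: TLS peer authentication disabled");` (logger field name assumed, confirm against the class). The enclosing method starts and ends outside the hunk.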