Fix Analyzer Manager proxy #506
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
bd8e75a to
f896559
Compare
eyalk007
commented
May 15, 2025
| @@ -329,7 +328,6 @@ private Map<String, String> createEnvWithCredentials() { | |||
| proxyUrl = proxyConfiguration.username + ":" + proxyConfiguration.password + "@" + proxyUrl; | |||
| } | |||
| env.put(ENV_HTTP_PROXY, "http://" + proxyUrl); | |||
There was a problem hiding this comment.
ignored as we support http proxy
@hadarshjfrog
want me to use jfrog ignore?
|
@eyalk007 - how will this change will keep supporting HTTPS then? if you only removed it |
|
what about the case that there actual HTTPS proxy? |
hadarshjfrog
approved these changes
May 26, 2025
|
📗 Scan Summary
|
| @@ -328,8 +327,8 @@ private Map<String, String> createEnvWithCredentials() { | |||
| if (StringUtils.isNoneBlank(proxyConfiguration.username, proxyConfiguration.password)) { | |||
| proxyUrl = proxyConfiguration.username + ":" + proxyConfiguration.password + "@" + proxyUrl; | |||
| } | |||
| //jfrog-ignore .We have support for HTTP proxy | |||
| env.put(ENV_HTTP_PROXY, "http://" + proxyUrl); | |||
There was a problem hiding this comment.
🎯 Static Application Security Testing (SAST) Vulnerability
| Severity | Finding |
|---|---|
 Low |
Detected usage of communication methods lacking encryption. |
Full description
Vulnerability Details
| CWE: | 319 |
| Rule ID: | java-insecure-protocol |
Overview
Using insecure protocols—such as HTTP, FTP, or LDAP—can expose sensitive
data during transmission, making it vulnerable to eavesdropping and man-in-the-middle
attacks. Secure protocols like HTTPS and FTPS should be used to ensure data
encryption during communication.
Vulnerable example
In this example, the application uses insecure protocols to communicate,
taking the protocol type from hardcoded strings.
package main
import (
"fmt"
)
type SwampService struct {
InsecureHttpProtocol string
InsecureFtpProtocol string
}
func NewSwampService() *SwampService {
return &SwampService{
InsecureHttpProtocol: "https://", // Insecure protocol
InsecureFtpProtocol: "ftp://", // Insecure protocol
}
}
func (s *SwampService) ConnectToFrogService(server string) {
url := s.InsecureHttpProtocol + server + "/frogEndpoint"
s.connect(url)
url = s.InsecureFtpProtocol + server + "/frogFile"
s.connect(url)
}
func (s *SwampService) connect(url string) {
fmt.Printf("Connecting to %s\n", url)
// Logic to connect to the service
}
func main() {
service := NewSwampService()
service.ConnectToFrogService("example.com")
}In this vulnerable example, the ConnectToFrogService method uses hardcoded
insecure protocols (HTTP and FTP) to connect, making communications susceptible
to attacks.
Remediation
To mitigate the use of insecure protocols, replace them with secure alternatives
such as HTTPS or FTPS.
package main
import (
"fmt"
)
type SwampService struct {
InsecureHttpProtocol string
InsecureFtpProtocol string
}
func NewSwampService() *SwampService {
return &SwampService{
InsecureHttpProtocol: "https://", // Insecure protocol
InsecureFtpProtocol: "ftp://", // Insecure protocol
}
}
func (s *SwampService) ConnectToFrogService(server string) {
url := s.InsecureHttpProtocol + server + "/frogEndpoint"
s.connect(url)
url = s.InsecureFtpProtocol + server + "/frogFile"
s.connect(url)
}
func (s *SwampService) connect(url string) {
fmt.Printf("Connecting to %s\n", url)
// Logic to connect to the service
}
func main() {
service := NewSwampService()
service.ConnectToFrogService("example.com")
}In this remediated example, the ConnectToFrogService method utilizes
secure protocols (HTTPS and FTPS) to ensure that communications are encrypted,
thereby protecting sensitive data.
322c8e8 to
f896559
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
We only support HTTP proxy for now as JetBrains does not give indication if proxy is HTTP or HTTPS
when moving to CLI, we will create a ping function to determine if proxy is HTTP or HTTPS
Also fixed python test