
Fix Analyzer Manager proxy #506


Merged

merged 4 commits into jfrog:master from bug-fix/fix-am-proxy on May 27, 2025

Conversation


@eyalk007 eyalk007 commented May 15, 2025

  • All tests passed. If this feature is not already covered by the tests, I added new tests.

We only support an HTTP proxy for now, as JetBrains gives no indication of whether the proxy is HTTP or HTTPS.
When moving to the CLI, we will create a ping function to determine whether the proxy is HTTP or HTTPS.

Also fixed the Python test.

@eyalk007 eyalk007 requested a review from hadarshjfrog May 15, 2025 14:16
@eyalk007 eyalk007 self-assigned this May 15, 2025
@eyalk007 eyalk007 added the bug Something isn't working label May 15, 2025
@eyalk007 eyalk007 changed the title fix Analyzer Manager proxy Fix Analyzer Manager proxy May 15, 2025
@eyalk007 eyalk007 force-pushed the bug-fix/fix-am-proxy branch from bd8e75a to f896559 May 15, 2025 14:24
@@ -329,7 +328,6 @@ private Map<String, String> createEnvWithCredentials() {
proxyUrl = proxyConfiguration.username + ":" + proxyConfiguration.password + "@" + proxyUrl;
}
env.put(ENV_HTTP_PROXY, "http://" + proxyUrl);
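Review bot: on the `proxyUrl = proxyConfiguration.username + ":" + proxyConfiguration.password + "@" + proxyUrl;` line the credentials go into the URL unescaped, so a username or password containing `@`, `:`, `/`, `?` or `%` produces a value that consumers of HTTP_PROXY reject or split at the wrong `@`; percent-encode each component first (for example `URLEncoder.encode(value, StandardCharsets.UTF_8)`, remembering that it turns spaces into `+`). The header `@@ -329,7 +328,6 @@` shows the hunk drops one line and leaves only `ENV_HTTP_PROXY` set; please confirm the Analyzer Manager still proxies https:// targets, because tools that follow the usual proxy-environment convention read HTTPS_PROXY for those and connect directly when it is absent, and an http:// proxy URL in HTTPS_PROXY is still correct since the proxy carries the TLS session as a CONNECT tunnel.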
Contributor Author

@eyalk007 eyalk007 May 15, 2025


Ignored, as we support HTTP proxy.
@hadarshjfrog
Want me to use jfrog-ignore?

@eyalk007 eyalk007 added the safe to test Approve running integration tests on a pull request label May 15, 2025
@github-actions github-actions bot removed the safe to test Approve running integration tests on a pull request label May 15, 2025
@hadarshjfrog
Collaborator

@eyalk007 - how will this change keep supporting HTTPS then, if you only removed it?

@hadarshjfrog
Collaborator

What about the case where there is an actual HTTPS proxy?
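The HTTPS-proxy case raised here is exactly what the ping function mentioned in the description would have to answer before choosing a scheme for the proxy URL. The block below is an added example, not code from the plugin or the JFrog CLI, with the hypothetical name ProbeProxyScheme: it dials the proxy's client-facing port, starts a TLS handshake, and classifies the reply, reporting "https" when the peer speaks TLS, "http" when it answers with a plain HTTP response, and an error rather than a guess when the peer times out or closes silently. The host:port given to it and the behaviour of the proxy are assumptions; certificate verification is switched off only because the connection is used for detection and is then discarded.

```go
package main

import (
	"crypto/tls"
	"errors"
	"fmt"
	"io"
	"net"
	"os"
	"time"
)

// ProbeProxyScheme reports whether the proxy at addr (host:port) expects
// plain HTTP ("http") or TLS ("https") from its clients. It dials the proxy
// and starts a TLS handshake, then classifies what comes back:
//   - a TLS proxy replies with a TLS record (ServerHello or an alert), so the
//     handshake completes or fails at the TLS layer -> "https";
//   - a plain HTTP proxy answers the ClientHello bytes with something like
//     "HTTP/1.1 400 Bad Request", which crypto/tls reports as a
//     tls.RecordHeaderError -> "http";
//   - a timeout, a reset, or a peer that closes without sending anything is
//     returned as an error instead of a guess.
// Certificate verification is disabled because only the wire protocol is
// being detected; this connection never carries traffic.
func ProbeProxyScheme(addr string, timeout time.Duration) (string, error) {
	host, _, err := net.SplitHostPort(addr)
	if err != nil {
		return "", err
	}
	conn, err := net.DialTimeout("tcp", addr, timeout)
	if err != nil {
		return "", err
	}
	defer conn.Close()
	if err := conn.SetDeadline(time.Now().Add(timeout)); err != nil {
		return "", err
	}
	tc := tls.Client(conn, &tls.Config{
		ServerName:         host,
		InsecureSkipVerify: true, // detection only, see the comment above
	})
	err = tc.Handshake()
	if err == nil {
		return "https", nil
	}
	var rhe tls.RecordHeaderError
	if errors.As(err, &rhe) {
		return "http", nil // the first bytes back were not a TLS record
	}
	if errors.Is(err, io.EOF) || errors.Is(err, io.ErrUnexpectedEOF) {
		return "", fmt.Errorf("probe %s: peer closed the connection without answering", addr)
	}
	var nerr net.Error
	if errors.As(err, &nerr) {
		if nerr.Timeout() {
			return "", fmt.Errorf("probe %s: no answer within %s", addr, timeout)
		}
		return "", fmt.Errorf("probe %s: %w", addr, err)
	}
	// Anything else is a TLS-layer failure (an alert, a rejected parameter),
	// which means the peer speaks TLS.
	return "https", nil
}

func main() {
	if len(os.Args) != 2 {
		fmt.Fprintln(os.Stderr, "usage: probe host:port")
		os.Exit(2)
	}
	scheme, err := ProbeProxyScheme(os.Args[1], 3*time.Second)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Printf("%s://%s\n", scheme, os.Args[1])
}
```

The probe is cheap enough to run once when the proxy settings change and cache; a proxy that authenticates the probe connection or sends an alert still counts as TLS, because the classification only asks which protocol the first reply is written in.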

@eyalk007 eyalk007 added the safe to test Approve running integration tests on a pull request label May 27, 2025

🚨 Frogbot scanned this pull request and found the below:

📗 Scan Summary

  • Frogbot scanned for vulnerabilities and found 1 issue
Scan Category                                Status   Security Issues
Software Composition Analysis                ✅ Done  Not Found
Contextual Analysis                          ✅ Done  -
Static Application Security Testing (SAST)   ✅ Done  1 Issue Found (1 Low)
Secrets                                      ✅ Done  -
Infrastructure as Code (IaC)                 ✅ Done  Not Found

@github-actions github-actions bot removed the safe to test Approve running integration tests on a pull request label May 27, 2025
@@ -328,8 +327,8 @@ private Map<String, String> createEnvWithCredentials() {
if (StringUtils.isNoneBlank(proxyConfiguration.username, proxyConfiguration.password)) {
proxyUrl = proxyConfiguration.username + ":" + proxyConfiguration.password + "@" + proxyUrl;
}
//jfrog-ignore .We have support for HTTP proxy
env.put(ENV_HTTP_PROXY, "http://" + proxyUrl);
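Review bot: the `//jfrog-ignore .We have support for HTTP proxy` comment has a stray period and states what is done rather than why the CWE-319 finding does not apply; record the reason instead, namely that the scheme only describes the hop from the plugin to the proxy, and an HTTP proxy still forwards https:// targets through a CONNECT tunnel, while noting that the proxy credentials on the line above do cross that first hop in clear. Also, the `StringUtils.isNoneBlank(proxyConfiguration.username, proxyConfiguration.password)` guard silently omits credentials when only one of the two is set, so a proxy configured with a username and an empty password is contacted unauthenticated with nothing logged to explain the proxy authentication failure that follows; log or reject that configuration explicitly.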


🎯 Static Application Security Testing (SAST) Vulnerability

Severity: Low
Finding: Detected usage of communication methods lacking encryption.

Vulnerability Details

CWE: 319
Rule ID: java-insecure-protocol

Overview

Using insecure protocols—such as HTTP, FTP, or LDAP—can expose sensitive
data during transmission, making it vulnerable to eavesdropping and man-in-the-middle
attacks. Secure protocols like HTTPS and FTPS should be used to ensure data
encryption during communication.

Vulnerable example

In this example, the application uses insecure protocols to communicate,
taking the protocol type from hardcoded strings.

package main

import (
    "fmt"
)

type SwampService struct {
    InsecureHttpProtocol string
    InsecureFtpProtocol  string
}

func NewSwampService() *SwampService {
    return &SwampService{
        InsecureHttpProtocol: "http://", // Insecure protocol
        InsecureFtpProtocol:  "ftp://",  // Insecure protocol
    }
}

func (s *SwampService) ConnectToFrogService(server string) {
    url := s.InsecureHttpProtocol + server + "/frogEndpoint"
    s.connect(url)

    url = s.InsecureFtpProtocol + server + "/frogFile"
    s.connect(url)
}

func (s *SwampService) connect(url string) {
    fmt.Printf("Connecting to %s\n", url)
    // Logic to connect to the service
}

func main() {
    service := NewSwampService()
    service.ConnectToFrogService("example.com")
}

In this vulnerable example, the ConnectToFrogService method uses hardcoded
insecure protocols (HTTP and FTP) to connect, making communications susceptible
to attacks.

Remediation

To mitigate the use of insecure protocols, replace them with secure alternatives
such as HTTPS or FTPS.

package main

import (
    "fmt"
)

type SwampService struct {
    SecureHttpProtocol string
    SecureFtpProtocol  string
}

func NewSwampService() *SwampService {
    return &SwampService{
        SecureHttpProtocol: "https://", // Secure protocol: TLS-protected HTTP
        SecureFtpProtocol:  "ftps://",  // Secure protocol: FTP over TLS
    }
}

func (s *SwampService) ConnectToFrogService(server string) {
    url := s.SecureHttpProtocol + server + "/frogEndpoint"
    s.connect(url)

    url = s.SecureFtpProtocol + server + "/frogFile"
    s.connect(url)
}

func (s *SwampService) connect(url string) {
    fmt.Printf("Connecting to %s\n", url)
    // Logic to connect to the service
}

func main() {
    service := NewSwampService()
    service.ConnectToFrogService("example.com")
}

In this remediated example, the ConnectToFrogService method utilizes
secure protocols (HTTPS and FTPS) to ensure that communications are encrypted,
thereby protecting sensitive data.



@eyalk007 eyalk007 merged commit 10608ab into jfrog:master May 27, 2025
7 of 9 checks passed