Fix Analyzer Manager proxy #506
Conversation
bd8e75a to f896559
@@ -329,7 +328,6 @@ private Map<String, String> createEnvWithCredentials() { | |||
proxyUrl = proxyConfiguration.username + ":" + proxyConfiguration.password + "@" + proxyUrl; | |||
} | |||
env.put(ENV_HTTP_PROXY, "http://" + proxyUrl); |
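Review bot: the line `proxyUrl = proxyConfiguration.username + ":" + proxyConfiguration.password + "@" + proxyUrl;` concatenates the credentials raw, so a password containing `@`, `/` or `:` yields a proxy URL that the child process will split at the wrong place; percent-encode the user-info before prepending it (for example by building the value with the multi-argument `java.net.URI` constructor, which quotes illegal characters in the user-info component). The header `@@ -329,7 +328,6 @@` also shows one line removed that is not in the visible context; since the result of the hunk is that only `ENV_HTTP_PROXY` is set, the PR description should say explicitly that HTTPS proxies are intentionally not handled by this change.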
ignored as we support http proxy
@hadarshjfrog
want me to use jfrog ignore?
@eyalk007 - how will this change keep supporting HTTPS then, if you only removed it?
what about the case where there is an actual HTTPS proxy?
📗 Scan Summary
@@ -328,8 +327,8 @@ private Map<String, String> createEnvWithCredentials() { | |||
if (StringUtils.isNoneBlank(proxyConfiguration.username, proxyConfiguration.password)) { | |||
proxyUrl = proxyConfiguration.username + ":" + proxyConfiguration.password + "@" + proxyUrl; | |||
} | |||
//jfrog-ignore .We have support for HTTP proxy | |||
env.put(ENV_HTTP_PROXY, "http://" + proxyUrl); |
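Review bot: the suppression comment `//jfrog-ignore .We have support for HTTP proxy` has a stray period before "We" and should record the reasoning the scanner cannot infer: the `http://` scheme in `env.put(ENV_HTTP_PROXY, "http://" + proxyUrl);` describes how the proxy itself is reached, not whether the proxied traffic is encrypted, and HTTPS proxies are deliberately unsupported until the proxy scheme can be detected. Because that same line places `username:password` into the child process environment, the comment is also the right place to note that this environment map must never be logged or included in diagnostics as-is.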
🎯 Static Application Security Testing (SAST) Vulnerability
Vulnerability Details
CWE: 319
Rule ID: java-insecure-protocol
Overview
Using insecure protocols—such as HTTP, FTP, or LDAP—can expose sensitive
data during transmission, making it vulnerable to eavesdropping and man-in-the-middle
attacks. Secure protocols like HTTPS and FTPS should be used to ensure data
encryption during communication.
Vulnerable example
In this example, the application uses insecure protocols to communicate,
taking the protocol type from hardcoded strings.
```go
package main

import (
	"fmt"
)

type SwampService struct {
	InsecureHttpProtocol string
	InsecureFtpProtocol  string
}

func NewSwampService() *SwampService {
	return &SwampService{
		InsecureHttpProtocol: "http://", // Insecure protocol
		InsecureFtpProtocol:  "ftp://",  // Insecure protocol
	}
}

func (s *SwampService) ConnectToFrogService(server string) {
	url := s.InsecureHttpProtocol + server + "/frogEndpoint"
	s.connect(url)
	url = s.InsecureFtpProtocol + server + "/frogFile"
	s.connect(url)
}

func (s *SwampService) connect(url string) {
	fmt.Printf("Connecting to %s\n", url)
	// Logic to connect to the service
}

func main() {
	service := NewSwampService()
	service.ConnectToFrogService("example.com")
}
```
In this vulnerable example, the ConnectToFrogService method uses hardcoded insecure protocols (HTTP and FTP) to connect, making communications susceptible to attacks.
Remediation
To mitigate the use of insecure protocols, replace them with secure alternatives
such as HTTPS or FTPS.
```go
package main

import (
	"fmt"
)

type SwampService struct {
	SecureHttpProtocol string
	SecureFtpProtocol  string
}

func NewSwampService() *SwampService {
	return &SwampService{
		SecureHttpProtocol: "https://", // Secure protocol: TLS-encrypted HTTP
		SecureFtpProtocol:  "ftps://",  // Secure protocol: FTP over TLS
	}
}

func (s *SwampService) ConnectToFrogService(server string) {
	url := s.SecureHttpProtocol + server + "/frogEndpoint"
	s.connect(url)
	url = s.SecureFtpProtocol + server + "/frogFile"
	s.connect(url)
}

func (s *SwampService) connect(url string) {
	fmt.Printf("Connecting to %s\n", url)
	// Logic to connect to the service
}

func main() {
	service := NewSwampService()
	service.ConnectToFrogService("example.com")
}
```
In this remediated example, the ConnectToFrogService method utilizes secure protocols (HTTPS and FTPS) to ensure that communications are encrypted, thereby protecting sensitive data.
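As an added example (not code from this PR, the plugin, or the scanner's report), the Go program below builds the proxy environment the hunk above builds, but from a typed configuration: the scheme used to reach the proxy is checked against an allow-list instead of being hardcoded, the credentials are percent-encoded with net/url rather than concatenated, and a Redact helper produces a form of the URL that is safe to log. ProxyConfig, BuildProxyURL, ProxyEnv and Redact are hypothetical names, and the host, port and credential values are constructed for the demonstration.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// ProxyConfig is a hypothetical stand-in for the proxy settings used in the
// PR hunk. Scheme is how the proxy itself is reached, not the target traffic.
type ProxyConfig struct {
	Scheme   string // "http" or "https"
	Host     string
	Port     int
	Username string
	Password string
}

// allowedSchemes is the policy: anything else (socks5, empty, typos) is rejected
// before it can reach a child process environment.
var allowedSchemes = map[string]bool{"http": true, "https": true}

// BuildProxyURL assembles the proxy URL. Credentials go through
// url.UserPassword so a password containing ':', '@' or '/' is percent-encoded
// instead of corrupting the URL, which plain string concatenation would do.
func BuildProxyURL(cfg ProxyConfig) (string, error) {
	scheme := strings.ToLower(cfg.Scheme)
	if !allowedSchemes[scheme] {
		return "", fmt.Errorf("unsupported proxy scheme %q", cfg.Scheme)
	}
	if cfg.Host == "" {
		return "", fmt.Errorf("proxy host is empty")
	}
	u := &url.URL{Scheme: scheme, Host: fmt.Sprintf("%s:%d", cfg.Host, cfg.Port)}
	// Mirror the hunk's isNoneBlank check: only attach credentials when both parts exist.
	if cfg.Username != "" && cfg.Password != "" {
		u.User = url.UserPassword(cfg.Username, cfg.Password)
	}
	return u.String(), nil
}

// ProxyEnv returns the entries to hand to a child process. Both variables point
// at the same proxy: the variable name states which target scheme is proxied,
// while the URL's own scheme states how the proxy is reached.
func ProxyEnv(cfg ProxyConfig) (map[string]string, error) {
	p, err := BuildProxyURL(cfg)
	if err != nil {
		return nil, err
	}
	return map[string]string{"HTTP_PROXY": p, "HTTPS_PROXY": p}, nil
}

// Redact replaces the password in a proxy URL so the value can be logged.
func Redact(proxyURL string) string {
	u, err := url.Parse(proxyURL)
	if err != nil || u.User == nil {
		return proxyURL
	}
	u.User = url.UserPassword(u.User.Username(), "REDACTED")
	return u.String()
}

func main() {
	// Constructed sample configuration; the password deliberately contains URL delimiters.
	cfg := ProxyConfig{Scheme: "http", Host: "proxy.example", Port: 3128,
		Username: "alice", Password: "p@ss:w/rd"}
	env, err := ProxyEnv(cfg)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for k, v := range env {
		fmt.Printf("%s=%s\n", k, Redact(v))
	}
	if _, err := BuildProxyURL(ProxyConfig{Scheme: "socks5", Host: "proxy.example", Port: 1080}); err != nil {
		fmt.Println("rejected:", err)
	}
}
```

The encoded URL parses back to the original password, which is the property the raw concatenation in the hunk lacks; logging goes through Redact so the environment map is never printed with the secret in it.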
322c8e8 to f896559
We only support an HTTP proxy for now, as JetBrains does not give an indication of whether the proxy is HTTP or HTTPS.
When moving to the CLI, we will create a ping function to determine whether the proxy is HTTP or HTTPS.
Also fixed the Python test.