SONAR: Resolving server hostnames should be verified 66/103066/1
author Chris Ramstad <cramstad@ciena.com>
Wed, 4 Mar 2020 21:10:18 +0000 (13:10 -0800)
committer Chris Ramstad <cramstad@ciena.com>
Wed, 4 Mar 2020 21:12:48 +0000 (13:12 -0800)
Per Jorge Hernandez, we don't want to fix this as
it falls under the selfSignedCert clause which is
used in testing and non-production environments.

Marking as //NOSONAR

Issue-ID: POLICY-2389
Signed-off-by: Chris Ramstad <cramstad@ciena.com>
Change-Id: Iaf47e19dc8450607b1dc3aa260370e9c0d7d491d

policy-endpoints/src/main/java/org/onap/policy/common/endpoints/http/client/internal/JerseyClient.java

index c6a4fa4..ccbed5d 100644 (file)
@@ -131,8 +131,14 @@ public class JerseyClient implements HttpClient {
             SSLContext sslContext = SSLContext.getInstance("TLSv1.2");
             if (this.selfSignedCerts) {
                 sslContext.init(null, NetworkUtil.getAlwaysTrustingManager(), new SecureRandom());
+
+                // This falls under self signed certs which is used for non-production testing environments where
+                // the hostname in the cert is unlikely to be crafted properly.  We always return true for the
+                // hostname verifier.  This causes a sonar vuln but we ignore it as it could cause problems in some
+                // testing environments.
                 clientBuilder =
-                        ClientBuilder.newBuilder().sslContext(sslContext).hostnameVerifier((host, session) -> true);
+                        ClientBuilder.newBuilder().sslContext(sslContext).hostnameVerifier(
+                            (host, session) -> true); //NOSONAR
             } else {
                 sslContext.init(null, null, null);
                 clientBuilder = ClientBuilder.newBuilder().sslContext(sslContext);
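Review bot: on the selfSignedCerts branch the always-true hostnameVerifier is combined with NetworkUtil.getAlwaysTrustingManager(), so the client accepts any certificate from any host and the only thing keeping this out of production traffic is the selfSignedCerts flag itself; since the //NOSONAR marker will hide the finding from future scans, suggest emitting a warning-level log line when this branch is taken (just after `sslContext.init(null, NetworkUtil.getAlwaysTrustingManager(), new SecureRandom());`) so a deployment that has the flag enabled by mistake is visible in its logs, and tightening the comment wording to "self-signed certs, which are used for non-production test environments" and "Sonar vulnerability" for readability.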