From: Chris Ramstad Date: Wed, 4 Mar 2020 21:10:18 +0000 (-0800) Subject: SONAR: Resolving server hostnames should be verified X-Git-Tag: 1.6.2~3 X-Git-Url: https://gerrit.onap.org/r/gitweb?a=commitdiff_plain;h=refs%2Fchanges%2F66%2F103066%2F1;p=policy%2Fcommon.git SONAR: Resolving server hostnames should be verified Per Jorge Hernandez, we don't want to fix this as it falls under the selfSignedCert clause which is used in testing and non-production environments. Marking as //NOSONAR Issue-ID: POLICY-2389 Signed-off-by: Chris Ramstad Change-Id: Iaf47e19dc8450607b1dc3aa260370e9c0d7d491d --- diff --git a/policy-endpoints/src/main/java/org/onap/policy/common/endpoints/http/client/internal/JerseyClient.java b/policy-endpoints/src/main/java/org/onap/policy/common/endpoints/http/client/internal/JerseyClient.java index c6a4fa41..ccbed5d9 100644 --- a/policy-endpoints/src/main/java/org/onap/policy/common/endpoints/http/client/internal/JerseyClient.java +++ b/policy-endpoints/src/main/java/org/onap/policy/common/endpoints/http/client/internal/JerseyClient.java @@ -131,8 +131,14 @@ public class JerseyClient implements HttpClient { SSLContext sslContext = SSLContext.getInstance("TLSv1.2"); if (this.selfSignedCerts) { sslContext.init(null, NetworkUtil.getAlwaysTrustingManager(), new SecureRandom()); + + // This falls under self signed certs which is used for non-production testing environments where + // the hostname in the cert is unlikely to be crafted properly. We always return true for the + // hostname verifier. This causes a sonar vuln but we ignore it as it could cause problems in some + // testing environments. clientBuilder = - ClientBuilder.newBuilder().sslContext(sslContext).hostnameVerifier((host, session) -> true); + ClientBuilder.newBuilder().sslContext(sslContext).hostnameVerifier( + (host, session) -> true); //NOSONAR } else { sslContext.init(null, null, null); clientBuilder = ClientBuilder.newBuilder().sslContext(sslContext);
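Review bot: Marking `hostnameVerifier((host, session) -> true)` with `//NOSONAR` silences the finding without narrowing the exposure: in this branch the context is already initialised with `NetworkUtil.getAlwaysTrustingManager()`, so with hostname verification also disabled the client accepts any certificate from any host whenever `selfSignedCerts` is true, and nothing in the hunk prevents that flag from being set on a production endpoint. If the flag has to stay, consider at least logging a warning when `this.selfSignedCerts` is set, or loading the known self-signed certificate into a trust store so that chain validation and hostname checking can remain enabled instead of being bypassed wholesale (the `else` branch, with `sslContext.init(null, null, null)` and no custom verifier, is the right baseline). The added comment is also ambiguous: "we ignore it as it could cause problems in some testing environments" reads as if the Sonar finding itself causes the problems; say instead that enforcing hostname verification would break test environments whose certificates do not carry the correct hostname.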