Merge pull request #20 from blagerweij/feature/support-disable-strict-tls

Support for disabling strict TLS checking

Author: nvima

src/main/kotlin/com/liftric/dtcp/DepTrackCompanionPlugin.kt

@@ -33,6 +33,7 @@ class DepTrackCompanionPlugin : Plugin<Project> {
             task.projectVersion.set(extension.projectVersion)
             task.parentUUID.set(extension.parentUUID)
             task.ignoreProjectAlreadyExists.set(extension.ignoreProjectAlreadyExists)
+            task.disableStrictTLS.set(extension.disableStrictTLS)
         }
 
         val generateSbom = project.tasks.register("generateSbom") { task ->
@@ -54,6 +55,7 @@ class DepTrackCompanionPlugin : Plugin<Project> {
             task.parentUUID.set(extension.parentUUID)
             task.parentName.set(extension.parentName)
             task.parentVersion.set(extension.parentVersion)
+            task.disableStrictTLS.set(extension.disableStrictTLS)
             task.ignoreErrors.set(extension.ignoreErrors)
             task.dependsOn(generateSbom)
         }
@@ -78,6 +80,7 @@ class DepTrackCompanionPlugin : Plugin<Project> {
             task.projectUUID.set(extension.projectUUID)
             task.projectName.set(extension.projectName)
             task.projectVersion.set(extension.projectVersion)
+            task.disableStrictTLS.set(extension.disableStrictTLS)
             task.mustRunAfter(generateVex)
             task.dependsOn(generateVex)
         }
@@ -90,6 +93,7 @@ class DepTrackCompanionPlugin : Plugin<Project> {
             task.projectUUID.set(extension.projectUUID)
             task.projectName.set(extension.projectName)
             task.projectVersion.set(extension.projectVersion)
+            task.disableStrictTLS.set(extension.disableStrictTLS)
         }
 
         val riskScore = project.tasks.register("riskScore", RiskScoreTask::class.java) { task ->
@@ -101,6 +105,7 @@ class DepTrackCompanionPlugin : Plugin<Project> {
             task.projectName.set(extension.projectName)
             task.projectVersion.set(extension.projectVersion)
             task.riskScore.set(extension.riskScoreData)
+            task.disableStrictTLS.set(extension.disableStrictTLS)
         }
 
         project.tasks.register("runDepTrackWorkflow") { task ->
@@ -118,6 +123,7 @@ class DepTrackCompanionPlugin : Plugin<Project> {
             task.projectUUID.set(extension.projectUUID)
             task.projectName.set(extension.projectName)
             task.projectVersion.set(extension.projectVersion)
+            task.disableStrictTLS.set(extension.disableStrictTLS)
         }
 
         project.tasks.register("getSuppressedVuln", GetSuppressedVulnTask::class.java) { task ->
@@ -128,6 +134,7 @@ class DepTrackCompanionPlugin : Plugin<Project> {
             task.projectUUID.set(extension.projectUUID)
             task.projectName.set(extension.projectName)
             task.projectVersion.set(extension.projectVersion)
+            task.disableStrictTLS.set(extension.disableStrictTLS)
         }
     }
 }

src/main/kotlin/com/liftric/dtcp/extensions/DepTrackCompanionExtension.kt

@@ -23,6 +23,7 @@ abstract class DepTrackCompanionExtension(val project: Project) {
     abstract val parentName: Property<String>
     abstract val parentVersion: Property<String>
     abstract val ignoreProjectAlreadyExists: Property<Boolean>
+    abstract val disableStrictTLS: Property<Boolean>
     abstract val ignoreErrors: Property<Boolean>
 
     abstract val riskScoreData: Property<RiskScoreBuilder>

src/main/kotlin/com/liftric/dtcp/service/ApiService.kt

@@ -12,8 +12,24 @@ import io.ktor.http.*
 import kotlinx.serialization.KSerializer
 import kotlinx.serialization.json.Json
 import java.io.File
+import java.security.cert.X509Certificate
+import javax.net.ssl.X509TrustManager
 
-class ApiService(apiKey: String) {
+class ApiService(apiKey: String, disableStrictTLS: Boolean = false) {
+
+    private val trustAllManager = if (disableStrictTLS) {
+        object: X509TrustManager {
+            @Suppress("kotlin:S4830")
+            override fun checkClientTrusted(chain: Array<out X509Certificate>?, authType: String?) { /* NOOP */ }
+
+            @Suppress("kotlin:S4830")
+            override fun checkServerTrusted(chain: Array<out X509Certificate>?, authType: String?) { /* NOOP */ }
+
+            override fun getAcceptedIssuers(): Array<X509Certificate>? = null
+        }
+    } else {
+        null
+    }
 
     private val client = HttpClient(CIO) {
         expectSuccess = true
@@ -27,6 +43,11 @@ class ApiService(apiKey: String) {
                 ignoreUnknownKeys = true
             })
         }
+        engine {
+            https {
+                trustManager = trustAllManager
+            }
+        }
     }
 
     suspend fun uploadFileWithFormData(

src/main/kotlin/com/liftric/dtcp/service/DependencyTrack.kt

@@ -6,9 +6,9 @@ import kotlinx.coroutines.delay
 import kotlinx.coroutines.runBlocking
 import java.io.File
 
-class DependencyTrack(apiKey: String, private val baseUrl: String) {
+class DependencyTrack(apiKey: String, private val baseUrl: String, private val disableStrictTLS: Boolean) {
 
-    private val client: ApiService = ApiService(apiKey)
+    private val client: ApiService = ApiService(apiKey, disableStrictTLS)
 
     fun getProject(projectName: String, projectVersion: String): Project = runBlocking {
         val url = "$baseUrl/api/v1/project/lookup?name=$projectName&version=$projectVersion"

src/main/kotlin/com/liftric/dtcp/tasks/AnalyzeProjectTask.kt

@@ -27,6 +27,10 @@ abstract class AnalyzeProjectTask : DefaultTask() {
     @get:Optional
     abstract val projectVersion: Property<String>
 
+    @get:Input
+    @get:Optional
+    abstract val disableStrictTLS: Property<Boolean>
+
     @TaskAction
     fun analyzeProjectTask() {
         val apiKeyValue = apiKey.get()
@@ -36,7 +40,7 @@ abstract class AnalyzeProjectTask : DefaultTask() {
         val projectNameValue = projectName.orNull
         val projectVersionValue = projectVersion.orNull
 
-        val dt = DependencyTrack(apiKeyValue, urlValue)
+        val dt = DependencyTrack(apiKeyValue, urlValue, disableStrictTLS.getOrElse(false))
 
         val uuid = when {
             projectUUIDValue != null -> projectUUIDValue

src/main/kotlin/com/liftric/dtcp/tasks/CreateProject.kt

@@ -40,9 +40,13 @@ abstract class CreateProject : DefaultTask() {
     @get:Optional
     abstract val ignoreProjectAlreadyExists: Property<Boolean>
 
+    @get:Input
+    @get:Optional
+    abstract val disableStrictTLS: Property<Boolean>
+
     @TaskAction
     fun createProjectTask() {
-        val dt = DependencyTrack(apiKey.get(), url.get())
+        val dt = DependencyTrack(apiKey.get(), url.get(), disableStrictTLS.getOrElse(false))
 
         val project = CreateProject(
             name = projectName.get(),

src/main/kotlin/com/liftric/dtcp/tasks/GetOutdatedDependenciesTask.kt

@@ -30,6 +30,11 @@ abstract class GetOutdatedDependenciesTask : DefaultTask() {
     @get:Optional
     abstract val projectVersion: Property<String>
 
+    @get:Input
+    @get:Optional
+    abstract val disableStrictTLS: Property<Boolean>
+
+
     @TaskAction
     fun getOutdatedDependenciesTask() {
         val apiKeyValue = apiKey.get()
@@ -38,7 +43,7 @@ abstract class GetOutdatedDependenciesTask : DefaultTask() {
         val projectNameValue = projectName.orNull
         val projectVersionValue = projectVersion.orNull
 
-        val dt = DependencyTrack(apiKeyValue, urlValue)
+        val dt = DependencyTrack(apiKeyValue, urlValue, disableStrictTLS.getOrElse(false))
 
         val project = when {
             projectUUIDValue != null -> dt.getProject(projectUUIDValue)

src/main/kotlin/com/liftric/dtcp/tasks/GetSuppressedVulnTask.kt

@@ -28,6 +28,10 @@ abstract class GetSuppressedVulnTask : DefaultTask() {
     @get:Optional
     abstract val projectVersion: Property<String>
 
+    @get:Input
+    @get:Optional
+    abstract val disableStrictTLS: Property<Boolean>
+
     @TaskAction
     fun getSuppressedVulnTask() {
         val apiKeyValue = apiKey.get()
@@ -36,7 +40,7 @@ abstract class GetSuppressedVulnTask : DefaultTask() {
         val projectNameValue = projectName.orNull
         val projectVersionValue = projectVersion.orNull
 
-        val dt = DependencyTrack(apiKeyValue, urlValue)
+        val dt = DependencyTrack(apiKeyValue, urlValue, disableStrictTLS.getOrElse(false))
 
         val findings = when {
             projectUUIDValue != null -> dt.getProjectFindingsById(projectUUIDValue)

src/main/kotlin/com/liftric/dtcp/tasks/RiskScoreTask.kt

@@ -35,6 +35,10 @@ abstract class RiskScoreTask : DefaultTask() {
     @get:Optional
     abstract val riskScore: Property<RiskScoreBuilder>
 
+    @get:Input
+    @get:Optional
+    abstract val disableStrictTLS: Property<Boolean>
+
     @TaskAction
     fun riskScoreTask() {
         val apiKeyValue = apiKey.get()
@@ -52,7 +56,7 @@ abstract class RiskScoreTask : DefaultTask() {
         val maxRiskScore = riskScoreValue.maxRiskScore.orNull
         val timeout = riskScoreValue.timeout.orNull
 
-        val dt = DependencyTrack(apiKeyValue, urlValue)
+        val dt = DependencyTrack(apiKeyValue, urlValue, disableStrictTLS.getOrElse(false))
 
         val uuid = when {
             projectUUIDValue != null -> projectUUIDValue

src/main/kotlin/com/liftric/dtcp/tasks/UploadSBOMTask.kt

@@ -49,6 +49,10 @@ abstract class UploadSBOMTask : DefaultTask() {
     @get:Optional
     abstract val parentVersion: Property<String>
 
+    @get:Input
+    @get:Optional
+    abstract val disableStrictTLS: Property<Boolean>
+
     @get:Input
     @get:Optional
     abstract val ignoreErrors: Property<Boolean>
@@ -71,7 +75,7 @@ abstract class UploadSBOMTask : DefaultTask() {
             throw GradleException("Either projectUUID or projectName and projectVersion must be set")
         }
 
-        val dt = DependencyTrack(apiKeyValue, urlValue)
+        val dt = DependencyTrack(apiKeyValue, urlValue, disableStrictTLS.getOrElse(false))
         try {
             val response = dt.uploadSbom(
                 file = inputFileValue,