feat: add CA support for proxy in aqua plugin

The commercial trivy plugin supports providing a proxy and a CA
certificate. This is now configurable through the "Configure Aqua
Platform" webview.

When the proxy has a value it will be set, same with the CA Cert.

Author: owenrumney

.gitignore

@@ -8,3 +8,5 @@ contrib
 trivy
 trivy.exe
 .vscode/settings.json
+cert.pem
+key.pem

CHANGELOG.md

@@ -1,5 +1,9 @@
 # Change Log
 
+## 1.8.9
+
+- Add support for custom proxy server and CA certificate provision
+
 ## 1.8.8
 
 - Add skip directories with defaults that can be overridden in the workspace

package.json

@@ -4,7 +4,7 @@
   "publisher": "AquaSecurityOfficial",
   "description": "Find vulnerabilities, misconfigurations and exposed secrets in your code",
   "icon": "images/icon.png",
-  "version": "1.8.8",
+  "version": "1.8.9",
   "engines": {
     "vscode": "^1.56.0"
   },
@@ -143,6 +143,16 @@
           "default": "",
           "description": "Aqua API URL"
         },
+        "trivy.proxyServer": {
+          "type": "string",
+          "default": "",
+          "description": "HTTP/HTTPS proxy server URL for Aqua Platform communication (format: http://proxy-host:port or https://proxy-host:port)"
+        },
+        "trivy.caCertPath": {
+          "type": "string",
+          "default": "",
+          "description": "Path to CA Cert file for Aqua Platform communication"
+        },
         "trivy.useAquaPlatform": {
           "type": "boolean",
           "default": false,

src/commercial/env.ts

@@ -19,6 +19,9 @@ const ENV_KEYS = Object.freeze({
   TRIVY_SKIP_REPOSITORY_UPLOAD: 'TRIVY_SKIP_REPOSITORY_UPLOAD',
   TRIVY_SKIP_RESULT_UPLOAD: 'TRIVY_SKIP_RESULT_UPLOAD',
   TRIVY_IDE_IDENTIFIER: 'TRIVY_IDE_IDENTIFIER',
+  CA_CERT: 'CA_CERT',
+  HTTP_PROXY: 'HTTP_PROXY',
+  HTTPS_PROXY: 'HTTPS_PROXY',
 });
 
 /**
@@ -63,6 +66,16 @@ export async function updateEnvironment(
     const aquaApiUrl = config.get<string>('aquaApiUrl');
     const aquaAuthUrl = config.get<string>('aquaAuthenticationUrl');
 
+    const proxyServer = config.get<string>('proxyServer');
+    if (proxyServer) {
+      newEnv[ENV_KEYS.HTTP_PROXY] = proxyServer;
+      newEnv[ENV_KEYS.HTTPS_PROXY] = proxyServer;
+    }
+    const caCertPath = config.get<string>('caCertPath');
+    if (caCertPath) {
+      newEnv[ENV_KEYS.CA_CERT] = caCertPath;
+    }
+
     if (aquaApiUrl && aquaAuthUrl) {
       newEnv[ENV_KEYS.API_URL] = aquaApiUrl;
       newEnv[ENV_KEYS.AUTH_URL] = aquaAuthUrl;

src/commercial/setup.ts

@@ -173,6 +173,12 @@ export async function setupCommercial(context: vscode.ExtensionContext) {
             }
             config.update('aquaApiUrl', aquaUrl);
             config.update('aquaAuthenticationUrl', cspmUrl);
+            if (message.proxyServer && message.prxoyServer.startsWith('http')) {
+              config.update('proxyServer', message.proxyServer);
+            } else if (message.proxyServer === '') {
+              config.update('proxyServer', undefined);
+            }
+            config.update('caCertPath', message.caCertPath);
             config.update('useAquaPlatform', message.enableAquaPlatform);
             vscode.commands.executeCommand(
               'setContext',
@@ -195,6 +201,29 @@ export async function setupCommercial(context: vscode.ExtensionContext) {
         case 'openExtenalLink':
           vscode.env.openExternal(vscode.Uri.parse(message.url));
           return;
+        case 'browseCaCert': {
+          const options: vscode.OpenDialogOptions = {
+            canSelectFiles: true,
+            canSelectFolders: false,
+            canSelectMany: false,
+            openLabel: 'Select CA Certificate',
+            filters: {
+              'Certificate Files': ['pem', 'crt', 'cer', 'der'],
+              'All Files': ['*'],
+            },
+            title: 'Select CA Certificate',
+          };
+
+          vscode.window.showOpenDialog(options).then((fileUri) => {
+            if (fileUri && fileUri[0]) {
+              panel.webview.postMessage({
+                command: 'updateCaCertPath',
+                path: fileUri[0].fsPath,
+              });
+            }
+          });
+          return;
+        }
       }
     },
     undefined,
@@ -324,6 +353,17 @@ function getWebviewContent(
               API Authentication Url
               <span slot="start" class="codicon codicon-globe"></span>
               </vscode-text-field>
+              <vscode-text-field size="48" id="proxyServer" name="proxyServer" value="${config.get<string>('proxyServer') || ''}" ${!useAquaPlatform ? 'disabled' : ''}>
+              HTTP Proxy Server
+              <span slot="start" class="codicon codicon-globe"></span>
+              </vscode-text-field>
+              <div style="display: flex; align-items: center; gap: 8px;">
+                <vscode-text-field size="48" id="caCertPath" name="caCertPath" value="${config.get<string>('caCertPath') || ''}" ${!useAquaPlatform ? 'disabled' : ''}>
+                  CA Certificate Path
+                  
+                  <span slot="end" class="codicon codicon-folder-opened" style="cursor: pointer; opacity: ${!useAquaPlatform ? '0.4' : '1'};" id="browse-cert-icon"></span>
+                </vscode-text-field>
+              </div>
             </div>
               <vscode-button id="save-button" appearance="primary" type="submit" >Save</vscode-button>
            </form>
@@ -338,13 +378,31 @@ function getWebviewContent(
             vscode.postMessage({ command: 'openExternalLink', url: target.href });
         }
     });
+
+           window.addEventListener('message', event => {
+                const message = event.data;
+                if (message && message.command) {
+                    switch (message.command) {
+                        case 'updateCaCertPath':
+                            const caCertPathElem = document.getElementById('caCertPath');
+                            if (caCertPathElem) {
+                                caCertPathElem.value = message.path;
+                            }
+                            break;
+                    }
+                }
+           });
+
            document.getElementById('enableAquaPlatform').addEventListener('change', event => {
                 const checked = event.target.checked;
                 document.getElementById('apiKey').disabled = !checked;
                 document.getElementById('apiSecret').disabled = !checked;
                 document.getElementById('aqua-platform-region').disabled = !checked;
                 document.getElementById('customApiUrl').disabled = !checked;
                 document.getElementById('custonAuthUrl').disabled = !checked;
+                document.getElementById('proxyServer').disabled = !checked;
+                document.getElementById('caCertPath').disabled = !checked;
+                document.getElementById('browse-cert-icon').style.opacity = checked ? '1' : '0.4';
                 const regionLabel = document.getElementById('region-label');
                 if (!checked) {
                     regionLabel.classList.add('disabled');
@@ -353,6 +411,15 @@ function getWebviewContent(
                 }
            });
 
+           document.getElementById('browse-cert-icon').addEventListener('click', (event) => {
+                if (!document.getElementById('enableAquaPlatform').checked) {
+                    return;
+                }
+                vscode.postMessage({ 
+                    command: 'browseCaCert'
+                });
+           });
+
            document.getElementById('aqua-platform-region').addEventListener('change', event => {
                 const selectedValue = event.target.value;
                 const customApiUrl = document.getElementById('customApiUrl');
@@ -382,8 +449,10 @@ function getWebviewContent(
                    customAuthUrl = document.getElementById('custonAuthUrl').value;
                } 
 
+               const proxyServer = document.getElementById('proxyServer').value;
+               const caCertPath = document.getElementById('caCertPath').value;
                const enableAquaPlatform = document.getElementById('enableAquaPlatform').checked;
-               vscode.postMessage({ command: 'storeSecrets', apiKey, apiSecret, aquaRegionValue, enableAquaPlatform, customApiUrl, customAuthUrl });
+               vscode.postMessage({ command: 'storeSecrets', apiKey, apiSecret, aquaRegionValue, enableAquaPlatform, customApiUrl, customAuthUrl, proxyServer, caCertPath });
            });
         </script>
      </body>