From a994a46867cedea961d0bd5979f9431e9fee98e6 Mon Sep 17 00:00:00 2001
From: andrian-sevastyanov <139918786+andrian-sevastyanov@users.noreply.github.com>
Date: Mon, 29 Jul 2024 18:28:07 -0600
Subject: [PATCH] fix (ToolsApiScannerInstaller): Update scan-cli trust store with each scan run (#435)
Update scan-cli trust store with each scan run
---------
Co-authored-by: shanty
---
 .../command/ToolsApiScannerInstaller.java | 17 ++++++++++-------
 1 file changed, 10 insertions(+), 7 deletions(-)
diff --git a/src/main/java/com/synopsys/integration/blackduck/codelocation/signaturescanner/command/ToolsApiScannerInstaller.java b/src/main/java/com/synopsys/integration/blackduck/codelocation/signaturescanner/command/ToolsApiScannerInstaller.java
index 253426d4e..520f88da5 100644
--- a/src/main/java/com/synopsys/integration/blackduck/codelocation/signaturescanner/command/ToolsApiScannerInstaller.java
+++ b/src/main/java/com/synopsys/integration/blackduck/codelocation/signaturescanner/command/ToolsApiScannerInstaller.java
@@ -32,6 +32,7 @@ import com.synopsys.integration.util.OperatingSystemType;
 import javax.net.ssl.HttpsURLConnection;
+import javax.net.ssl.SSLHandshakeException;
 public class ToolsApiScannerInstaller extends ApiScannerInstaller {
     // The tools API for downloading the scan-cli is called on by Detect for BD versions 2024.7.0 or newer
@@ -199,16 +200,17 @@ protected String downloadSignatureScanner(File scannerExpansionDirectory, HttpUr
             scanExecutable.setExecutable(true);
-            Certificate certificate = connectAndGetServerCertificate(downloadUrl);
-            if (certificate != null) {
-                keyStoreHelper.updateKeyStoreWithServerCertificate(downloadUrl.url().getHost(), certificate, scanPaths.getPathToCacerts());
-            }
+            connectAndGetServerCertificate(downloadUrl, scanPaths);
             logger.info("Black Duck Signature Scanner downloaded successfully.");
             return latestScannerVersion;
         } else if (response.getStatusCode() == 304) {
             // If no need to update, response is HTTP 304 Not modified
             logger.debug("Locally installed Signature Scanner version is up to date - skipping download.");
+
+            ScanPaths scanPaths = scanPathsUtility.searchForScanPaths(scannerExpansionDirectory.getParentFile());
+            connectAndGetServerCertificate(downloadUrl, scanPaths);
+
             return localScannerVersion;
         } else {
             logger.debug("Unable to download Signature Scanner. Response code: " + response.getStatusCode() + " " + response.getStatusMessage());
@@ -217,7 +219,7 @@ protected String downloadSignatureScanner(File scannerExpansionDirectory, HttpUr
         }
     }
-    private Certificate connectAndGetServerCertificate(HttpUrl httpsServer) {
+    private void connectAndGetServerCertificate(HttpUrl httpsServer, ScanPaths scanPaths) {
         HttpsURLConnection httpsConnection = null;
         try {
             httpsConnection = (HttpsURLConnection) httpsServer.url().openConnection();
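Review bot: The 304 branch now resolves `scanPaths` through `scanPathsUtility.searchForScanPaths(scannerExpansionDirectory.getParentFile())` and opens a fresh TLS connection on every run of an already-current scanner, so if `searchForScanPaths` can throw (for example when the installed CLI layout is missing or unreadable — the hunk does not show its contract) a path that previously just returned `localScannerVersion` now fails; that worst case is worth confirming. Nothing in the branch says why the trust store is refreshed when no download happened, so a comment such as `// Refresh the scan-cli trust store even when the CLI is current, so a rotated server certificate is trusted on the next scan` would help the next reader. As far as this hunk shows, the keystore receives whatever leaf certificate the download URL presents at the time of each run without being compared to what was stored earlier, so a change in that certificate is persisted silently; a debug-level log of the certificate subject or fingerprint when the stored entry changes would give operators a way to notice. `downloadSignatureScanner` starts and ends outside the hunk.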
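Review bot: `connectAndGetServerCertificate` now returns `void` and writes into the scan-cli trust store as a side effect, so its name no longer describes what it does or what callers may rely on; a rename along the lines of `trustServerCertificate(HttpUrl httpsServer, ScanPaths scanPaths)` or, failing that, a Javadoc stating the effect would make that explicit. The Javadoc should say that the method connects to the given server, reads the presented certificate and adds it to the cacerts file at `scanPaths.getPathToCacerts()`, and that failures are logged and swallowed, so a caller cannot tell afterwards whether the trust store was actually updated. The method body continues past the end of the hunk.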
@@ -225,13 +227,14 @@ private Certificate connectAndGetServerCertificate(HttpUrl httpsServer) {
             Certificate[] certificates = httpsConnection.getServerCertificates();
             httpsConnection.disconnect();
             if (certificates.length > 0) {
-                return certificates[0];
+                keyStoreHelper.updateKeyStoreWithServerCertificate(httpsServer.url().getHost(), certificates[0], scanPaths.getPathToCacerts());
             } else {
                 throw new IOException();
             }
+        } catch (SSLHandshakeException e) {
+            logger.warn("Automatically trusting server certificates - not recommended for production use.");
         } catch (IOException e) {
             logger.errorAndDebug("Could not get Black Duck server certificate which is required for managing the local keystore - communicating to the server will have to be configured manually: " + e.getMessage(), e);
-            return null;
         }
     }
 }
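Review bot: The new `catch (SSLHandshakeException e)` branch logs "Automatically trusting server certificates" although in this branch nothing was trusted: the handshake failed before `getServerCertificates()` returned, so the scan-cli cacerts was not updated and the exception is dropped without its message or cause. Because `SSLHandshakeException` is a subclass of `IOException`, this catch also diverts those failures away from the existing `errorAndDebug` call that would otherwise have recorded them. If the warning is meant for the case where Detect has been configured to trust all server certificates, the trigger should be that configuration rather than the exception type; otherwise the message should state what happened, e.g. `logger.warn("TLS handshake with " + httpsServer.url().getHost() + " failed; the scan-cli trust store was not updated: " + e.getMessage());` with `e` passed to the logger's throwable overload at debug level, as the `IOException` branch already does. Separately, `disconnect()` is only reached on the success path, so a `finally` would release the connection on both exception paths too, though that predates this change.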