feat: Use Apache HTTPClient for downloads of public resources #6949
…thenticating proxy
…clude KEV downloads
…o to the DownloaderIT
utils/src/main/java/org/owasp/dependencycheck/utils/Downloader.java
@aikebah tests are passing - should this still be a draft PR?
@jeremylong All code as committed I consider final, so if you're eager to get a release out it would be fine to remove draft status and get 'most usages replaced' as a feature for 11.0. The draft status is not yet removed as there are a few analyzers that don't use the HTTPClient yet - Nexus and Artifactory IIRC, which could also be postponed for a later feature update I guess.
Confirmed... only NexusSearch and ArtifactorySearch are pending. As both are typically solutions within the enterprise datacenter not requiring proxy access, I think it would be fine to finish up this part and leave the remaining phase-out of URLConnectionFactory for a later feature release in the 11.x series.
LGTM
Thanks for the work on this PR! It looks like you have completed the groundwork for the remaining two analyzers (as seen in the |
Was a nice exercise for part of my holiday. NexusSearch is currently cooking locally at lower velocity besides my daytime job.
Fixes Issue #6800
Description of Change
Swap out use of raw JDK http(s) handling by Apache HTTP-Client in order to also take into account the `https.proxyUser` and `https.proxyPassword` JAVA_TOOL_OPTIONS. Add a resource to document and support manual testing of HTTP-Basic authenticating proxy usage.
Also lays the groundwork for resolving #5387 by adding Settings keys for the credentials of a mirrored HostedSuppressions and KnownExploitedVulnerabilities file. CLI instances initialized from a custom properties file could already exploit this, but activation for all integrations is left as an exercise in the context of #5387.
For now only a draft, as there is still some direct raw usage left behind in the codebase that I also intend to replace by HTTPClient. However, I think now is a good time to already collect feedback on the initial coding for the replacement of the Downloader class.
Have test cases been added to cover the new functionality?
Not yet; I intend to evaluate and potentially extend the existing test cases that already partially test the functionality.
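The description above explains the motivation for the switch: the JDK's raw `URLConnection` handling ignores `https.proxyUser` / `https.proxyPassword`, whereas Apache HttpClient lets the caller register proxy credentials explicitly. The following is an added illustration written for this page, not code from the dependency-check project or from this PR, showing how a download helper can read the standard JDK proxy system properties and hand them to Apache HttpClient 5 as credentials scoped to the proxy only. The class name `ProxyAwareDownloader`, the fallback port `443` and the `download` method are assumptions of this example; the `org.apache.hc.*` types are the real HttpClient 5.x API.

```java
import java.io.IOException;
import java.net.URI;

import org.apache.hc.client5.http.auth.AuthScope;
import org.apache.hc.client5.http.auth.UsernamePasswordCredentials;
import org.apache.hc.client5.http.classic.methods.HttpGet;
import org.apache.hc.client5.http.impl.auth.BasicCredentialsProvider;
import org.apache.hc.client5.http.impl.classic.CloseableHttpClient;
import org.apache.hc.client5.http.impl.classic.HttpClientBuilder;
import org.apache.hc.client5.http.impl.classic.HttpClients;
import org.apache.hc.core5.http.HttpHost;
import org.apache.hc.core5.http.io.entity.EntityUtils;

/**
 * Example (not project code): downloads a public resource through an
 * HTTP-Basic authenticating proxy configured via the JDK system properties
 * https.proxyHost, https.proxyPort, https.proxyUser and https.proxyPassword.
 */
public final class ProxyAwareDownloader {

    private ProxyAwareDownloader() {
    }

    /** Builds a client that honours the proxy system properties, if any are set. */
    static CloseableHttpClient buildClient() {
        final HttpClientBuilder builder = HttpClients.custom();

        final String proxyHost = System.getProperty("https.proxyHost");
        if (proxyHost != null && !proxyHost.isEmpty()) {
            // Assumption: fall back to 443, the JDK default for https.proxyPort.
            final int proxyPort = Integer.parseInt(System.getProperty("https.proxyPort", "443"));
            final HttpHost proxy = new HttpHost("http", proxyHost, proxyPort);
            builder.setProxy(proxy);

            final String proxyUser = System.getProperty("https.proxyUser");
            final String proxyPassword = System.getProperty("https.proxyPassword");
            if (proxyUser != null && proxyPassword != null) {
                // Scope the credentials to the proxy host/port only, so they are
                // never offered to the origin server that serves the download.
                final BasicCredentialsProvider credentials = new BasicCredentialsProvider();
                credentials.setCredentials(
                        new AuthScope(proxyHost, proxyPort),
                        new UsernamePasswordCredentials(proxyUser, proxyPassword.toCharArray()));
                builder.setDefaultCredentialsProvider(credentials);
            }
        }
        return builder.build();
    }

    /** Fetches the resource body, failing on any non-2xx status instead of saving an error page. */
    static byte[] download(final URI resource) throws IOException {
        try (CloseableHttpClient client = buildClient()) {
            return client.execute(new HttpGet(resource), response -> {
                final int status = response.getCode();
                if (status < 200 || status >= 300) {
                    throw new IOException("Unexpected HTTP status " + status + " for " + resource);
                }
                return EntityUtils.toByteArray(response.getEntity());
            });
        }
    }

    public static void main(final String[] args) throws IOException {
        // Usage: java -Dhttps.proxyHost=proxy.example -Dhttps.proxyPort=3128 \
        //            -Dhttps.proxyUser=alice -Dhttps.proxyPassword=secret \
        //            ProxyAwareDownloader https://example.com/resource.json
        final byte[] body = download(URI.create(args[0]));
        System.out.println("Downloaded " + body.length + " bytes");
    }
}
```

Two points worth noting for reviewers of a change like this: the `AuthScope` restricts the proxy credentials to the proxy endpoint, so a redirect to another host cannot leak them, and the status check ensures a proxy or server error page is never silently written to disk in place of the expected file (relevant for feeds such as the KEV or hosted suppressions files).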