From 196b029d526474b6e86551179c9ec39c3aa66b68 Mon Sep 17 00:00:00 2001 From: Stefan Kalscheuer Date: Tue, 22 Oct 2024 21:05:55 +0200 Subject: [PATCH] fix: do not set legacy proxy from maven or env (#7072) The Apache HTTPClient based downloader supports http(s).proxy* properties, so we do not need to use legacy logic. In legeacy mode http.nonProxyHosts is not honored, so setting both leads to issues due to missing proxy selectors. Omit populating legacy properties resolves this issue. In addition we have to move the password decryption from Maven settings up, so it actually works. Signed-off-by: Stefan Kalscheuer --- .../maven/BaseDependencyCheckMojo.java | 45 ++++--------------- 1 file changed, 8 insertions(+), 37 deletions(-) diff --git a/maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java b/maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java index a1def01981..c9ccbb9574 100644 --- a/maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java +++ b/maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java @@ -2212,46 +2212,17 @@ protected void populateSettings() { if (mavenProxy.getUsername() != null && !mavenProxy.getUsername().isEmpty()) { System.setProperty("https.proxyUser", mavenProxy.getUsername()); } - if (mavenProxy.getPassword() != null && !mavenProxy.getPassword().isEmpty()) { - System.setProperty("https.proxyPassword", mavenProxy.getPassword()); - } - if (mavenProxy.getNonProxyHosts() != null && !mavenProxy.getNonProxyHosts().isEmpty()) { - System.setProperty("http.nonProxyHosts", mavenProxy.getNonProxyHosts()); - } - } + String password = mavenProxy.getPassword(); + if (password != null && !password.isEmpty()) { + try { + password = decryptPasswordFromSettings(password); + } catch (SecDispatcherException ex) { + password = handleSecDispatcherException("proxy", mavenProxy.getId(), password, ex); + } - settings.setString(Settings.KEYS.PROXY_SERVER, mavenProxy.getHost()); - settings.setString(Settings.KEYS.PROXY_PORT, Integer.toString(mavenProxy.getPort())); - final String userName = mavenProxy.getUsername(); - String password = mavenProxy.getPassword(); - if (password != null && !password.isEmpty()) { - if (settings.getBoolean(Settings.KEYS.PROXY_DISABLE_SCHEMAS, true)) { - System.setProperty("jdk.http.auth.tunneling.disabledSchemes", ""); - } - try { - password = decryptPasswordFromSettings(password); - } catch (SecDispatcherException ex) { - password = handleSecDispatcherException("proxy", mavenProxy.getId(), password, ex); + System.setProperty("https.proxyPassword", password); } } - settings.setStringIfNotNull(Settings.KEYS.PROXY_USERNAME, userName); - settings.setStringIfNotNull(Settings.KEYS.PROXY_PASSWORD, password); - settings.setStringIfNotNull(Settings.KEYS.PROXY_NON_PROXY_HOSTS, mavenProxy.getNonProxyHosts()); - } else if (System.getProperty("http.proxyHost") != null) { - //else use standard Java system properties - settings.setString(Settings.KEYS.PROXY_SERVER, System.getProperty("http.proxyHost", "")); - if (System.getProperty("http.proxyPort") != null) { - settings.setString(Settings.KEYS.PROXY_PORT, System.getProperty("http.proxyPort")); - } - if (System.getProperty("http.proxyUser") != null) { - settings.setString(Settings.KEYS.PROXY_USERNAME, System.getProperty("http.proxyUser")); - } - if (System.getProperty("http.proxyPassword") != null) { - settings.setString(Settings.KEYS.PROXY_PASSWORD, System.getProperty("http.proxyPassword")); - } - if (System.getProperty("http.nonProxyHosts") != null) { - settings.setString(Settings.KEYS.PROXY_NON_PROXY_HOSTS, System.getProperty("http.nonProxyHosts")); - } } else if (this.proxy != null && this.proxy.getHost() != null) { // or use configured settings.setString(Settings.KEYS.PROXY_SERVER, this.proxy.getHost());