From 01efdd8087aa68fb8e3c73147f0a7f21045ba5d1 Mon Sep 17 00:00:00 2001
From: Gautam <>
Date: Mon, 16 Dec 2019 11:45:53 -0500
Subject: [PATCH] insecure TLS verify added for http requests
---
 Makefile | 4 ++--
 pkg/annotator/artifactory_annotator.go | 7 ++++++-
 pkg/annotator/quay_annotator.go | 27 +++++++++++++++-----------
 pkg/utils/ext_requests.go | 11 +++++++++--
 4 files changed, 33 insertions(+), 16 deletions(-)
diff --git a/Makefile b/Makefile
index ff3bbf4c..ffcd3135 100644
--- a/Makefile
+++ b/Makefile
@@ -30,7 +30,7 @@ $(PERCEIVERS):
 ifeq ($(MAKECMDGOALS),${LOCAL_TARGET})
 cd cmd/$@; CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -o $@
 else
- docker run --rm -e CGO_ENABLED=0 -e GOOS=linux -e GOARCH=amd64 -v "${CURRENT_DIR}":/go/src/github.com/blackducksoftware/perceivers -w /go/src/github.com/blackducksoftware/perceivers/cmd/$@ golang:1.9 go build -o $@
+ docker run --rm -e CGO_ENABLED=0 -e GOOS=linux -e GOARCH=amd64 -e GO111MODULE=off -v "${CURRENT_DIR}":/go/src/github.com/blackducksoftware/perceivers -w /go/src/github.com/blackducksoftware/perceivers/cmd/$@ golang:1.13 go build -o $@
 endif
 cp cmd/$@/$@ ${OUTDIR}
@@ -41,7 +41,7 @@ push: container
 $(foreach p,${PERCEIVERS},$(PREFIX_CMD) docker $(DOCKER_OPTS) push $(REGISTRY)/$(PREFIX)${p}:latest;)
 test:
- docker run --rm -e CGO_ENABLED=0 -e GOOS=linux -e GOARCH=amd64 -v "${CURRENT_DIR}":/go/src/github.com/blackducksoftware/perceivers -w /go/src/github.com/blackducksoftware/perceivers golang:1.9 go test ./pkg/...
+ docker run --rm -e CGO_ENABLED=0 -e GOOS=linux -e GOARCH=amd64 -e GO111MODULE=off -v "${CURRENT_DIR}":/go/src/github.com/blackducksoftware/perceivers -w /go/src/github.com/blackducksoftware/perceivers golang:1.13 go test ./pkg/...
 clean:
 rm -rf ${OUTDIR}
diff --git a/pkg/annotator/artifactory_annotator.go b/pkg/annotator/artifactory_annotator.go
index a46b0de9..ecc46c86 100644
--- a/pkg/annotator/artifactory_annotator.go
+++ b/pkg/annotator/artifactory_annotator.go
@@ -22,6 +22,7 @@ under the License.
 package annotator
 import (
+ "crypto/tls"
 "encoding/json"
 "fmt"
 "net/http"
@@ -46,13 +47,17 @@ const (
 // ArtifactoryAnnotator handles annotating artifactory images with vulnerability and policy issues
 type ArtifactoryAnnotator struct {
+ client *http.Client
 scanResultsURL string
 registryAuths []*utils.RegistryAuth
 }
 // NewArtifactoryAnnotator creates a new ArtifactoryAnnotator object
 func NewArtifactoryAnnotator(perceptorURL string, registryAuths []*utils.RegistryAuth) *ArtifactoryAnnotator {
+ tr := &http.Transport{TLSClientConfig: &tls.Config{InsecureSkipVerify: true}}
+ client := &http.Client{Transport: tr}
 return &ArtifactoryAnnotator{
+ client: client,
 scanResultsURL: fmt.Sprintf("%s/%s", perceptorURL, perceptorapi.ScanResultsPath),
 registryAuths: registryAuths,
 }
@@ -167,7 +172,7 @@ func (ia *ArtifactoryAnnotator) AnnotateImage(uri string, im *perceptorapi.Scann
 }
 req.SetBasicAuth(cred.User, cred.Password)
- resp, err := http.DefaultClient.Do(req)
+ resp, err := ia.client.Do(req)
 if err != nil {
 log.Errorf("Annotator: Error in sending request %e", err)
 return
diff --git a/pkg/annotator/quay_annotator.go b/pkg/annotator/quay_annotator.go
index 2da67e7c..55608144 100644
--- a/pkg/annotator/quay_annotator.go
+++ b/pkg/annotator/quay_annotator.go
@@ -23,6 +23,7 @@ package annotator
 import (
 "bytes"
+ "crypto/tls"
 "encoding/json"
 "fmt"
 "net/http"
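Review bot: The `tls.Config{InsecureSkipVerify: true}` built in NewArtifactoryAnnotator is unconditional, so every request sent through `ia.client` — including the `req.SetBasicAuth(cred.User, cred.Password)` call in AnnotateImage in the next hunk — accepts any server certificate, and anyone on the network path can capture the registry credentials. Skipping verification should be an explicit opt-in (a constructor argument or config value defaulting to false) reserved for registries with untrusted certificates, and a `RootCAs` pool loaded from a mounted CA bundle is the safer way to support those. The new client also has no `Timeout`, so a stalled registry blocks the annotator indefinitely. The Makefile in this same patch moves the build to golang:1.13, where `http.DefaultTransport.(*http.Transport).Clone()` is available and keeps the proxy and keep-alive defaults that a bare `&http.Transport{}` drops; the constructor's callers are outside this diff and would need to pass the new argument, and the file would need to import `time`.
```go
// NewArtifactoryAnnotator creates a new ArtifactoryAnnotator object.
// insecureSkipVerify disables TLS certificate verification for registry
// requests; leave it false unless the registry presents an untrusted
// certificate, because the same client sends basic-auth credentials.
func NewArtifactoryAnnotator(perceptorURL string, registryAuths []*utils.RegistryAuth, insecureSkipVerify bool) *ArtifactoryAnnotator {
	tr := http.DefaultTransport.(*http.Transport).Clone()
	tr.TLSClientConfig = &tls.Config{
		InsecureSkipVerify: insecureSkipVerify,
		MinVersion:         tls.VersionTLS12,
	}
	client := &http.Client{Transport: tr, Timeout: 30 * time.Second}
	// … unchanged: struct literal …
```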
@@ -99,13 +100,17 @@ const (
 // QuayAnnotator handles annotating quay images with vulnerability and policy issues
 type QuayAnnotator struct {
+ client *http.Client
 scanResultsURL string
 registryAuths []*utils.RegistryAuth
 }
 // NewQuayAnnotator creates a new QuayAnnotator object
 func NewQuayAnnotator(perceptorURL string, registryAuths []*utils.RegistryAuth) *QuayAnnotator {
+ tr := &http.Transport{TLSClientConfig: &tls.Config{InsecureSkipVerify: true}}
+ client := &http.Client{Transport: tr}
 return &QuayAnnotator{
+ client: client,
 scanResultsURL: fmt.Sprintf("%s/%s", perceptorURL, perceptorapi.ScanResultsPath),
 registryAuths: registryAuths,
 }
@@ -172,7 +177,7 @@ func (qa *QuayAnnotator) addAnnotationsToImages(results perceptorapi.ScanResults
 imgs := 0
 for _, registry := range qa.registryAuths {
- auth, err := PingQuayServer("https://"+registry.URL, registry.User, registry.Password, registry.Token)
+ auth, err := qa.PingQuayServer("https://"+registry.URL, registry.User, registry.Password, registry.Token)
 if err != nil {
 log.Debugf("Annotator: URL %s either not a valid quay repository or incorrect token: %e", registry.URL, err)
@@ -247,14 +252,14 @@ func (qa *QuayAnnotator) UpdateAnnotation(url string, labelKey string, newValue
 for _, label := range labelList.Labels {
 deleteURL := fmt.Sprintf("%s/%s", url, label.ID)
- err = DeleteQuayLabel(deleteURL, quayToken, label.ID)
+ err = qa.DeleteQuayLabel(deleteURL, quayToken, label.ID)
 if err != nil {
 log.Errorf("Error in deleting label %s at URL %s: %e", label.Key, deleteURL, err)
 log.Errorf("Images may contain duplicate labels!")
 }
 }
- err = AddQuayLabel(url, quayToken, labelKey, newValue)
+ err = qa.AddQuayLabel(url, quayToken, labelKey, newValue)
 if err != nil {
 log.Errorf("Error in adding label %s at URL %s after deleting: %e", labelKey, url, err)
 return
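Review bot: NewQuayAnnotator hard-codes `InsecureSkipVerify: true`, so the bearer tokens that PingQuayServer, AddQuayLabel and DeleteQuayLabel later place in the `Authorization` header through `qa.client` travel over connections whose server certificate is never checked, and there is no way for an operator to turn that off. The identical transport construction is copy-pasted into NewArtifactoryAnnotator and twice into pkg/utils/ext_requests.go within this patch; one helper in pkg/utils that takes the policy as a parameter would keep the decision in a single place and let a config flag default it to false. At minimum the client needs a deadline, `client := &http.Client{Transport: tr, Timeout: 30 * time.Second}` (with `time` imported), otherwise a hung quay endpoint stalls annotation for good.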
@@ -266,7 +271,7 @@ func (qa *QuayAnnotator) UpdateAnnotation(url string, labelKey string, newValue
 // PingQuayServer takes in the specified URL with access token and checks weather
 // it's a valid token for quay by pinging the server
-func PingQuayServer(url string, user string, password string, accessToken string) (*utils.RegistryAuth, error) {
+func (qa *QuayAnnotator) PingQuayServer(url string, user string, password string, accessToken string) (*utils.RegistryAuth, error) {
 url = fmt.Sprintf("%s/api/v1/user", url)
 req, err := http.NewRequest(http.MethodGet, url, nil)
 if err != nil {
@@ -275,9 +280,9 @@ func PingQuayServer(url string, user string, password string, accessToken string
 req.Header.Set("Content-Type", "application/json")
 req.Header.Set("Authorization", "Bearer "+accessToken)
- resp, err := http.DefaultClient.Do(req)
+ resp, err := qa.client.Do(req)
 if err != nil {
- return nil, fmt.Errorf("Error in pinging quay server %e", err)
+ return nil, fmt.Errorf("Error in pinging quay server %+v, response: %+v", err, resp)
 }
 defer resp.Body.Close()
@@ -287,7 +292,7 @@ func PingQuayServer(url string, user string, password string, accessToken string
 url = strings.Replace(url, "https://", "http://", -1)
 // Reset to baseURL
 url = strings.Replace(url, "/api/v1/user", "", -1)
- return PingQuayServer(url, user, password, accessToken)
+ return qa.PingQuayServer(url, user, password, accessToken)
 }
 return nil, fmt.Errorf("Error in pinging quay server supposed to get %d response code got %d", http.StatusOK, resp.StatusCode)
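Review bot: The new error message in PingQuayServer appends `response: %+v` with `resp`, but `http.Client.Do` documents that the returned response is nil whenever it returns an error (the one exception is a failed CheckRedirect, where the body is already closed), so the suffix will almost always read `response: <nil>`. Moving away from `%e` is the right direction; with the golang:1.13 image this patch adopts, wrapping is better still so callers can inspect the cause: `return nil, fmt.Errorf("pinging quay server %s: %w", url, err)`. PingQuayServer's body continues above and below this hunk.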
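Review bot: The recursive `qa.PingQuayServer(url, user, password, accessToken)` call retries the probe over plain `http://` with the same `accessToken`, so any non-200 answer from the HTTPS endpoint causes the bearer token to be re-sent unencrypted; the downgrade predates this commit, but it now sits behind a client that also skips certificate verification, so the HTTPS leg no longer offers any guarantee either. The plaintext retry should be gated by the same explicit opt-in that controls InsecureSkipVerify and logged loudly when taken, e.g. `log.Warnf("Annotator: %s did not answer over HTTPS, retrying over plain HTTP; the quay token will be sent unencrypted", url)` immediately before the recursive call. The `if` that triggers this fallback starts above the hunk.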
@@ -299,7 +304,7 @@ func PingQuayServer(url string, user string, password string, accessToken string
 }
 // AddQuayLabel takes the specific Quay URL and adds the properties/annotations given by BD
-func AddQuayLabel(url string, accessToken string, labelKey string, labelValue string) error {
+func (qa *QuayAnnotator) AddQuayLabel(url string, accessToken string, labelKey string, labelValue string) error {
 quayLabel := QuayNewLabel{MediaType: "text/plain", Value: labelValue, Key: labelKey}
 buffer := new(bytes.Buffer)
 json.NewEncoder(buffer).Encode(quayLabel)
@@ -310,7 +315,7 @@ func AddQuayLabel(url string, accessToken string, labelKey string, labelValue st
 req.Header.Set("Content-Type", "application/json")
 req.Header.Set("Authorization", "Bearer "+accessToken)
- resp, err := http.DefaultClient.Do(req)
+ resp, err := qa.client.Do(req)
 if err != nil {
 return fmt.Errorf("Error in adding label %e", err)
 }
@@ -323,7 +328,7 @@ func AddQuayLabel(url string, accessToken string, labelKey string, labelValue st
 }
 // DeleteQuayLabel takes the specific Quay URL and deletes the properties/annotations given by BD
-func DeleteQuayLabel(url string, accessToken string, labelID string) error {
+func (qa *QuayAnnotator) DeleteQuayLabel(url string, accessToken string, labelID string) error {
 req, err := http.NewRequest(http.MethodDelete, url, nil)
 if err != nil {
 return fmt.Errorf("Error in deleting label request %e", err)
@@ -331,7 +336,7 @@ func DeleteQuayLabel(url string, accessToken string, labelID string) error {
 req.Header.Set("Content-Type", "application/json")
 req.Header.Set("Authorization", "Bearer "+accessToken)
- resp, err := http.DefaultClient.Do(req)
+ resp, err := qa.client.Do(req)
 if err != nil {
 return fmt.Errorf("Error in deleting label %e", err)
 }
diff --git a/pkg/utils/ext_requests.go b/pkg/utils/ext_requests.go
index 5f001f58..51ffeec3 100644
--- a/pkg/utils/ext_requests.go
+++ b/pkg/utils/ext_requests.go
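Review bot: Directly under the new `qa.client.Do(req)` in AddQuayLabel, `return fmt.Errorf("Error in adding label %e", err)` still formats the error with `%e`, a floating-point verb, so the message renders as `%!e(*errors.errorString=...)` rather than the cause. This patch already replaces `%e` in PingQuayServer, and the matching line in DeleteQuayLabel's `-331,7` hunk has the same defect, so the three should agree; with the golang:1.13 image this patch adopts that is `return fmt.Errorf("adding label: %w", err)` and `return fmt.Errorf("deleting label: %w", err)`. Both function bodies continue outside their hunks.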
@@ -22,6 +22,7 @@ under the License.
 package utils
 import (
+ "crypto/tls"
 "encoding/json"
 "fmt"
 "net/http"
@@ -40,6 +41,9 @@ type RegistryAuth struct {
 // GetResourceOfType takes in the specified URL with credentials and
 // tries to decode returning json to specified interface
 func GetResourceOfType(url string, cred *RegistryAuth, bearerToken string, target interface{}) error {
+ tr := &http.Transport{TLSClientConfig: &tls.Config{InsecureSkipVerify: true}}
+ client := &http.Client{Transport: tr}
+
 req, err := http.NewRequest(http.MethodGet, url, nil)
 if err != nil {
 return fmt.Errorf("Error in creating get request %e at url %s", err, url)
@@ -54,7 +58,7 @@ func GetResourceOfType(url string, cred *RegistryAuth, bearerToken string, targe
 req.Header.Set("Authorization", "Bearer "+bearerToken)
 }
- resp, err := http.DefaultClient.Do(req)
+ resp, err := client.Do(req)
 if err != nil {
 return err
 }
@@ -65,13 +69,16 @@ func GetResourceOfType(url string, cred *RegistryAuth, bearerToken string, targe
 // PingArtifactoryServer takes in the specified URL with username & password and checks weather
 // it's a valid login for artifactory by pinging the server with various options and returns the correct URL
 func PingArtifactoryServer(url string, username string, password string) (*RegistryAuth, error) {
+ tr := &http.Transport{TLSClientConfig: &tls.Config{InsecureSkipVerify: true}}
+ client := &http.Client{Transport: tr}
+
 url = fmt.Sprintf("%s/api/system/ping", url)
 req, err := http.NewRequest(http.MethodGet, url, nil)
 if err != nil {
 return nil, fmt.Errorf("Error in pinging artifactory server %e", err)
 }
 req.SetBasicAuth(username, password)
- resp, err := http.DefaultClient.Do(req)
+ resp, err := client.Do(req)
 if err != nil {
 return nil, err
 }
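Review bot: GetResourceOfType now builds a fresh `http.Transport` on every call; each Transport owns its own idle-connection pool, so every request opens a new TLS connection and leaves the previous one (and its goroutines) idle until the garbage collector finds it, which is the per-request-Transport leak net/http warns about. The `InsecureSkipVerify: true` inside it also switches off certificate checking for every registry request this package makes, including the basic-auth and bearer-token ones a few lines below, with no way to turn it back on. Build one client at package level, give it a timeout, and make the skip-verify policy a parameter so a config flag can default it to false; `Transport.Clone` needs the golang:1.13 image this patch adopts, and the file would need `time` imported.
```go
// httpClient is shared by every request in this package so TLS connections
// are reused; the verification policy is decided in exactly one place.
var httpClient = NewHTTPClient(false)

// NewHTTPClient returns a client whose transport inherits the default proxy
// and keep-alive settings. insecureSkipVerify disables certificate
// verification and must only be enabled for registries with untrusted
// certificates, since every request here carries credentials.
func NewHTTPClient(insecureSkipVerify bool) *http.Client {
	tr := http.DefaultTransport.(*http.Transport).Clone()
	tr.TLSClientConfig = &tls.Config{
		InsecureSkipVerify: insecureSkipVerify,
		MinVersion:         tls.VersionTLS12,
	}
	return &http.Client{Transport: tr, Timeout: 30 * time.Second}
}

func GetResourceOfType(url string, cred *RegistryAuth, bearerToken string, target interface{}) error {
	req, err := http.NewRequest(http.MethodGet, url, nil)
	// … unchanged: error check and auth headers …
	resp, err := httpClient.Do(req)
```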
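Review bot: PingArtifactoryServer repeats the per-call `http.Transport` construction, so each ping opens a connection whose idle keep-alive is never reused, and `req.SetBasicAuth(username, password)` then sends the artifactory credentials over a connection with certificate verification disabled. The client should be a package-wide one shared with GetResourceOfType and carry a `Timeout`; if an unverified connection is ever justified it must be an explicit caller choice, not the silent default of a function whose purpose is to validate a login, e.g. `resp, err := httpClient.Do(req)` with `httpClient` built once from a flag that defaults to verifying. The function's body continues past the end of the hunk.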