| author | Can Eldem <celdem@gitlab.com> | 2020-04-23 09:57:57 +0000 |
|---|---|---|
| committer | Can Eldem <celdem@gitlab.com> | 2020-04-23 09:57:57 +0000 |
| commit | 86950d555fc22d88134360fdc7c3da87ba5f8895 (patch) | |
| tree | db395a60486fd6ce255d7281c97cb5c1687c9bca | |
| parent | d65dd61597375bfd6e6953fd4d0990a836fc3503 (diff) | |
| parent | e8aadb0323135defca027c5ac09c2a2e8a2194b4 (diff) | |
Merge branch '212342-java-root-certificates' into 'master'v3.7.4
Pull packages from a custom mvn repository with a custom root certificate.
See merge request gitlab-org/security-products/license-management!139
| -rw-r--r-- | .gitlab-ci.yml | 4 | ||||
| -rw-r--r-- | CHANGELOG.md | 4 | ||||
| -rw-r--r-- | Gemfile.lock | 2 | ||||
| -rw-r--r-- | lib/license/management/shell.rb | 1 | ||||
| -rw-r--r-- | lib/license/management/version.rb | 2 | ||||
| -rw-r--r-- | spec/fixtures/java/maven.crt | 24 | ||||
| -rw-r--r-- | spec/fixtures/java/pom-single.xml.erb | 27 | ||||
| -rw-r--r-- | spec/integration/java/maven_spec.rb | 24 | ||||
| -rw-r--r-- | spec/support/fixture_file_helper.rb | 2 | ||||
| -rw-r--r-- | spec/support/integration_test_helper.rb | 6 |
10 files changed, 90 insertions, 6 deletions
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index c836f02..e558a26 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -92,9 +92,9 @@ version:
 code_quality:
 before_script:
 - rm .rubocop.yml
+ services:
+ - docker:stable-dind
 license_scanning:
 image:
 name: $TMP_IMAGE
- services:
- - docker:stable-dind
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 013bb96..1bf3445 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,9 @@
 # GitLab License management changelog
+## v3.7.4
+
+- Install Java key store when `ADDITIONAL_CA_CERT_BUNDLE` is provided. (!139)
+
 ## v3.7.3
 - Add `--local` option to `gem install` step to speed up initial scan time. (!135)
diff --git a/Gemfile.lock b/Gemfile.lock
index 54708a9..5721e1b 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -1,7 +1,7 @@
 PATH
 remote: .
 specs:
- license-management (3.7.3)
+ license-management (3.7.4)
 license_finder (~> 6.0.0)
 spandx (~> 0.1)
diff --git a/lib/license/management/shell.rb b/lib/license/management/shell.rb
index 6720460..f16537d 100644
--- a/lib/license/management/shell.rb
+++ b/lib/license/management/shell.rb
@@ -42,6 +42,7 @@ module License
 custom_certificate_path.write(certificate)
 execute("openssl x509 -in #{custom_certificate_path} -text -noout")
 execute('update-ca-certificates -v')
+ execute("keytool -importcert -file #{custom_certificate_path} -trustcacerts -noprompt")
 end
 def present?(item)
diff --git a/lib/license/management/version.rb b/lib/license/management/version.rb
index c00ae73..bc5d85c 100644
--- a/lib/license/management/version.rb
+++ b/lib/license/management/version.rb
@@ -2,6 +2,6 @@
 module License
 module Management
- VERSION = '3.7.3'
+ VERSION = '3.7.4'
 end
 end
diff --git a/spec/fixtures/java/maven.crt b/spec/fixtures/java/maven.crt
new file mode 100644
index 0000000..fe9fcf7
--- /dev/null
+++ b/spec/fixtures/java/maven.crt
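Review bot: The `keytool -importcert` call added after `execute('update-ca-certificates -v')` names no `-keystore`/`-cacerts`, no `-alias` and no `-storepass`, so which trust store receives the certificate, and whether keytool stalls on a password prompt in a non-interactive job, depends on the image's keytool defaults rather than on this code; unless the JVM's `cacerts` is the target (or `javax.net.ssl.trustStore` points at whatever keytool wrote), Maven will not consult the imported certificate. Making the target explicit, e.g. `execute("keytool -importcert -file #{custom_certificate_path} -alias additional-ca-cert -cacerts -storepass changeit -trustcacerts -noprompt")`, removes that dependence (`-cacerts` needs JDK 9+, and `changeit` is only right if the image's cacerts still carries the JDK default password — confirm both against the image). `ADDITIONAL_CA_CERT_BUNDLE` is a bundle, but `keytool -importcert` imports only the first PEM certificate in a file, so a bundle holding several CAs would have only the first trusted by Java while `update-ca-certificates` installs all of them; splitting the bundle on `-----END CERTIFICATE-----` and importing each block under its own alias closes that gap. The method this hunk sits in begins and ends outside the hunk, so whether `execute` raises on a non-zero keytool exit cannot be seen here.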
@@ -0,0 +1,24 @@
+-----BEGIN CERTIFICATE-----
+MIID7jCCAtagAwIBAgIJAI21kFz1PLI3MA0GCSqGSIb3DQEBCwUAMIGLMQswCQYD
+VQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQg
+V2lkZ2l0cyBQdHkgTHRkMUQwQgYDVQQDDDtnaXRsYWItYWlyZ2FwLWp2bS51cy13
+ZXN0MS1iLmMuZ3JvdXAtc2VjdXJlLWE4OWZlNy5pbnRlcm5hbDAeFw0yMDA0MTcw
+NjE4NTFaFw0yMTA0MTcwNjE4NTFaMIGLMQswCQYDVQQGEwJBVTETMBEGA1UECAwK
+U29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMUQw
+QgYDVQQDDDtnaXRsYWItYWlyZ2FwLWp2bS51cy13ZXN0MS1iLmMuZ3JvdXAtc2Vj
+dXJlLWE4OWZlNy5pbnRlcm5hbDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
+ggEBAK7lgNeL7Z6pj/vNLDw0QWuv6VKhY6jqd6Rdd03FJ1kG6pG4iUREhaH6UKjF
+IYBFQFHtH+WJV78nU3D5WQayAhKxPJMPeLfVmeBxO+3rFtVCylgkytqJEP4fEkwP
+lOyiUWVa6pcRkdijE5Y9pi+7buagZMZoCyQITiVOgqMsTwuxUDmuhDZQx8cmyfiq
+zV7STaKVYx4h7P7p5cOhXaMPg7mKbCEIjrRfxcA4BZTlFOt+/8uyqQDfTXarl4gp
+buv/zSzZtrFbsyc0MmTY40foKkMuTKHwbaVjoRqiqYzGyEhBuSYdaNQMTHWAGl4e
+Ts3dIC8ysmEyWyxsUdBYhkHoi0ECAwEAAaNTMFEwHQYDVR0OBBYEFDC4YeQ2AxrR
+3aXK63Y4+KWbdq0tMB8GA1UdIwQYMBaAFDC4YeQ2AxrR3aXK63Y4+KWbdq0tMA8G
+A1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAF8D6h0e8ogZQrX+YRDc
+FMvz2vYv6Oo2cLG5u5YSX1bJeOQHcCmmAvYBA+Pqjomxw9csRmktcy69hxIbvccn
+m7jCF3hasOoCivM5ifSmdXSBqmnmaQUErEhF+g9VIl696dR4H+47ewTmDc+2uzvP
+FFEfV/gC7QLIhMlpYJUn2/y4SgPjp08zJqulDDZL++srUqFktfiKyehriQXBn1M8
+JsW9G0at1fufKpFIgQWve0QtE1haBF+g6SGXQ/+guZnw5stUJ7ksFheJu4WsEPIx
+vtRkKZ60p/Hpq7tmO5UG5fKK1tuyBSj3vxewBBYtgH23h7/c7KxoeDIOnyNRshoA
+7Dg=
+-----END CERTIFICATE-----
diff --git a/spec/fixtures/java/pom-single.xml.erb b/spec/fixtures/java/pom-single.xml.erb
new file mode 100644
index 0000000..897b3a6
--- /dev/null
+++ b/spec/fixtures/java/pom-single.xml.erb
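Review bot: The fixture's validity fields decode to notBefore 2020-04-17 06:18:51Z and notAfter 2021-04-17 06:18:51Z (the `Fw0yMDA0MTcw…` / `Fw0yMTA0MTcw…` run spanning the fourth and fifth base64 lines), so this certificate — and the registry certificate it presumably mirrors — expires one year after this commit, at which point the new `maven_spec` context starts failing for a reason unrelated to the code under test. A self-signed test CA can be issued with a much longer validity, or the spec can note the expiry; either way a comment such as `# self-signed test CA for PRIVATE_MAVEN_HOST; expires 2021-04-17, regenerate before then` next to the `let(:bundle)` in maven_spec would spare the next person a confusing TLS failure. As far as the extensions decode there is only a CN (`gitlab-airgap-jvm.us-west1-b.c.group-secure-a89fe7.internal`) and no subjectAltName, so `PRIVATE_MAVEN_HOST` has to match that CN exactly — worth stating wherever that variable is documented.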
@@ -0,0 +1,27 @@
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+ <modelVersion>4.0.0</modelVersion>
+ <groupId>com.gitlab.secure</groupId>
+ <artifactId>license-scanning</artifactId>
+ <packaging>jar</packaging>
+ <version>1.0-SNAPSHOT</version>
+ <name>example</name>
+ <dependencies>
+ <dependency>
+ <groupId><%= group_id %></groupId>
+ <artifactId><%= artifact_id %></artifactId>
+ <version><%= version %></version>
+ </dependency>
+ </dependencies>
+ <repositories>
+ <repository>
+ <id><%= repository_id %></id>
+ <url><%= repository_url %></url>
+ </repository>
+ </repositories>
+ <distributionManagement>
+ <repository>
+ <id><%= repository_id %></id>
+ <url><%= repository_url %></url>
+ </repository>
+ </distributionManagement>
+</project>
diff --git a/spec/integration/java/maven_spec.rb b/spec/integration/java/maven_spec.rb
index 92444e8..f14e566 100644
--- a/spec/integration/java/maven_spec.rb
+++ b/spec/integration/java/maven_spec.rb
@@ -13,7 +13,8 @@ RSpec.describe "maven" do
 })
 expect(report).to match_schema(version: '2.0')
- expect(report[:dependencies]).to match_array([{ name: 'mvn-spike', url: '', description: '', paths: ['.'], licenses: ['MIT'] }])
+ expect(report.dependency_names).to match_array(['mvn-spike'])
+ expect(report.licenses_for('mvn-spike')).to match_array(['MIT'])
 end
 it 'downloads packages from by using a custom `settings.xml`' do
@@ -78,4 +79,25 @@ RSpec.describe "maven" do
 expect(report.dependency_names).not_to include('junit')
 end
 end
+
+ context "when connecting to a custom package registry with a self signed certificate" do
+ let(:bundle) { fixture_file_content('java/maven.crt') }
+ let(:report) { runner.scan(env: { 'ADDITIONAL_CA_CERT_BUNDLE' => bundle, 'LOG_LEVEL' => 'debug' }) }
+
+ before do
+ runner.add_file('pom.xml') do
+ fixture_file_content('java/pom-single.xml.erb', {
+ group_id: 'com.fasterxml.jackson.core',
+ artifact_id: 'jackson-core',
+ version: '2.10.0',
+ repository_id: 'custom',
+ repository_url: "https://#{private_maven_host}/artifactory/mvn-cache"
+ })
+ end
+ end
+
+ specify { expect(report).to match_schema(version: '2.0') }
+ specify { expect(report.dependency_names).to match_array(['jackson-core']) }
+ specify { expect(report.licenses_for('jackson-core')).to match_array(['Apache-2.0']) }
+ end
 end
diff --git a/spec/support/fixture_file_helper.rb b/spec/support/fixture_file_helper.rb
index 5a9599f..313ee35 100644
--- a/spec/support/fixture_file_helper.rb
+++ b/spec/support/fixture_file_helper.rb
@@ -5,7 +5,7 @@ module FixtureFileHelper
 ERB
 .new(content)
- .result(OpenStruct.new(data).send(:binding))
+ .result(OpenStruct.new(data).instance_eval { binding })
 end
 def fixture_file(path)
diff --git a/spec/support/integration_test_helper.rb b/spec/support/integration_test_helper.rb
index 52693f2..b25297c 100644
--- a/spec/support/integration_test_helper.rb
+++ b/spec/support/integration_test_helper.rb
@@ -92,6 +92,12 @@ module IntegrationTestHelper
 end
 end
+
+ def private_maven_host
+ @private_maven_host ||= ENV.fetch('PRIVATE_MAVEN_HOST').tap do |host|
+ add_host(host, ENV.fetch('PRIVATE_MAVEN_IP'))
+ end
+ end
+
 def runner(*args)
 @runner ||= IntegrationTestRunner.new(*args)
 end |
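Review bot: The new context passes `'LOG_LEVEL' => 'debug'` alongside `ADDITIONAL_CA_CERT_BUNDLE` in the `let(:report)`, which reads as leftover debugging rather than part of the scenario; `let(:report) { runner.scan(env: { 'ADDITIONAL_CA_CERT_BUNDLE' => bundle }) }` keeps the example about the certificate. The context also has no negative control: nothing shows that the same scan against `https://#{private_maven_host}/artifactory/mvn-cache` fails without the bundle, so an image whose JVM already trusts that host, or a Maven run that resolves `jackson-core` from a warm cache, would pass all three `specify` blocks without ever exercising the keytool import this release adds. A sibling example that scans the same pom with no `ADDITIONAL_CA_CERT_BUNDLE` and expects either a failed scan or a report whose `dependency_names` lacks `jackson-core` (whichever the runner surfaces on a TLS failure) would pin the behaviour the commit introduces. The `RSpec.describe "maven"` block this context belongs to starts outside the hunk.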
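Review bot: `.result(OpenStruct.new(data).instance_eval { binding })` still reaches the template's `<%= group_id %>` through `OpenStruct#method_missing` and a hand-built binding; since Ruby 2.5 `ERB#result_with_hash` does exactly this, so `.result_with_hash(data)` — dropping the `OpenStruct` round-trip altogether — is the idiomatic form, provided the project's Ruby is at least 2.5 (the callers visible in maven_spec already pass symbol keys, which is what `result_with_hash` expects). One behavioural difference to weigh: with `result_with_hash` a name missing from `data` raises `NameError` instead of rendering as empty via OpenStruct's `nil`, which is arguably what a fixture helper wants. The enclosing `fixture_file_content` definition starts outside the hunk.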
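Review bot: `private_maven_host` calls `ENV.fetch('PRIVATE_MAVEN_HOST')` and `ENV.fetch('PRIVATE_MAVEN_IP')` with no default, so on a machine without those variables the new maven_spec context errors with a bare `KeyError` raised from inside a `let`, rather than being skipped or failing with a message that names the missing configuration. Checking both up front and skipping when either is absent, e.g. `skip 'PRIVATE_MAVEN_HOST and PRIVATE_MAVEN_IP must be set' unless ENV.key?('PRIVATE_MAVEN_HOST') && ENV.key?('PRIVATE_MAVEN_IP')` in that context's `before`, keeps the rest of the suite runnable locally. The `||=` memoisation also means `add_host` runs as a side effect of the first read only, which is easy to miss; a comment such as `# first call also registers the host -> IP mapping via add_host` above the method makes it explicit. The `IntegrationTestHelper` module this method sits in extends beyond the hunk, and what `add_host` does is not visible here.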
