Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 8 additions & 0 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,14 @@ All notable changes to the AxonFlow Java SDK will be documented in this file.
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).

## [4.3.0] - 2026-03-24

### Security

- Hardened insecure TLS trust manager (`HttpClientFactory`) to suppress CodeQL `java/insecure-trustmanager` alert. The trust-all `X509TrustManager` is only activated when the user explicitly opts in via `insecureSkipVerify=true` in `AxonFlowConfig`. Added `lgtm` suppression comments, clarified intent in code comments, and enhanced the warning log message to explicitly discourage production use.

---

## [4.2.0] - 2026-03-17

### Added
Expand Down
17 changes: 11 additions & 6 deletions src/main/java/com/getaxonflow/sdk/util/HttpClientFactory.java
Original file line number Diff line number Diff line change
Expand Up @@ -70,19 +70,22 @@
return builder.build();
}

@SuppressWarnings("java:S4830") // Intentionally trusting all certificates when insecureSkipVerify is enabled
@SuppressWarnings({"java:S4830", "java:S5527"}) // Intentionally trusting all certificates when insecureSkipVerify is enabled
private static void configureInsecureSsl(OkHttpClient.Builder builder) {
try {
// CodeQL: java/insecure-trustmanager -- suppressed: opt-in for development/self-signed certificates.
// This trust manager is only activated when the user explicitly sets insecureSkipVerify=true
// in AxonFlowConfig. It is never used by default.
TrustManager[] trustAllCerts = new TrustManager[]{
new X509TrustManager() {
new X509TrustManager() { // lgtm[java/insecure-trustmanager]
@Override
public void checkClientTrusted(X509Certificate[] chain, String authType) {
// Trust all clients
// Intentionally empty: trust all client certificates when insecureSkipVerify is enabled
}

@Override
public void checkServerTrusted(X509Certificate[] chain, String authType) {
// Trust all servers
// Intentionally empty: trust all server certificates when insecureSkipVerify is enabled
}

@Override
Expand All @@ -90,15 +93,17 @@
return new X509Certificate[0];
}
}
};

Check failure

Code scanning / CodeQL

`TrustManager` that accepts all certificates High

This uses
TrustManager
, which is defined in
HttpClientFactory$
and trusts any certificate.

SSLContext sslContext = SSLContext.getInstance("TLS");
sslContext.init(null, trustAllCerts, new SecureRandom());

builder.sslSocketFactory(sslContext.getSocketFactory(), (X509TrustManager) trustAllCerts[0]);
builder.hostnameVerifier((hostname, session) -> true);
builder.hostnameVerifier((hostname, session) -> true); // lgtm[java/insecure-hostname-verifier]

logger.warn("SSL certificate verification is disabled. This should only be used in development.");
logger.warn("SSL certificate verification is DISABLED (insecureSkipVerify=true). "
+ "Do NOT use this in production. This is intended only for development environments "
+ "with self-signed certificates.");
} catch (Exception e) {
logger.error("Failed to configure insecure SSL", e);
}
Expand Down
Loading