Versions Compared

Version Old Version 24 New Version 25
Changes made by

Victor Wang

Victor Wang

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

If this is the case, we recommend to do the following:

...

You can build a custom Docker images that embeds your own valid SSL certificates

Make sure you have valid certificates that are able to call api.securetheorem.com

...

Code Block
*   Trying 34.149.167.254:443...
* TCP_NODELAY set
* Connected to api.securetheorem.com (34.149.167.254) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=api.securetheorem.com
*  start date: Jun 19 00:50:43 2024 GMT
*  expire date: Sep 17 01:41:53 2024 GMT
*  subjectAltName: host "api.securetheorem.com" matched cert's "api.securetheorem.com"
*  issuer: C=US; O=Google Trust Services; CN=WR3
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x56435e7a8340)
> GET /apis/devops/v1/sast_checks_download_link HTTP/2
> Host: api.securetheorem.com
> user-agent: curl/7.68.0
> accept: */*
> 
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* Connection state changed (MAX_CONCURRENT_STREAMS == 100)!
< HTTP/2 401 
HTTP/2 401 
< content-type: application/json
content-type: application/json
< vary: Accept
vary: Accept
< cache-control: no-store
cache-control: no-store
< x-cloud-trace-context: cd829e04213d00117752acf8010832f9;o=1
x-cloud-trace-context: cd829e04213d00117752acf8010832f9;o=1
< date: Wed, 10 Jul 2024 10:14:41 GMT
date: Wed, 10 Jul 2024 10:14:41 GMT
< server: Google Frontend
server: Google Frontend
< content-length: 29
content-length: 29
< alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
< alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
< via: 1.1 google
via: 1.1 google
< x-xss-protection: 1; mode=block
x-xss-protection: 1; mode=block
< content-security-policy: default-src 'none'; object-src 'none'; frame-ancestors 'none'; report-uri https://o1421491.ingest.sentry.io/api/6767243/security/?sentry_key=e958eee4d16443b4a6674cda8c008ca7
content-security-policy: default-src 'none'; object-src 'none'; frame-ancestors 'none'; report-uri https://o1421491.ingest.sentry.io/api/6767243/security/?sentry_key=e958eee4d16443b4a6674cda8c008ca7
< expires: 0
expires: 0
< x-frame-options: DENY
x-frame-options: DENY
< referrer-policy: origin
referrer-policy: origin
< pragma: no-cache
pragma: no-cache
< x-content-type-options: nosniff
x-content-type-options: nosniff
< strict-transport-security: max-age=31536000; includeSubDomains; preload
strict-transport-security: max-age=31536000; includeSubDomains; preload

< 
* Connection #0 to host api.securetheorem.com left intact
{"title": "401 Unauthorized"}(.venv) victor@vw-datatheorem:~/Workspace/scandal-server/on_prem_scanner$ curl -v https://api.securetheorem.com/apis/devops/v1/sast_checks_download_link
*   Trying 34.149.167.254:443...
* TCP_NODELAY set
* Connected to api.securetheorem.com (34.149.167.254) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=api.securetheorem.com
*  start date: Jun 19 00:50:43 2024 GMT
*  expire date: Sep 17 01:41:53 2024 GMT
*  subjectAltName: host "api.securetheorem.com" matched cert's "api.securetheorem.com"
*  issuer: C=US; O=Google Trust Services; CN=WR3
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x55e36eefc340)
> GET /apis/devops/v1/sast_checks_download_link HTTP/2
> Host: api.securetheorem.com
> user-agent: curl/7.68.0
> accept: */*
> 
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* Connection state changed (MAX_CONCURRENT_STREAMS == 100)!
< HTTP/2 401 
< content-type: application/json
< vary: Accept
< cache-control: no-store
< x-cloud-trace-context: d93feb47ce573d06071f2b54ce0b87f2;o=1
< date: Wed, 10 Jul 2024 10:16:24 GMT
< server: Google Frontend
< content-length: 29
< alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
< alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
< via: 1.1 google
< x-xss-protection: 1; mode=block
< content-security-policy: default-src 'none'; object-src 'none'; frame-ancestors 'none'; report-uri https://o1421491.ingest.sentry.io/api/6767243/security/?sentry_key=e958eee4d16443b4a6674cda8c008ca7
< expires: 0
< x-frame-options: DENY
< referrer-policy: origin
< pragma: no-cache
< x-content-type-options: nosniff
< strict-transport-security: max-age=31536000; includeSubDomains; preload
< 
* Connection #0 to host api.securetheorem.com left intact
{"title": "401 Unauthorized"}

In this example, we can see that the certificates at /etc/ssl/certs/ca-certificates.crt (location may vary on your machine)

Note: the unauthorized response is expected, we are just checking the SSL verification here

Since the Data Theorem SAST scanner is running inside a Docker container, which may you have the certificates that can make valid calls for your proxy, we can mount the host machine’s SSL certificates directory in the Docker container and add a parameter to let the scanner know where to look for SSL certificates.
This can be done like this:

...

from the machine that is running the Data Theorem On-Prem Scanner

The Dockerfile would look like this

Code Block
FROM us-central1-docker.pkg.dev/prod-scandal-us/datatheorem-sast/datatheorem-sast:latest

# Copy SSL certificates to add
COPY --from=<YOUR_SOURCE> <PATH_TO_YOUR_SSL_CERTS> /usr/share/ca-certificates/custom

# Add certificates to /etc/ca-certificates.conf
RUN for crt in /usr/share/ca-certificates/custom/*.crt; do \
        echo "Adding $crt" && echo "custom/$(basename "$crt")" >> /etc/ca-certificates.conf; \
    done

# Update bundled CA certificates at /etc/ssl/certs/ca-certificates.crt
RUN update-ca-certificates
ENV DT_SAST_PATH_TO_SSL_CERTS_FILE=/etc/ssl/certs/ca-certificates.crt

  • If this is not working, please contact support@datatheorem.com for help