Add an option to ignore invalid certificates when cloning Git repos

[ggbce]

I would like to use NoseyParker to scan or git projects on our internal GitLab server where it is on LAN area and use also an internal enterprise certificate. When I launch a scan I got this error:

fatal: unable to get access to 'https://myserver.local'/test/project1' : Server certificate verification failed. CAfile: non CRLfile: none

---

If I use my web browser, it work fine. Yes, Firefox or Chrome give me a warning when I try to access it from a Linux machine where is not a Windows member of the domain, but I can accept the unknown certificate. Does it possible to improve to accept unknown certificates like --ignore-invalidcertificate ?

[bradlarsen]

@ggbce are you running Nosey Parker using the Docker image?

[bradlarsen]

A workaround: clone the Git repos you want to scan separately, outside of Nosey Parker, and then scan the local clones.

[ggbce]

No. I run the compiled application (v0.16.0 x86_64) released on December 6th on Kali Linux.

…

___________________________ Avis de confidentialité : Les renseignements contenus dans le présent courriel incluant les pièces jointes peuvent contenir des renseignements confidentiels ou protégés en vertu de la loi ou visés par le secret professionnel. Si vous n'êtes pas le destinataire prévu, veuillez prendre note que la divulgation, la distribution ou la reproduction de cette communication est strictement interdite. Si vous avez reçu cette communication par erreur, veuillez immédiatement en avertir l'expéditeur par téléphone ou par courriel et supprimer la communication de votre appareil fixe ou mobile, sans en faire de copie.

[bradlarsen]

If I understand right, https://myserver.local has a self-signed certificate, or something like that?

What happens if you try a regular git clone 'https://myserver.local/test/project1' from the command line? You probably need to do something like GIT_SSL_NO_VERIFY=true git clone 'https://myserver.local/test/project1' to make it successful?

[munntjlx]

What does the full commandline invocation look like?

[ggbce]

Like @bradlarsen said. It's to talk with a local server (self-signed or internal authority certification).

./noseyparker scan --datastore project1 --git-url https://myserver.mydomain.local/test/project1

If I would like to make a "git" command. I didn't do it normally from a Linux machine. All dev teams use their Windows machines where they are on the domain. But for the purpose and find how to allow NoseyParker to make the scan from a machine where the certificate is consderated not valid... If I try to clone I should use:

git -c http.sslVerify=false clone "https://myserver.mydomain.local/test/project1"

[ggbce]

NOTE:
The suggestion to clone first to create a local copy, then scan locally may work... but is not very productive. Imagine a situation where you have a ton of projects to validate. Copying all this data, analyze it, then delete it.

My goal is to automate the scan on periodic base to ensure a high level of security.

[bradlarsen]

The suggestion to clone first to create a local copy, then scan locally may work... but is not very productive. Imagine a situation where you have a ton of projects to validate. Copying all this data, analyze it, then delete it.

Indeed! I left that comment as a workaround — the idea was to provide a path that makes what you're trying to do possible, until Nosey Parker has more suitable built-in support for your use case.