feat: add flag to disable ssl verify

main.go

@@ -78,6 +78,7 @@ var (
 	includeDetectors     = cli.Flag("include-detectors", "Comma separated list of detector types to include. Protobuf name or IDs may be used, as well as ranges.").Default("all").String()
 	excludeDetectors     = cli.Flag("exclude-detectors", "Comma separated list of detector types to exclude. Protobuf name or IDs may be used, as well as ranges. IDs defined here take precedence over the include list.").String()
 	jobReportFile        = cli.Flag("output-report", "Write a scan report to the provided path.").Hidden().OpenFile(os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0666)
+	SslVerify            = cli.Flag("ssl-verify", "Whether to verify the SSL certificates when making requests.").Default("true").Bool()
 
 	noVerificationCache = cli.Flag("no-verification-cache", "Disable verification caching").Bool()
 
@@ -283,7 +284,7 @@ func init() {
 
 	cmd = kingpin.MustParse(cli.Parse(os.Args[1:]))
 
-	// Configure logging.
+	// Configure log level.
 	switch {
 	case *trace:
 		log.SetLevel(5)
@@ -304,6 +305,11 @@ func init() {
 			log.SetLevel(l)
 		}
 	}
+
+	// Disable certificate validation, if specified.
+	if !*SslVerify {
+		common.VerifySsl = false
+	}
 }
 
 func main() {

pkg/common/http.go

@@ -204,23 +204,33 @@ func RetryableHTTPClientTimeout(timeOutSeconds int64, opts ...ClientOption) *htt
 
 const DefaultResponseTimeout = 5 * time.Second
 
-var saneTransport = &http.Transport{
-	Proxy: http.ProxyFromEnvironment,
-	DialContext: (&net.Dialer{
-		Timeout:   2 * time.Second,
-		KeepAlive: 5 * time.Second,
-	}).DialContext,
-	MaxIdleConns:          5,
-	IdleConnTimeout:       5 * time.Second,
-	TLSHandshakeTimeout:   3 * time.Second,
-	ExpectContinueTimeout: 1 * time.Second,
+var VerifySsl = true
+
+func saneTransport() *http.Transport {
+	t := &http.Transport{
+		Proxy: http.ProxyFromEnvironment,
+		DialContext: (&net.Dialer{
+			Timeout:   2 * time.Second,
+			KeepAlive: 5 * time.Second,
+		}).DialContext,
+		MaxIdleConns:          5,
+		IdleConnTimeout:       5 * time.Second,
+		TLSHandshakeTimeout:   3 * time.Second,
+		ExpectContinueTimeout: 1 * time.Second,
+	}
+
+	// Disable TLS certificate validation.
+	if !VerifySsl {
+		t.TLSClientConfig = &tls.Config{InsecureSkipVerify: true}
+	}
+	return t
 }
 
 func SaneHttpClient() *http.Client {
-	httpClient := &http.Client{}
-	httpClient.Timeout = DefaultResponseTimeout
-	httpClient.Transport = NewCustomTransport(saneTransport)
-	return httpClient
+	client := &http.Client{}
+	client.Timeout = DefaultResponseTimeout
+	client.Transport = NewCustomTransport(saneTransport())
+	return client
 }
 
 // SaneHttpClientTimeOut adds a custom timeout for some scanners

pkg/detectors/jdbc/mysql.go

@@ -10,6 +10,8 @@ import (
 	logContext "github.com/trufflesecurity/trufflehog/v3/pkg/context"
 
 	"github.com/go-sql-driver/mysql"
+
+	"github.com/trufflesecurity/trufflehog/v3/pkg/common"
 )
 
 type mysqlJDBC struct {
@@ -51,20 +53,27 @@ func isMySQLErrorDeterminate(err error) bool {
 	return false
 }
 
+const defaultParams = "timeout=5s"
+
 func parseMySQL(_ logContext.Context, subname string) (jdbc, error) {
 	// expected form: [subprotocol:]//[user:password@]HOST[/DB][?key=val[&key=val]]
 	if !strings.HasPrefix(subname, "//") {
 		return nil, errors.New("expected host to start with //")
 	}
 
+	params := defaultParams
+	if !common.VerifySsl {
+		params = defaultParams + "&tls=skip-verify"
+	}
+
 	// need for hostnames that have tcp(host:port) format required by this database driver
 	cfg, err := mysql.ParseDSN(strings.TrimPrefix(subname, "//"))
 	if err == nil {
 		return &mysqlJDBC{
 			conn:     subname[2:],
 			userPass: cfg.User + ":" + cfg.Passwd,
 			host:     fmt.Sprintf("tcp(%s)", cfg.Addr),
-			params:   "timeout=5s",
+			params:   params,
 		}, nil
 	}
 
@@ -97,7 +106,7 @@ func parseMySQL(_ logContext.Context, subname string) (jdbc, error) {
 		conn:     subname[2:],
 		userPass: userAndPass,
 		host:     fmt.Sprintf("tcp(%s)", u.Host),
-		params:   "timeout=5s",
+		params:   params,
 	}, nil
 
 }

pkg/detectors/jdbc/postgres.go

@@ -10,6 +10,8 @@ import (
 	logContext "github.com/trufflesecurity/trufflehog/v3/pkg/context"
 
 	"github.com/lib/pq"
+
+	"github.com/trufflesecurity/trufflehog/v3/pkg/common"
 )
 
 type postgresJDBC struct {
@@ -90,7 +92,9 @@ func parsePostgres(_ logContext.Context, subname string) (jdbc, error) {
 		}
 	}
 
-	if v := u.Query()["sslmode"]; len(v) > 0 {
+	if !common.VerifySsl {
+		params["sslmode"] = "disable"
+	} else if v := u.Query()["sslmode"]; len(v) > 0 {
 		switch v[0] {
 		// https://www.postgresql.org/docs/current/libpq-ssl.html#LIBPQ-SSL-PROTECTION
 		case "disable", "allow", "prefer",

pkg/detectors/jdbc/sqlserver.go

@@ -10,6 +10,8 @@ import (
 	logContext "github.com/trufflesecurity/trufflehog/v3/pkg/context"
 
 	mssql "github.com/microsoft/go-mssqldb"
+
+	"github.com/trufflesecurity/trufflehog/v3/pkg/common"
 )
 
 type sqlServerJDBC struct {
@@ -69,7 +71,7 @@ func parseSqlServer(ctx logContext.Context, subname string) (jdbc, error) {
 		}
 	}
 
-	urlStr := fmt.Sprintf("sqlserver://sa:%s@%s:%s?database=master&connection+timeout=5", password, host, port)
+	urlStr := fmt.Sprintf("sqlserver://sa:%s@%s:%s?database=master&connection+timeout=5&TrustServerCertificate=%t", password, host, port, common.VerifySsl)
 	jdbcUrl, err := url.Parse(urlStr)
 	if err != nil {
 		ctx.Logger().WithName("jdbc").