CAMEL-23970: Mark sslEndpointAlgorithm as insecure SSL option#24668
Conversation
gnodet
left a comment
There was a problem hiding this comment.
Thank you for working on this, @gbhavya07. The annotation change itself is correct — sslEndpointAlgorithm is indeed an insecure-capable SSL option that should be flagged by the security policy framework. However, the PR is incomplete because the full build did not finish, so required generated files are missing.
Findings
1. Missing SecurityUtils.java update (blocking)
The auto-generated SECURITY_OPTIONS map in core/camel-util/src/main/java/org/apache/camel/util/SecurityUtils.java must include an entry for sslendpointalgorithm. This map is regenerated by the update-sensitive-helper mojo during the camel-catalog build phase. Since your build failed at camel-kserve (which is built before catalog), this file was never regenerated.
For reference, see how PR #24661 (camel-pinecone) includes the corresponding SecurityUtils.java change:
map.put("tls", new SecurityOption(INSECURE_SSL, VALUE_FALSE));Without this entry, the security policy framework cannot enforce policies on sslEndpointAlgorithm at runtime, which defeats the purpose of the annotation.
2. Missing catalog JSON update (blocking)
The catalog copy at catalog/camel-catalog/src/generated/resources/org/apache/camel/catalog/components/openai.json also needs to be regenerated to include the "security": "insecure:ssl" attribute. This is generated during the same catalog build phase.
3. Consider adding explicit insecureValue (suggestion)
The sslEndpointAlgorithm disables hostname verification for both empty string and "none" (see OpenAIEndpoint.java line 539). Without an explicit insecureValue on the annotation, the auto-generated SecurityUtils entry will default to "" (empty string), which only catches the empty-string case. Setting sslEndpointAlgorithm=none would not be detected as insecure.
This is a pre-existing limitation also present in strictHostKeyChecking, so it may be acceptable for now, but worth noting.
How to fix
To regenerate all required files, you need a successful full build. You can work around the camel-kserve failure by building with:
mvn clean install -DskipTests -pl :camel-openai -am && mvn clean install -DskipTests -pl :camel-catalog -amOr exclude the failing module:
mvn clean install -DskipTests -pl '!:camel-kserve'Then commit the regenerated SecurityUtils.java and openai.json (catalog copy).
Scanner coverage
No static analysis tools were run in this review (PMD, Checkstyle, SpotBugs, semgrep, Error Prone are not available in this environment). Compilation-dependent checks require CI.
Claude Code review on behalf of @gnodet
This review was generated by an AI agent and may contain inaccuracies. Please verify all suggestions before applying.
12fb51c to
eb35712
Compare
|
🌟 Thank you for your contribution to the Apache Camel project! 🌟 🐫 Apache Camel Committers, please review the following items:
|
davsclaus
left a comment
There was a problem hiding this comment.
The annotation change is correct and all generated files are now included — the prior CHANGES_REQUESTED concerns are fully addressed.
What looks good:
@UriParam(security = "insecure:ssl")onsslEndpointAlgorithmis the right annotation — setting this to""or"none"disables hostname verification.SecurityUtils.javaentry is consistent with similar options (stricthostkeychecking,x509hostnameverifier).- Both catalog JSON copies include the
"security": "insecure:ssl"attribute. - Commit message follows the
CAMEL-XXXX: descriptionconvention.
Observations (non-blocking):
camel-kafkahas the samesslEndpointAlgorithmoption without thesecurity = "insecure:ssl"annotation — a separate issue, not this PR's scope.- The
"none"insecure value gap is a pre-existing framework limitation already noted in the prior review.
This review does not replace specialized AI review tools or static analysis.
This review was generated by an AI agent and may contain inaccuracies. Please verify all suggestions before applying.
Claude Code on behalf of davsclaus
|
🧪 CI tested the following changed modules:
🔬 Scalpel shadow comparison — Scalpel: 559 tested, 28 compile-only — current: 558 all testedMaveniverse Scalpel detected 587 affected modules (current approach: 558).
|
Description
This PR addresses CAMEL-23970 by marking the
sslEndpointAlgorithmendpoint option as an insecure-capable SSL configuration.The
sslEndpointAlgorithmoption allows disabling TLS hostname verification by setting it to an empty value ornone. However, it was not annotated withsecurity = "insecure:ssl", preventing Camel's security policy framework from identifying it as an option that weakens SSL verification.This change adds the missing
security = "insecure:ssl"attribute to the@UriParamannotation inOpenAIConfigurationand regenerates the component metadata so the security metadata is reflected in the generatedopenai.json.Target
mainbranch)Tracking
Apache Camel coding standards and style
I checked that each commit in the pull request has a meaningful subject line and body.
I have run
mvn clean install -DskipTestslocally from root folder and I have committed all auto-generated changes.I ran ./mvnw clean install -DskipTests. The build fails in the unrelated camel-kserve module due to a protobuf-maven-plugin/protoc generation error. The camel-openai module builds successfully, and its tests pass.
AI-assisted contributions
Co-authored-bytrailers) and the PR description identifies the AI tool used.