diff --git a/src/pkg/scan/util.go b/src/pkg/scan/util.go index e66e657f4..8cb88a88f 100644 --- a/src/pkg/scan/util.go +++ b/src/pkg/scan/util.go @@ -15,7 +15,6 @@ package scan import ( - "crypto/tls" "fmt" "net/http" @@ -30,24 +29,25 @@ import ( "github.com/opencontainers/go-digest" ocispec "github.com/opencontainers/image-spec/specs-go/v1" + commonhttp "github.com/goharbor/harbor/src/common/http" + "github.com/goharbor/harbor/src/lib/log" "github.com/goharbor/harbor/src/pkg/robot/model" v1sq "github.com/goharbor/harbor/src/pkg/scan/rest/v1" ) -// Insecure ... -type Insecure bool - // RemoteOptions ... -func (i Insecure) RemoteOptions() []remote.Option { +func RemoteOptions() []remote.Option { tr := http.DefaultTransport.(*http.Transport).Clone() - tr.TLSClientConfig = &tls.Config{InsecureSkipVerify: bool(i)} + if commonhttp.InternalEnableVerifyClientCert() { + tlsConfig, err := commonhttp.GetInternalTLSConfig() + if err != nil { + log.Errorf("SBOM client load cert file with err: %v", err) + } + tr.TLSClientConfig = tlsConfig + } return []remote.Option{remote.WithTransport(tr)} } -type referrer struct { - Insecure -} - // GenAccessoryArt composes the accessory oci object and push it back to harbor core as an accessory of the scanned artifact. func GenAccessoryArt(sq v1sq.ScanRequest, accData []byte, accAnnotations map[string]string, mediaType string, robot *model.Robot) (string, error) { accArt, err := mutate.Append(empty.Image, mutate.Addendum{ @@ -92,7 +92,7 @@ func GenAccessoryArt(sq v1sq.ScanRequest, accData []byte, accAnnotations map[str if err != nil { return "", err } - opts := append(referrer{Insecure: true}.RemoteOptions(), remote.WithAuth(&authn.Basic{Username: robot.Name, Password: robot.Secret})) + opts := append(RemoteOptions(), remote.WithAuth(&authn.Basic{Username: robot.Name, Password: robot.Secret})) if err := remote.Write(accRef, accArt, opts...); err != nil { return "", err }