From e6f022b5459cfb8973e4d11473ad573c6831a7f5 Mon Sep 17 00:00:00 2001
From: Stefan Kalscheuer
Date: Tue, 22 Oct 2024 21:05:55 +0200
Subject: [PATCH] fix: do not set legacy proxy from maven or env (#7072) (#7074)

The Apache HTTPClient based downloader supports http(s).proxy* properties, so we do not need to use legacy logic. In legacy mode http.nonProxyHosts is not honored, so setting both leads to issues due to missing proxy selectors. Omit populating legacy properties resolves this issue. In addition, we have to move the password decryption from Maven settings up, so it actually works.

Signed-off-by: Stefan Kalscheuer
---
 .../maven/BaseDependencyCheckMojo.java | 43 ++++---------------
 1 file changed, 8 insertions(+), 35 deletions(-)

diff --git a/maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java b/maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java
index a1def01981c..aca91bd1fca 100644
--- a/maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java
+++ b/maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java
@@ -2212,46 +2212,19 @@ protected void populateSettings() {
 if (mavenProxy.getUsername() != null && !mavenProxy.getUsername().isEmpty()) {
 System.setProperty("https.proxyUser", mavenProxy.getUsername());
 }
- if (mavenProxy.getPassword() != null && !mavenProxy.getPassword().isEmpty()) {
- System.setProperty("https.proxyPassword", mavenProxy.getPassword());
+ String password = mavenProxy.getPassword();
+ if (password != null && !password.isEmpty()) {
+ try {
+ password = decryptPasswordFromSettings(password);
+ } catch (SecDispatcherException ex) {
+ password = handleSecDispatcherException("proxy", mavenProxy.getId(), password, ex);
+ }
+ System.setProperty("https.proxyPassword", password);
 }
 if (mavenProxy.getNonProxyHosts() != null && !mavenProxy.getNonProxyHosts().isEmpty()) {
 System.setProperty("http.nonProxyHosts", mavenProxy.getNonProxyHosts());
 }
 }
-
- settings.setString(Settings.KEYS.PROXY_SERVER, mavenProxy.getHost());
- settings.setString(Settings.KEYS.PROXY_PORT, Integer.toString(mavenProxy.getPort()));
- final String userName = mavenProxy.getUsername();
- String password = mavenProxy.getPassword();
- if (password != null && !password.isEmpty()) {
- if (settings.getBoolean(Settings.KEYS.PROXY_DISABLE_SCHEMAS, true)) {
- System.setProperty("jdk.http.auth.tunneling.disabledSchemes", "");
- }
- try {
- password = decryptPasswordFromSettings(password);
- } catch (SecDispatcherException ex) {
- password = handleSecDispatcherException("proxy", mavenProxy.getId(), password, ex);
- }
- }
- settings.setStringIfNotNull(Settings.KEYS.PROXY_USERNAME, userName);
- settings.setStringIfNotNull(Settings.KEYS.PROXY_PASSWORD, password);
- settings.setStringIfNotNull(Settings.KEYS.PROXY_NON_PROXY_HOSTS, mavenProxy.getNonProxyHosts());
- } else if (System.getProperty("http.proxyHost") != null) {
- //else use standard Java system properties
- settings.setString(Settings.KEYS.PROXY_SERVER, System.getProperty("http.proxyHost", ""));
- if (System.getProperty("http.proxyPort") != null) {
- settings.setString(Settings.KEYS.PROXY_PORT, System.getProperty("http.proxyPort"));
- }
- if (System.getProperty("http.proxyUser") != null) {
- settings.setString(Settings.KEYS.PROXY_USERNAME, System.getProperty("http.proxyUser"));
- }
- if (System.getProperty("http.proxyPassword") != null) {
- settings.setString(Settings.KEYS.PROXY_PASSWORD, System.getProperty("http.proxyPassword"));
- }
- if (System.getProperty("http.nonProxyHosts") != null) {
- settings.setString(Settings.KEYS.PROXY_NON_PROXY_HOSTS, System.getProperty("http.nonProxyHosts"));
- }
 } else if (this.proxy != null && this.proxy.getHost() != null) {
 // or use configured
 settings.setString(Settings.KEYS.PROXY_SERVER, this.proxy.getHost());
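Review bot: The decrypted Maven proxy password is now written to the JVM-wide `https.proxyPassword` system property by the added `System.setProperty("https.proxyPassword", password);`. Before this patch that property only received the raw settings.xml value, and the decrypted one went into `Settings`. Every other plugin in the same Maven JVM, and any output that lists system properties, can read the cleartext from that point on. Consider restoring or clearing the property once the scan has finished, and at minimum mark the line with `// decrypted secret: visible JVM-wide through this property`. The result of `handleSecDispatcherException(...)` is also stored unconditionally; that helper is not visible here, so confirm what it returns when decryption fails and whether the property should be left unset in that case. `populateSettings()` starts and ends outside this hunk.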