I am looking at a Microservices Gradle project which has been flagged by a CodeQL scan with the alert: "'TrustManager' that accepts all certificates".
When I looked into the alert, the class being reported is ApiClient.java, which is a class autogenerated by the OpenApi generator:
/build/.../gen/.../ApiClient.java
Since this class is autogenerated, we can't directly modify the code to circumvent the CodeQL alert. Before even looking at the issue related to that CodeQL alert, my first questions are:
How does the OpenApi generator generate the ApiClient class? I looked and found some YAML templates here:
/src/main/resources/swagger/XXX.yaml
These files depict the contracts to the biz/service endpoints, but I didn't see anything that might be dictating how the ApiClient class is being generated.
If I missed it, what would be likely names for such a template that OpenApi uses to generate ApiClient? I tried looking for '.yaml' and '.mustache', to no avail.
If no template is specified, does OpenApi just generate the ApiClient class based on a default? This doesn't seem likely...
Can we change it, so we have control over how ApiClient.java is generated?
Fwiw, these are the related dependencies specified in build.gradle:
- '.springdoc:springdoc-openapi-gradle-plugin:1.9.0'
- '.openapitools:openapi-generator-cli:7.10.0'
Does anyone have any info/knowledge on this? Please kindly help with some pointers so I can look into