Fix code scanning alert - Request without certificate validation #7

@flemk

Tracking issue for:

License check HTTPS request is made without certificate verification.
Since (at least in the Dockerfile) a self-signed certificate is generated, the request should be checked against it for security's sake:

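import requests

response = requests.get(
    ...,  # remaining arguments elided in the issue
    params=...,
    verify='/path/to/cert.pem',  # validate the server certificate against this file
)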
  • Give the user freedom to use a custom (pre-made) certificate
    • Possibility to inject a custom certificate -> ENV or mounted volume, to not use the self-signed certificate
  • Save the generated certificate in a volume so it won't get lost
  • For self-signed certificate verification it'd be necessary to ship the cert.pem to the end user in the licensed package
    • Invent a fancy way to inject the cert.pem into the package or remind the user in README / HOWTO to add the cert.pem to the package
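
One way to wire the ENV-or-mounted-volume certificate from the list above into the request while keeping validation mandatory, as an added example that is not code from this repository. The variable name `LICENSE_CA_CERT`, the path `/certs/cert.pem` and the function names are assumptions.

```python
import os
import ssl

CA_ENV_VAR = "LICENSE_CA_CERT"      # hypothetical variable name
CA_VOLUME_PATH = "/certs/cert.pem"  # hypothetical mounted-volume location


def ca_bundle_path(env=None, default=CA_VOLUME_PATH):
    """Pick the certificate file: the ENV override wins, else the mounted volume."""
    env = os.environ if env is None else env
    return env.get(CA_ENV_VAR) or default


def checked_ca_bundle(path):
    """Return path only if it holds at least one loadable PEM certificate.

    Fails closed: a missing or malformed file raises, so the caller never
    has a reason to fall back to verify=False.
    """
    if not os.path.isfile(path):
        raise FileNotFoundError(f"CA certificate not found: {path}")
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        # Parses the PEM file only; no socket is opened.
        ctx.load_verify_locations(cafile=path)
    except OSError as exc:  # ssl.SSLError is an OSError subclass
        raise ValueError(f"{path} cannot be loaded as a PEM certificate") from exc
    return path


def license_request(url, params, env=None):
    """License check with certificate validation tied to the configured file."""
    import requests  # imported lazily so the helpers above work without it

    verify = checked_ca_bundle(ca_bundle_path(env))
    return requests.get(url, params=params, verify=verify, timeout=10)
```

Running `checked_ca_bundle` once at container start surfaces a lost or corrupted certificate before the first license check is attempted.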
