From e234f015d2536843aa2b75417d41e74ec3f523e8 Mon Sep 17 00:00:00 2001
From: BoxBoxJason
Date: Tue, 2 Jun 2026 01:58:45 +0200
Subject: [PATCH] docs: warn about insecure TLS configuration on TransportConfig

Signed-off-by: BoxBoxJason
---
 sonar/transport.go | 22 ++++++++++++++++++----
 1 file changed, 18 insertions(+), 4 deletions(-)

diff --git a/sonar/transport.go b/sonar/transport.go
index 4693ab4..41a10b8 100644
--- a/sonar/transport.go
+++ b/sonar/transport.go
@@ -9,11 +9,25 @@ import (
 // TransportConfig holds configuration for the SDK-managed HTTP transport.
 // It is ignored when WithHTTPClient is also used.
 type TransportConfig struct {
- TLSClientConfig *tls.Config
- MaxIdleConns int
- IdleConnTimeout time.Duration
+ // TLSClientConfig customizes the TLS settings used for HTTPS connections.
+ //
+ // Security warning: setting TLSClientConfig.InsecureSkipVerify to true
+ // disables server certificate verification, which exposes the connection to
+ // man-in-the-middle attacks and can leak the auth token and source-code
+ // metadata exchanged with SonarQube. Only use it against a trusted local or
+ // development instance, never in production.
+ TLSClientConfig *tls.Config
+ // MaxIdleConns controls the maximum number of idle (keep-alive) connections
+ // across all hosts. Zero means no limit.
+ MaxIdleConns int
+ // IdleConnTimeout is the maximum time an idle connection is kept before
+ // closing. Zero means no limit.
+ IdleConnTimeout time.Duration
+ // TLSHandshakeTimeout is the maximum time to wait for a TLS handshake.
+ // Zero means no timeout.
 TLSHandshakeTimeout time.Duration
- DisableCompression bool
+ // DisableCompression disables transparent gzip request/response compression.
+ DisableCompression bool
 }
 
 // buildTransport creates an *http.Transport from cfg.
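Review bot: The new DisableCompression comment is inaccurate: net/http's Transport never compresses request bodies, and its DisableCompression only stops the transport from adding `Accept-Encoding: gzip` and transparently decompressing gzip responses, so "request/response compression" overstates what the flag controls; suggest `// DisableCompression stops the transport from requesting gzip-encoded responses (Accept-Encoding: gzip) and transparently decompressing them; it has no effect on request bodies.` The InsecureSkipVerify warning on TLSClientConfig names the risk but not the safe path for the self-signed instances it is aimed at; consider adding `// Prefer trusting the instance's CA via TLSClientConfig.RootCAs (an *x509.CertPool) over disabling verification.` so readers are steered to the correct fix. The "Zero means no limit" / "Zero means no timeout" statements match http.Transport's own semantics only if buildTransport copies these fields straight onto the *http.Transport; buildTransport's body is outside this hunk, so if it applies defaults or adjusts zero values the comments should say so.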