
fix(cve): add trust_env=True to honor HTTP_PROXY/HTTPS_PROXY environment variables #6601

Open
ttuuxxeerr wants to merge 1 commit into OpenCTI-Platform:master from ttuuxxeerr:fix/cve-proxy-trust-env

Conversation

@ttuuxxeerr


Proposed changes

  • Added trust_env=True to aiohttp.ClientSession() in external-import/cve/src/services/client/api.py to honor HTTP_PROXY and HTTPS_PROXY environment variables
  • Fixed CVE connector connectivity issues behind corporate proxies where direct outbound connections are blocked

Related issues

Checklist

  • I consider the submitted work as finished
  • I have signed my commits using GPG key.
  • I tested the code for its functionality using different use cases
  • I added/updated the relevant documentation (either on github or on notion)
  • Where necessary I refactored code to improve the overall quality

Further comments

This is a minimal one-line fix that addresses a critical connectivity issue for users behind corporate proxies.

Problem: The CVE connector was ignoring HTTP_PROXY and HTTPS_PROXY environment variables when making requests to the NVD API.

Root Cause: aiohttp.ClientSession was created without trust_env=True.

Solution: Added trust_env=True to the ClientSession() constructor.

Testing: Verified that the connector now works behind a corporate Squid proxy.

Impact: Enables the CVE connector to work in corporate environments where all outbound traffic must go through a proxy.

The CVE connector was ignoring HTTP_PROXY/HTTPS_PROXY environment variables
because aiohttp.ClientSession defaults to trust_env=False.

This fix allows the connector to work behind corporate proxies that require
all outbound traffic through a proxy (e.g., Squid).

Fixes connectivity issues for users behind corporate proxies where:
- DNS resolution only works through the proxy
- Direct outbound connections are blocked by firewall

Related: aiohttp requires explicit proxy configuration or trust_env=True
to honor environment variables.
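
The behaviour described in this pull request, as an added example that is not code from the PR or from the OpenCTI connector: the same request is sent twice with `http_proxy` set, once with the `aiohttp.ClientSession` default and once with `trust_env=True`. `fake_proxy`, `fetch`, `compare` and `TARGET` are hypothetical names, and the target is a constructed plain-HTTP URL on a reserved documentation address rather than the real HTTPS NVD API, so that a few lines of asyncio can stand in for the proxy.

```python
import asyncio
import os

import aiohttp

# Constructed target: 192.0.2.1 is a reserved documentation address (TEST-NET-1),
# standing in for an API host that cannot be reached directly.
TARGET = "http://192.0.2.1/rest/json/cves/2.0"
PROXY_VARS = ("http_proxy", "HTTP_PROXY", "no_proxy", "NO_PROXY")


async def fake_proxy(reader, writer):
    """Stand-in forward proxy: echo the request line back as the response body."""
    request_line = (await reader.readline()).strip()
    while (await reader.readline()) not in (b"\r\n", b""):
        pass  # discard the request headers
    writer.write(b"HTTP/1.1 200 OK\r\nContent-Length: %d\r\n"
                 b"Connection: close\r\n\r\n%s" % (len(request_line), request_line))
    await writer.drain()
    writer.close()


async def fetch(trust_env: bool) -> str:
    """Request TARGET; the only difference between calls is trust_env."""
    timeout = aiohttp.ClientTimeout(total=2)
    try:
        async with aiohttp.ClientSession(trust_env=trust_env, timeout=timeout) as session:
            async with session.get(TARGET) as resp:
                return (await resp.read()).decode()
    except (aiohttp.ClientError, asyncio.TimeoutError) as exc:
        return f"direct attempt failed: {type(exc).__name__}"


async def compare() -> dict:
    """Point http_proxy at the local stand-in proxy and run both session modes."""
    server = await asyncio.start_server(fake_proxy, "127.0.0.1", 0)
    port = server.sockets[0].getsockname()[1]
    saved = {name: os.environ.pop(name, None) for name in PROXY_VARS}
    os.environ["http_proxy"] = f"http://127.0.0.1:{port}"
    try:
        async with server:
            return {"default": await fetch(False), "trust_env": await fetch(True)}
    finally:
        os.environ.pop("http_proxy", None)
        os.environ.update({k: v for k, v in saved.items() if v is not None})


if __name__ == "__main__":
    print(asyncio.run(compare()))
```

With `trust_env=True` the session sends traffic to whatever proxy the process environment names, so the environment the connector runs under (container definition, service unit, shell profile) decides where its outbound requests go and should be reviewed with the same care as the connector's own configuration.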
filigran-cla-bot (bot) added the "cla:pending" label (CLA signature required.) Jun 3, 2026

@filigran-cla-bot

filigran-cla-bot Bot commented Jun 3, 2026


Contributor License Agreement

CLA signed 💚

Thank you @ttuuxxeerr for signing the Contributor License Agreement! Your pull request can now be reviewed and merged.

We appreciate your contribution to Filigran's open source projects! ❤️

This is an automated message from the Filigran CLA Bot.

filigran-cla-bot (bot) removed the "cla:pending" label (CLA signature required.) Jun 3, 2026