ibm-odm-decision-mcp-server

The server has configurable authentication methods including Basic Auth, Zen API Key, and OpenID Connect (Client Secret/PKJWT), as well as mTLS. However, there are notable security concerns: 1. **Weakened TLS Verification (Conditional):** If `--ssl-cert-path` is used for SSL/TLS verification (e.g., with self-signed certificates) while `--verifyssl` is `True` (default), the custom `CustomHTTPAdapter` disables hostname verification (`assert_hostname = False`). This can make the connection vulnerable to Man-in-the-Middle (MITM) attacks, even if the certificate itself is trusted. 2. **Hardcoded Default Credentials:** The `argparse` module defaults for `--username` and `--password` are `odmAdmin`, which is a common security anti-pattern. While these can be overridden by environment variables or CLI arguments, using defaults in production without changing them is a significant risk. 3. **Explicit SSL Disablement:** The `--verifyssl "False"` option explicitly disables SSL/TLS certificate verification. While documented for dev/test, its misuse in production can lead to severe vulnerabilities. These issues, particularly the conditional weakening of TLS security and hardcoded defaults, lower the overall security score.