Posted to users@maven.apache.org by "Marziou, Gael" <ga...@hp.com> on 2007/10/04 12:16:35 UTC

How to secure maven against code injection

Hello,

Maven dependency management can be a security breach if naively implemented, by enabling injection of 3rd party code into your application that gets deployed in production.

So, I came up with some defensive approaches and I would like people to review them from their experience and maybe point to references or issues.

1. Developers can access internet repositories through a managed cache repository in the intranet (e.g. Artifactory)
2. Official builds can download dependencies only from an internal repository that is managed by a "librarian"


I am thinking of switching between #1 and #2 mode by using profiles to enable developers to dry-run an official build in their sandbox before building on the continuous integration server, but I'm not sure whether profiles can let me switch between different contexts which define different mirrors or proxies.

Does my approach make sense?

Thanks,

Gael
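The following `settings.xml` is an added example illustrating mode #2 (official builds resolve only from the librarian's repository); it is not part of the original post. In Maven, `<mirrors>` and `<proxies>` are top-level settings elements and cannot be declared inside a `<profile>` (profiles in `settings.xml` carry only `<repositories>`, `<pluginRepositories>` and `<properties>`), so the switch between the two modes is done by selecting an alternate settings file with `mvn -s`. The hostnames, repository ids and file name are assumptions.

```xml
<!-- settings-official.xml (constructed example; hostnames and ids are assumed).
     Used for official builds and for developers dry-running an official build:
         mvn -s settings-official.xml clean install
     The developer variant for mode #1 is identical except that <url> points at
     the intranet cache repository (e.g. Artifactory) instead of the curated one. -->
<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:schemaLocation="http://maven.apache.org/SETTINGS/1.0.0
                              http://maven.apache.org/xsd/settings-1.0.0.xsd">

  <!-- mirrorOf "*" redirects every remote repository, including any <repository>
       declared in the project POM or in a transitive dependency's POM, to the
       librarian's repository. A dependency cannot pull in its own repository URL
       and slip an unreviewed artifact past the curated set. -->
  <mirrors>
    <mirror>
      <id>librarian</id>
      <mirrorOf>*</mirrorOf>
      <name>Internal curated repository (mode 2)</name>
      <url>https://repo.example.internal/librarian/</url>
    </mirror>
  </mirrors>

  <!-- No proxy is configured: the official build host should have no route to
       external repositories, so a misconfigured mirror fails loudly instead of
       silently downloading from the internet. -->
  <proxies/>

</settings>
```

Because the mirror is resolved from settings rather than from the POM, the same project builds unchanged in both modes; only the settings file passed to `-s` differs, which is what lets a developer reproduce the CI resolution locally before committing.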

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@maven.apache.org
For additional commands, e-mail: users-help@maven.apache.org