Posted to issues@maven.apache.org by "Kacper Wojciechowski (Jira)" <ji...@apache.org> on 2021/05/25 09:10:00 UTC

[jira] [Commented] (MNG-6887) Provide a Github Action to check the validity of the Maven Wrapper

    [ https://issues.apache.org/jira/browse/MNG-6887?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17350928#comment-17350928 ] 

Kacper Wojciechowski commented on MNG-6887:
-------------------------------------------

?

> Provide a Github Action to check the validity of the Maven Wrapper
> ------------------------------------------------------------------
>
>                 Key: MNG-6887
>                 URL: https://issues.apache.org/jira/browse/MNG-6887
>             Project: Maven
>          Issue Type: New Feature
>          Components: General
>            Reporter: Fred Bricon
>            Priority: Major
>
> The Gradle project provides a "Gradle Wrapper Validation" [Github Action|https://github.com/marketplace/actions/gradle-wrapper-validation]
> {quote}This action validates the checksums of [Gradle Wrapper|https://docs.gradle.org/current/userguide/gradle_wrapper.html] JAR files present in the source tree and fails if unknown Gradle Wrapper JAR files are found.
> ...
> A fairly simple social engineering supply chain attack against open source would be to contribute a helpful “Updated to Gradle xxx” PR that contains malicious code hidden inside this binary JAR. A malicious {{gradle-wrapper.jar}} could execute, download, or install arbitrary code while otherwise behaving like a completely normal {{gradle-wrapper.jar}}.
> {quote}
> Since the Maven wrapper is coming to the mothership, it'd make sense for the Maven Project to provide a similar Github action, and advertise it in the official doc, similar to [Gradle|#automatically_verifying_the_gradle_wrapper_jar_on_github].
> Forking [https://github.com/gradle/wrapper-validation-action] to adapt it to the Maven wrapper should be fairly straightforward.
> Although anybody could provide such Github action, I feel it being provided by the Maven Project itself would make it much more legitimate.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
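The check the issue asks for, as an added example that is not part of the Jira thread, the Gradle action, or any Maven Project code: walk a source tree, hash every wrapper JAR found, and fail when a digest is not on an allowlist. The allowlist itself, the `.mvn/wrapper/` layout and the file name `maven-wrapper.jar` are assumptions; real known-good checksums would have to come from the wrapper's published releases.

```python
import hashlib
from pathlib import Path

# File names treated as wrapper JARs. "gradle-wrapper.jar" is named in the
# issue; "maven-wrapper.jar" is an assumption about the Maven wrapper layout.
WRAPPER_JAR_NAMES = {"maven-wrapper.jar", "gradle-wrapper.jar"}


def sha256_of(path):
    """Hex SHA-256 of a file, read in chunks so large JARs do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_wrapper_jars(root):
    """Every file under root whose name matches a wrapper JAR, sorted for stable output."""
    return sorted(p for p in Path(root).rglob("*")
                  if p.is_file() and p.name in WRAPPER_JAR_NAMES)


def validate_wrapper_jars(root, known_checksums):
    """Compare each wrapper JAR under root with an allowlist of hex SHA-256 digests.

    known_checksums maps digest -> label (for example the wrapper version).
    Returns a list of (path, digest, label); label is None for a JAR whose
    digest is unknown, which is exactly the case a PR reviewer cannot spot by
    eye and the case the action must turn into a failed build.
    """
    results = []
    for jar in find_wrapper_jars(root):
        digest = sha256_of(jar)
        results.append((str(jar), digest, known_checksums.get(digest)))
    return results


def check_passes(results):
    """True only when every wrapper JAR that was found matched a known digest."""
    return all(label is not None for _, _, label in results)


if __name__ == "__main__":
    import sys
    # Constructed, empty allowlist: any wrapper JAR in the current tree fails.
    report = validate_wrapper_jars(".", {})
    for path, digest, label in report:
        print(f"{path}  {digest}  {label or 'UNKNOWN'}")
    sys.exit(0 if check_passes(report) else 1)
```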