CYB3R-G0D / Canvass-app

Draw and take notes anywhere on your device.
GNU General Public License v3.0

Create Gradle Wrapper Validation workflow #5

Closed russellbanks closed 2 years ago

russellbanks commented 2 years ago

This pull request creates a Gradle wrapper validation workflow. It validates the checksums of Gradle Wrapper JAR files present in the source tree and fails if unknown Gradle Wrapper JAR files are found.

It ensures that the Gradle JAR has not been tampered with, for example, by a pull request.

Searching across GitHub you can find many pull requests (PRs) with helpful titles like 'Update to Gradle xxx'. Many of these PRs are contributed by individuals outside of the organization maintaining the project.

Many maintainers are incredibly grateful for these kinds of contributions as it takes an item off of their backlog. We assume that most maintainers do not consider the security implications of accepting the Gradle Wrapper binary from external contributors. There is a certain amount of blind trust open source maintainers have. Further compounding the issue is that maintainers are most often greeted in these PRs with a diff to the gradle-wrapper.jar.
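As an added illustration of the check the PR description talks about (this is example code written for this page, not the workflow from the PR or any code from the Canvass-app project), the script below walks a source tree, hashes every `gradle-wrapper.jar` it finds and reports any whose SHA-256 is not in an allowlist. The real workflow compares against the checksums Gradle publishes for each wrapper release; here the allowlist and the two "jar" files are constructed stand-ins built in a temporary directory so the script runs offline. The helper names (`validate_wrapper_jars`, `build_demo_tree`, `run_demo`) are this example's own and are not from the page.

```python
import hashlib
import tempfile
from pathlib import Path

WRAPPER_JAR_NAME = "gradle-wrapper.jar"


def sha256_of_file(path):
    """Stream the file through SHA-256 so large jars do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_wrapper_jars(root):
    """Every gradle-wrapper.jar anywhere under root (assumption: the name is the
    marker; a renamed wrapper jar would be missed by this simple check)."""
    root = Path(root)
    return sorted(p for p in root.rglob("*.jar") if p.name == WRAPPER_JAR_NAME)


def validate_wrapper_jars(root, known_checksums):
    """Return a list of (relative path, sha256, status); status is 'ok' when the
    digest is in the allowlist and 'unknown' otherwise."""
    root = Path(root)
    results = []
    for jar in find_wrapper_jars(root):
        digest = sha256_of_file(jar)
        status = "ok" if digest in known_checksums else "unknown"
        results.append((str(jar.relative_to(root)), digest, status))
    return results


def unknown_jars(results):
    """Filter validation results down to the jars that would fail the workflow."""
    return [r for r in results if r[2] == "unknown"]


def build_demo_tree():
    """Constructed sample tree: one 'good' wrapper jar and one tampered copy in a
    subproject. The bytes are placeholders, not real jar content, and the
    allowlist is derived from the good bytes rather than from Gradle's real list."""
    tmp = tempfile.mkdtemp()
    good = b"PK\x03\x04 constructed gradle-wrapper.jar stand-in"
    bad = b"PK\x03\x04 constructed gradle-wrapper.jar stand-in with extra payload"
    good_path = Path(tmp, "gradle", "wrapper", WRAPPER_JAR_NAME)
    bad_path = Path(tmp, "subproject", "gradle", "wrapper", WRAPPER_JAR_NAME)
    for path, data in ((good_path, good), (bad_path, bad)):
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)
    known = {hashlib.sha256(good).hexdigest()}
    return tmp, known


def run_demo():
    """Validate the constructed tree; returns (all results, unknown results)."""
    root, known = build_demo_tree()
    results = validate_wrapper_jars(root, known)
    return results, unknown_jars(results)


if __name__ == "__main__":
    all_results, bad = run_demo()
    for path, digest, status in all_results:
        print(f"{status:8} {digest[:16]}...  {path}")
    # Fail the build (non-zero exit) when any wrapper jar is not on the allowlist,
    # which is the behaviour the PR description attributes to the workflow.
    raise SystemExit(1 if bad else 0)
```

The point of the exit code is that a reviewer never has to eyeball a binary diff: a PR that swaps in a modified `gradle-wrapper.jar` fails the check before anyone merges it. In a real pipeline the allowlist comes from Gradle's published checksums rather than from the constructed set used here.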

CYB3R-G0D commented 2 years ago

Thanks again @russellbanks :+1: