autonomousapps / dependency-analysis-gradle-plugin

Gradle plugin for JVM projects written in Java, Kotlin, Groovy, or Scala; and Android projects written in Java or Kotlin. Provides advice for managing dependencies and other applied plugins
Apache License 2.0

[Security] Repository is vulnerable to MavenGate #1121

Open Nek-12 opened 5 months ago

Nek-12 commented 5 months ago

https://blog.oversecured.com/Introducing-MavenGate-a-supply-chain-attack-method-for-Java-and-Android-applications/

Gradle task

./gradlew --write-verification-metadata pgp,sha256 --export-keys
<component group="com.autonomousapps.dependency-analysis" name="com.autonomousapps.dependency-analysis.gradle.plugin" version="1.28.0">
   <artifact name="com.autonomousapps.dependency-analysis.gradle.plugin-1.28.0.pom">
      <sha256 value="9946abe7d073df5e1153143fab26ca7d4677f44f0152704d0875aaadd9266479" origin="Generated by Gradle" reason="Artifact is not signed"/>
   </artifact>
</component>

did not find a pgp public key in a remote repository or the artifact is not signed. A fix is to:

  1. Start signing all artifacts, if not signed yet
  2. Upload a public pgp key used for signing artifacts to multiple public pgp repositories: https://keys.openpgp.org | https://pgp.mit.edu | https://keyserver.ubuntu.com/

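
Added example, not code from the issue or the plugin: a Python check over the gradle/verification-metadata.xml that the command above writes, listing every artifact Gradle could only pin by a self-generated checksum instead of a PGP signature (the exposure the MavenGate post describes). The sample metadata is constructed; the signed component and its key id are placeholders.

```python
"""List Gradle artifacts that were recorded without PGP verification."""
import xml.etree.ElementTree as ET

# Constructed sample in the shape Gradle writes; the second component is a placeholder.
SAMPLE_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<verification-metadata xmlns="https://schema.gradle.org/dependency-verification">
   <configuration>
      <verify-metadata>true</verify-metadata>
      <verify-signatures>true</verify-signatures>
   </configuration>
   <components>
      <component group="com.autonomousapps.dependency-analysis" name="com.autonomousapps.dependency-analysis.gradle.plugin" version="1.28.0">
         <artifact name="com.autonomousapps.dependency-analysis.gradle.plugin-1.28.0.pom">
            <sha256 value="9946abe7d073df5e1153143fab26ca7d4677f44f0152704d0875aaadd9266479" origin="Generated by Gradle" reason="Artifact is not signed"/>
         </artifact>
      </component>
      <component group="com.example" name="signed-lib" version="2.0.0">
         <artifact name="signed-lib-2.0.0.jar">
            <pgp value="0000000000000000000000000000000000000000"/>
         </artifact>
      </component>
   </components>
</verification-metadata>
"""


def unverified_artifacts(xml_text):
    """Return (coordinates, artifact name, reason) for artifacts with no <pgp> entry."""
    root = ET.fromstring(xml_text)
    # '{*}' matches any namespace, so a bare <component> snippet (as pasted in the
    # issue, with no namespace and no <components> wrapper) is handled too.
    comps = list(root.iterfind(".//{*}component"))
    if root.tag.split("}")[-1] == "component":
        comps.insert(0, root)
    findings = []
    for comp in comps:
        coords = "{}:{}:{}".format(comp.get("group"), comp.get("name"), comp.get("version"))
        for art in comp.findall("{*}artifact"):
            if art.find("{*}pgp") is not None:
                continue  # Gradle verified a signature against a trusted key
            # Only a checksum Gradle generated itself: this pins whatever the repository
            # served at that moment and proves nothing about who published it.
            reasons = [c.get("reason", "unspecified") for c in art
                       if c.get("origin") == "Generated by Gradle"]
            findings.append((coords, art.get("name"), "; ".join(reasons) or "no pgp entry"))
    return findings


if __name__ == "__main__":
    for coords, name, why in unverified_artifacts(SAMPLE_METADATA):
        print("UNVERIFIED {} ({}): {}".format(coords, name, why))
```

Run it against your project's gradle/verification-metadata.xml after the write command above; anything it lists is a dependency whose publisher key Gradle never checked.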
autonomousapps commented 4 months ago

All artifacts are signed. I believe the PGP key is only uploaded to a single public repository though. My recollection (this is from years ago) is that it's the keyserver.ubuntu.com repo though, so I'm a little confused.

Nek-12 commented 4 months ago

Gradle does not use Ubuntu keyserver by default, so multiple have to be used.