braintree / braintree-android-drop-in

Braintree Drop-In SDK for Android
https://developers.braintreepayments.com/guides/drop-in/android/v2
MIT License

Gradle wrapper jar not recognized by Gradle Wrapper Validation Action #458


helloncode commented 8 months ago

Braintree SDK Version

6.14.0

Environment

Production

Android Version & Device

No response

Braintree dependencies

None

Describe the bug

Security Vulnerability Report: gradle-wrapper.jar SHA256 Mismatch

Description:

We are currently maintaining a fork of this repository. Upon integrating a gradle wrapper validation action into our Continuous Integration (CI) process, we discovered an inconsistency with the gradle-wrapper.jar file present in this project. The SHA256 checksum of the gradle-wrapper.jar file does not match the official checksum provided on the Gradle website. This discrepancy raises concerns regarding the integrity and security of the Gradle wrapper used in this project, potentially exposing it to security risks.

To reproduce

Add uses: gradle/wrapper-validation-action@v2 to your GHA workflow in order to check the Gradle wrapper

Expected behavior

uses: gradle/wrapper-validation-action@v2 shouldn't fail

Screenshots

No response
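The check the reporter describes, as an added example (not code from the issue or from the Braintree project): a POSIX shell script that verifies every gradle-wrapper.jar in a checkout against a list of trusted SHA-256 digests, the same comparison gradle/wrapper-validation-action@v2 performs in CI. It assumes the trusted list is a local file with one hex digest per line, populated from Gradle's published wrapper checksums (the wrapperChecksumUrl entries in https://services.gradle.org/versions/all); the function and file names are my own.

```shell
#!/bin/sh
# Print the SHA-256 hex digest of a file (sha256sum on Linux, shasum on macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_wrapper_jar JAR KNOWN_CHECKSUMS
#   JAR             path to a gradle/wrapper/gradle-wrapper.jar
#   KNOWN_CHECKSUMS text file, one trusted SHA-256 hex digest per line
#                   (assumed to come from Gradle's published wrapper checksums)
# Returns 0 when the jar's digest is in the trusted list, 1 otherwise.
verify_wrapper_jar() {
    jar="$1"
    known="$2"
    [ -f "$jar" ] || { echo "missing jar: $jar" >&2; return 1; }
    actual=$(sha256_of "$jar" | tr 'A-F' 'a-f')
    # Whole-line, case-insensitive match: a prefix or substring match would
    # let a digest that merely starts with a known value slip through.
    if tr 'A-F' 'a-f' < "$known" | grep -qx "$actual"; then
        echo "OK   $jar $actual"
        return 0
    fi
    echo "FAIL $jar $actual is not a published Gradle wrapper checksum" >&2
    return 1
}

# verify_all_wrapper_jars ROOT KNOWN_CHECKSUMS
# A repository can carry several wrapper jars (root project plus sample apps),
# so every one of them is checked; the function fails if any jar fails.
verify_all_wrapper_jars() {
    root="$1"
    known="$2"
    find "$root" -type f -name 'gradle-wrapper.jar' -print | (
        status=0
        while IFS= read -r jar; do
            verify_wrapper_jar "$jar" "$known" || status=1
        done
        exit "$status"
    )
}
```

A non-zero exit from verify_all_wrapper_jars is the local equivalent of the CI failure the reporter saw; the fix in either case is to regenerate the jar with a trusted Gradle distribution rather than to add its digest to the list.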

sshropshire commented 8 months ago

Hey @helloncode thanks for this. We put up a PR to update the wrapper jar and add the validation action to our CI.