janbarari / gradle-analytics-plugin

A free Gradle plugin to analyze your project builds. It provides unique visual and text metrics in HTML format.
MIT License

[Security] Repository is vulnerable to MavenGate #132

Open Nek-12 opened 9 months ago

Nek-12 commented 9 months ago

https://blog.oversecured.com/Introducing-MavenGate-a-supply-chain-attack-method-for-Java-and-Android-applications/

Gradle task `./gradlew --write-verification-metadata pgp,sha256 --export-keys` did not find a pgp public key in a remote repository or the artifact is not signed.

```xml
<component group="io.github.janbarari" name="gradle-analytics-plugin" version="1.0.1">
   <artifact name="gradle-analytics-plugin-1.0.1.jar">
      <sha256 value="575a4e9840a37b2f1e28f5521a22ab0ab49bc065812581fbb58782927d58f0d5" origin="Generated by Gradle" reason="Artifact is not signed"/>
   </artifact>
   <artifact name="gradle-analytics-plugin-1.0.1.module">
      <sha256 value="9e34907bdab80dcd1f0f4b749ae1212b809ad3d51cdd68d835d065966d9e552e" origin="Generated by Gradle" reason="Artifact is not signed"/>
   </artifact>
</component>
<component group="io.github.janbarari.gradle-analytics-plugin" name="io.github.janbarari.gradle-analytics-plugin.gradle.plugin" version="1.0.1">
   <artifact name="io.github.janbarari.gradle-analytics-plugin.gradle.plugin-1.0.1.pom">
      <sha256 value="9ba3b269269a230037096ba0244fe299d1e579bcf7124282c76d8f1e4d88dc75" origin="Generated by Gradle" reason="Artifact is not signed"/>
   </artifact>
</component>
```

A fix is to:

  1. Start signing all artifacts, if not signed yet
  2. Upload a public pgp key used for signing artifacts to multiple public pgp repositories: https://keys.openpgp.org | https://pgp.mit.edu | https://keyserver.ubuntu.com/