Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[SECURITY] Use HTTPS to resolve dependencies in Maven Build #100

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

JLLeitschuh
Copy link

@JLLeitschuh JLLeitschuh commented Jul 1, 2022

{"message":"Validation Failed","errors":[{"resource":"PullRequest","code":"custom","message":"A pull request already exists for JLLeitschuh:fix/JLL/use_https_to_resolve_dependencies_maven."}],"documentation_url":"https://docs.github.com/rest/reference/pulls#create-a-pull-request"}

@JLLeitschuh JLLeitschuh force-pushed the fix/JLL/use_https_to_resolve_dependencies_maven branch 2 times, most recently from ca44710 to 87960d6 Compare July 5, 2022 21:47
This fixes a security vulnerability in this project where the `pom.xml`
files were configuring Maven to resolve dependencies over HTTP instead of
HTTPS.

Weakness: CWE-829: Inclusion of Functionality from Untrusted Control Sphere
Severity: High
CVSSS: 8.1
Detection: CodeQL & OpenRewrite (https://public.moderne.io/recipes/org.openrewrite.maven.security.UseHttpsForRepositories)

Reported-by: Jonathan Leitschuh <Jonathan.Leitschuh@gmail.com>
Signed-off-by: Jonathan Leitschuh <Jonathan.Leitschuh@gmail.com>

Bug-tracker: JLLeitschuh/security-research#8

Co-authored-by: Moderne <team@moderne.io>
@JLLeitschuh JLLeitschuh force-pushed the fix/JLL/use_https_to_resolve_dependencies_maven branch from 87960d6 to 1111002 Compare July 8, 2022 18:15
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

1 participant