Project: Aurora
Issue: AURORA-1997

Consider using checksum-dependency-plugin for dependency verification


Details

    • Type: Story
    • Status: Closed
    • Priority: Trivial
    • Resolution: Later
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: Build, Scheduler, Security

    Description

      checksum-dependency-plugin [1] is a superset of gradle-witness, and it raises the level of security.

      Key features:

      • Gradle plugins can be verified (gradle-witness doesn't track plugins)
      • All Gradle configurations are supported (e.g. the `java-library` plugin is supported). `checksum-dependency-plugin` intercepts detached configurations as well (e.g. the ones that are created on demand)
      • PGP can be used for verification, with or without a checksum. PGP makes it possible to detect and prevent issues like https://blog.autsoft.hu/a-confusing-dependency/

      checksum-dependency-plugin aims to provide insulation against MITM attacks on Maven dependency downloads.
      It is trivial to integrate, and it is not that hard to maintain (e.g. the checksum.xml could be updated automatically).

      [1] https://github.com/vlsi/vlsi-release-plugins/tree/master/plugins/checksum-dependency-plugin
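As an added example (not the plugin's own code, and not its real checksum.xml schema), a small Python verifier showing the fail-closed check the proposal relies on: every resolved artifact must be pinned, and its bytes must match the pinned SHA-512. The manifest format, coordinates and artifact bytes below are constructed for illustration.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET


def sha512_hex(data: bytes) -> str:
    return hashlib.sha512(data).hexdigest()


# Constructed artifact bytes standing in for downloaded jars.
LIB_A = b"lib-a-1.0 jar contents (constructed)"
LIB_B = b"lib-b-2.1 jar contents (constructed)"

# Constructed pin manifest in a simplified, hypothetical format; this is NOT
# the plugin's real checksum.xml schema, only the idea of one pin per artifact.
MANIFEST = f"""<dependency-verification>
  <dependency group="org.example" module="lib-a" version="1.0"><sha512>{sha512_hex(LIB_A)}</sha512></dependency>
  <dependency group="org.example" module="lib-b" version="2.1"><sha512>{sha512_hex(LIB_B)}</sha512></dependency>
</dependency-verification>"""

# What the build actually resolved (constructed): lib-b was altered in
# transit and lib-c is a transitive dependency that nobody pinned.
RESOLVED = {
    "org.example:lib-a:1.0": LIB_A,
    "org.example:lib-b:2.1": LIB_B + b"\x00extra bytes",
    "org.example:lib-c:0.1": b"transitive dependency never pinned",
}


def load_pins(manifest_xml: str) -> dict:
    # Map group:module:version -> expected lowercase sha512 hex.
    pins = {}
    for dep in ET.fromstring(manifest_xml).iter("dependency"):
        coords = f'{dep.get("group")}:{dep.get("module")}:{dep.get("version")}'
        pins[coords] = dep.findtext("sha512", "").strip().lower()
    return pins


def verify(manifest_xml: str, resolved: dict) -> dict:
    # One status per resolved artifact; anything other than "ok" must fail the build.
    pins = load_pins(manifest_xml)
    report = {}
    for coords, data in resolved.items():
        expected = pins.get(coords)
        if expected is None:
            report[coords] = "unlisted"  # fail closed: unpinned artifacts are rejected
        elif hmac.compare_digest(sha512_hex(data), expected):
            report[coords] = "ok"
        else:
            report[coords] = "mismatch"  # bytes differ from the pinned checksum
    return report


def build_allowed(report: dict) -> bool:
    return bool(report) and all(status == "ok" for status in report.values())
```

Treating "unlisted" as a failure is what makes the check catch a newly introduced transitive dependency rather than silently accepting it.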


      People

        Assignee: Unassigned
        Reporter: Vladimir Sitnikov (vladimirsitnikov)
        Votes: 0
        Watchers: 2
