Maven / MNG-6887

Provide a GitHub Action to check the validity of the Maven Wrapper

Details

• Type: New Feature
• Status: Open
• Priority: Major
• Resolution: Unresolved
• Affects Version/s: None
• Fix Version/s: None
• Component/s: General
• Labels: None

Description

The Gradle project provides a "Gradle Wrapper Validation" GitHub Action:

    This action validates the checksums of Gradle Wrapper JAR files present in the source tree and fails if unknown Gradle Wrapper JAR files are found.

    ...

    A fairly simple social engineering supply chain attack against open source would be to contribute a helpful "Updated to Gradle xxx" PR that contains malicious code hidden inside this binary JAR. A malicious gradle-wrapper.jar could execute, download, or install arbitrary code while otherwise behaving like a completely normal gradle-wrapper.jar.

Since the Maven wrapper is coming to the mothership, it'd make sense for the Maven Project to provide a similar GitHub Action, and to advertise it in the official docs, as Gradle does.

Forking https://github.com/gradle/wrapper-validation-action to adapt it to the Maven wrapper should be fairly straightforward.

Although anybody could provide such a GitHub Action, I feel that having it provided by the Maven Project itself would make it much more legitimate.

People

• Assignee: Unassigned
• Reporter: fbricon (Fred Bricon)
• Votes: 1
• Watchers: 5