Maven / MNG-6887

MNG-6887: Provide a GitHub Action to check the validity of the Maven Wrapper


Details

    • Type: New Feature
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: General
    • Labels: None

    Description

      The Gradle project provides a "Gradle Wrapper Validation" GitHub Action:

      This action validates the checksums of Gradle Wrapper JAR files present in the source tree and fails if unknown Gradle Wrapper JAR files are found.

      ...

      A fairly simple social engineering supply chain attack against open source would be to contribute a helpful “Updated to Gradle xxx” PR that contains malicious code hidden inside this binary JAR. A malicious gradle-wrapper.jar could execute, download, or install arbitrary code while otherwise behaving like a completely normal gradle-wrapper.jar.

      Since the Maven wrapper is coming to the mothership, it'd make sense for the Maven Project to provide a similar GitHub Action, and advertise it in the official docs, similar to Gradle.

      Forking https://github.com/gradle/wrapper-validation-action to adapt it to the Maven wrapper should be fairly straightforward.

      Although anybody could provide such a GitHub Action, I feel that having it provided by the Maven Project itself would make it much more legitimate.
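      The core of such a check, adapted to the Maven wrapper, as an added example (not the Maven Project's code and not the Gradle action's): it walks a source tree for wrapper JARs, hashes each with SHA-256 and reports every JAR whose digest is not in a caller-supplied set of trusted release digests. The `.mvn/wrapper/maven-wrapper.jar` layout is assumed, and the sample JAR bytes and trusted digests are constructed for the demo.

```python
"""Checksum check for Maven Wrapper JARs, in the spirit of gradle/wrapper-validation-action.
Added example, not the Maven Project's code. Assumes the wrapper JAR is named
maven-wrapper.jar under .mvn/wrapper/ and that the caller supplies trusted SHA-256
digests of released wrapper JARs (the sample digests below are constructed)."""
import hashlib
import tempfile
from pathlib import Path

WRAPPER_NAME = "maven-wrapper.jar"  # assumed file name of the Maven wrapper JAR


def sha256_of(path: Path) -> str:
    """Stream the file so a large JAR is never read into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def find_wrapper_jars(root: Path) -> list[Path]:
    """Every wrapper JAR anywhere in the tree; multi-module repos may carry several."""
    return sorted(p for p in root.rglob(WRAPPER_NAME) if p.is_file())


def unknown_wrappers(root: Path, trusted_sha256: set[str]) -> list[tuple[Path, str]]:
    """(path, digest) for each wrapper JAR whose digest is not trusted.
    An empty list means the check passes; a CI step should fail on anything else,
    since a JAR that is not a known release is exactly what the check exists to catch."""
    trusted = {d.lower() for d in trusted_sha256}
    return [(p, d) for p in find_wrapper_jars(root)
            if (d := sha256_of(p)) not in trusted]


def demo() -> list[tuple[Path, str]]:
    """Constructed repository: the root wrapper is trusted, a module's wrapper is not."""
    root = Path(tempfile.mkdtemp())
    good = root / ".mvn" / "wrapper" / WRAPPER_NAME
    bad = root / "module-b" / ".mvn" / "wrapper" / WRAPPER_NAME
    for path, body in ((good, b"PK\x03\x04 constructed release jar"),
                       (bad, b"PK\x03\x04 constructed tampered jar")):
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(body)
    trusted = {sha256_of(good)}  # constructed stand-in for published release digests
    return unknown_wrappers(root, trusted)


if __name__ == "__main__":
    findings = demo()
    for path, digest in findings:
        print(f"UNKNOWN WRAPPER {path} sha256={digest}")
    raise SystemExit(1 if findings else 0)
```

      In a real workflow the trusted set would be populated from the digests of published Maven wrapper releases rather than from files in the tree, and the step would fail the build on a non-empty result.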

      People

        Assignee: Unassigned
        Reporter: Fred Bricon (fbricon)
        Votes: 4
        Watchers: 8