Maven Wrapper / MWRAPPER-75

Allow for sha256 checksum verification of downloaded artifacts.


Details

    Description

      Maven Wrapper is downloading binary artifacts that are later executed. To prevent an attack in which a vulnerable repository could distribute malicious Maven (wrapper) artifacts, the downloaded artifacts should be verified against a secure checksum. If the expected checksum does not match, execution could be aborted before the potentially compromised artifact is executed.

      In my PR, I chose SHA-256 as it is cheaper to compute than SHA-512 but still impossible to replicate with a corrupted binary.
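The download-then-verify-then-execute flow the issue asks for, as an added POSIX shell example; this is not the Maven Wrapper project's own code, and the function names `sha256_of`, `verify_sha256` and the `--demo` flag are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not Maven Wrapper project code): check a downloaded
# artifact's SHA-256 against an expected digest before it is executed.

# Print the SHA-256 hex digest of a file using whichever tool is present
# (sha256sum on most Linux systems, shasum on macOS/BSD).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  elif command -v shasum >/dev/null 2>&1; then
    shasum -a 256 "$1" | awk '{print $1}'
  else
    echo "no sha256sum or shasum available; cannot verify download" >&2
    return 2
  fi
}

# verify_sha256 FILE EXPECTED_HEX
# Returns 0 on match, 1 on mismatch, 2 when no hashing tool exists.
# A mismatch is reported but the caller decides how to abort.
verify_sha256() {
  file=$1
  # Normalise to lowercase so a digest pasted in uppercase still compares.
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  actual=$(sha256_of "$file") || return 2
  if [ "$actual" != "$expected" ]; then
    echo "ERROR: SHA-256 mismatch for $file" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   $actual" >&2
    return 1
  fi
  return 0
}

# Demo when run with --demo: a constructed empty file is checked against
# the well-known SHA-256 of empty input, then a tampered file is rejected
# and deleted so it can never be executed.
if [ "${1:-}" = "--demo" ]; then
  tmp=$(mktemp -d)
  : > "$tmp/good.jar"
  verify_sha256 "$tmp/good.jar" \
    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 \
    && echo "good.jar: checksum OK, safe to execute"
  printf 'tampered' > "$tmp/bad.jar"
  verify_sha256 "$tmp/bad.jar" \
    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 \
    || { rm -f "$tmp/bad.jar"; echo "bad.jar: rejected and removed"; }
  rm -rf "$tmp"
fi
```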


            People

              sjaranowski Slawomir Jaranowski
              raphw Rafael Winterhalter