
[Security] Repository is vulnerable to MavenGate

Open Nek-12 opened this issue 1 year ago • 2 comments

https://blog.oversecured.com/Introducing-MavenGate-a-supply-chain-attack-method-for-Java-and-Android-applications/

Gradle task

./gradlew --write-verification-metadata pgp,sha256 --export-keys
<component group="com.autonomousapps.dependency-analysis" name="com.autonomousapps.dependency-analysis.gradle.plugin" version="1.28.0">
   <artifact name="com.autonomousapps.dependency-analysis.gradle.plugin-1.28.0.pom">
      <sha256 value="9946abe7d073df5e1153143fab26ca7d4677f44f0152704d0875aaadd9266479" origin="Generated by Gradle" reason="Artifact is not signed"/>
   </artifact>
</component>

did not find a pgp public key in a remote repository or the artifact is not signed. A fix is to:

  1. Start signing all artifacts, if not signed yet
  2. Upload a public pgp key used for signing artifacts to multiple public pgp repositories: https://keys.openpgp.org | https://pgp.mit.edu | https://keyserver.ubuntu.com/

Nek-12 avatar Feb 02 '24 06:02 Nek-12

All artifacts are signed. I believe the PGP key is only uploaded to a single public repository though. My recollection (this is from years ago) is that it's the keyserver.ubuntu.com repo though, so I'm a little confused.

autonomousapps avatar Feb 22 '24 20:02 autonomousapps

Gradle does not use Ubuntu keyserver by default, so multiple have to be used.

Nek-12 avatar Feb 24 '24 21:02 Nek-12