
[FR]: Gradle Repository Potential Security and Reproducibility Risk

Open SeanZoR opened this issue 1 year ago • 0 comments

Is there an existing issue for this?

  • [x] I have searched the existing issues

Describe the problem

The current root settings.gradle.kts setup poses a potential security and reproducibility risk due to the unrestricted access to repositories. The order of repository declarations matters as Gradle resolves dependencies in the order listed, leading to unintended artifacts being included if not properly managed.

Example Case: The com.jraska.module.graph.assertion artifact is found in gradlePluginPortal() but not in mavenCentral(). Without proper filtering, new artifacts in mavenCentral() could unintentionally break or alter the build.

Current Configuration:

pluginManagement {
    repositories {
        google()
        mavenCentral()
        gradlePluginPortal()
    }
}

Describe the solution

Implement content filtering to restrict the scope of artifacts from each repository.

Additional context

No response

Code of Conduct

  • [X] I agree to follow this project's Code of Conduct

SeanZoR, Jul 25 '24 15:07
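One way to apply the content filtering the issue asks for, shown here as an added example rather than the project's own settings.gradle.kts. The Google group patterns, the `com.jraska` prefix for the plugin's implementation artifact, and the `dependencyResolutionManagement` block are assumptions; check the plugin's published coordinates before pinning a group.

```kotlin
// settings.gradle.kts (added example, not the project's configuration)
pluginManagement {
    repositories {
        // google(): only serve groups Google actually publishes, so an
        // artifact with a matching name elsewhere is never picked up here.
        google {
            content {
                includeGroupByRegex("com\\.android.*")   // assumed pattern
                includeGroupByRegex("com\\.google.*")    // assumed pattern
                includeGroupByRegex("androidx.*")        // assumed pattern
            }
        }
        // mavenCentral() is listed before gradlePluginPortal(), so a later
        // upload of the plugin's group to Central would otherwise shadow the
        // Portal copy. Excluding the group here pins it to the Portal.
        mavenCentral {
            content {
                // Plugin marker group quoted in the issue.
                excludeGroup("com.jraska.module.graph.assertion")
                // ASSUMPTION: the implementation artifact shares this prefix.
                excludeGroupByRegex("com\\.jraska.*")
            }
        }
        // Remaining plugin artifacts resolve from the Plugin Portal only.
        gradlePluginPortal()
    }
}

// Same idea for project dependencies; FAIL_ON_PROJECT_REPOS stops any
// module from quietly adding an unfiltered repository of its own.
dependencyResolutionManagement {
    repositoriesMode.set(RepositoriesMode.FAIL_ON_PROJECT_REPOS)
    repositories {
        google {
            content {
                includeGroupByRegex("com\\.android.*")   // assumed pattern
                includeGroupByRegex("com\\.google.*")    // assumed pattern
                includeGroupByRegex("androidx.*")        // assumed pattern
            }
        }
        mavenCentral()
    }
}
```

To confirm where each plugin now comes from, run `./gradlew --refresh-dependencies buildEnvironment` and check that the `com.jraska.module.graph.assertion` marker still resolves; a group that no repository is allowed to serve fails the build rather than falling back silently.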