
Gradle wrapper jar not recognized by Gradle Wrapper Validation Action

Open helloncode opened this issue 1 year ago • 1 comments

Braintree SDK Version

6.14.0

Environment

Production

Android Version & Device

No response

Braintree dependencies

None

Describe the bug

Security Vulnerability Report: gradle-wrapper.jar SHA256 Mismatch

Description:

We are currently maintaining a fork of this repository. Upon integrating a gradle wrapper validation action into our Continuous Integration (CI) process, we discovered an inconsistency with the gradle-wrapper.jar file present in this project. The SHA256 checksum of the gradle-wrapper.jar file does not match the official checksum provided on the Gradle website. This discrepancy raises concerns regarding the integrity and security of the Gradle wrapper used in this project, potentially exposing it to security risks.

To reproduce

Add uses: gradle/wrapper-validation-action@v2 to your gha workflow in order to check gradle wrapper

Expected behavior

uses: gradle/wrapper-validation-action@v2 shouldn't fail

Screenshots

No response

helloncode, Feb 05 '24 16:02

Hey @helloncode thanks for this. We put up a PR to update the wrapper jar and add the validation action to our CI.

sshropshire, Feb 05 '24 19:02
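
Added example, not part of the original issue and not code from Braintree or Gradle: a local version of the checksum comparison the issue describes, which hashes every gradle-wrapper.jar under a repository and reports any whose SHA-256 is not in a caller-supplied allowlist. The function names and the demo's jar contents are constructed; real allowlist entries would be the checksums Gradle publishes for its releases.

```python
import hashlib
import tempfile
from pathlib import Path

WRAPPER_NAME = "gradle-wrapper.jar"


def sha256_of(path: Path) -> str:
    """Stream the file so large jars are not read into memory at once."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_unrecognized_wrappers(repo_root: Path, allowed: set[str]) -> list[tuple[str, str]]:
    """Return (relative path, sha256) for every wrapper jar not in `allowed`."""
    # Published checksums may differ in case or carry whitespace; normalize them.
    allowed_norm = {c.strip().lower() for c in allowed}
    bad = []
    # A repository can hold several wrappers (sample apps, nested builds).
    for jar in sorted(repo_root.rglob(WRAPPER_NAME)):
        if not jar.is_file():
            continue
        checksum = sha256_of(jar)
        if checksum not in allowed_norm:
            bad.append((jar.relative_to(repo_root).as_posix(), checksum))
    return bad


def demo() -> list[tuple[str, str]]:
    """Constructed repo: one jar matching the allowlist, one modified jar."""
    official = b"constructed stand-in for an official wrapper jar"
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for sub, data in (("app", official), ("fork", official + b"\x00")):
            wrapper_dir = root / sub / "gradle" / "wrapper"
            wrapper_dir.mkdir(parents=True)
            (wrapper_dir / WRAPPER_NAME).write_bytes(data)
        # Constructed allowlist: only the unmodified jar's checksum is trusted.
        allowed = {hashlib.sha256(official).hexdigest().upper()}
        return find_unrecognized_wrappers(root, allowed)


if __name__ == "__main__":
    for rel_path, checksum in demo():
        print(f"UNRECOGNIZED {rel_path} sha256={checksum}")
```

In CI, a non-empty result from `find_unrecognized_wrappers` should fail the build before any Gradle task runs the jar.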