cruise-control
The dependency gradle-wrapper.jar has a number of security flaws as identified by a VeraCode static scan
Dear All,
If you run a Veracode static security scan against the latest release (tag: 2.5.133), you will see that there are a number of flaws identified due to 'gradle-wrapper.jar'.
The following flaws have been identified:
- 1 HIGH severity flaw. Type: CWE-327: Use of a Broken or Risky Cryptographic Algorithm - http://cwe.mitre.org/data/definitions/327.html
  From the scan report, this is the filename identified:
  PathAssembler.java
  Here is the specific location identified where the flaw exists:
  gradle-wrapper.jar | org/.../wrapper/PathAssembler.java 64
- 12 MEDIUM severity flaws. Type: CWE-73: External Control of File Name or Path - http://cwe.mitre.org/data/definitions/73.html
  From the scan report, these are the filenames identified:
  ExclusiveFileAccessManager.java, GradleUserHomeLookup.java, GradleWrapperMain.java, Install.java, PathAssembler.java, WrapperExecutor.java
  Here are the specific locations identified where the flaws exist:
  gradle-wrapper.jar | .../ExclusiveFileAccessManager.java 39
  gradle-wrapper.jar | .../GradleUserHomeLookup.java 29
  gradle-wrapper.jar | .../GradleUserHomeLookup.java 32
  gradle-wrapper.jar | .../GradleUserHomeLookup.java 34
  gradle-wrapper.jar | org/.../GradleWrapperMain.java 102
  gradle-wrapper.jar | org/.../wrapper/Install.java 50
  gradle-wrapper.jar | org/.../wrapper/Install.java 65
  gradle-wrapper.jar | org/.../wrapper/Install.java 246
  gradle-wrapper.jar | org/.../wrapper/Install.java 250
  gradle-wrapper.jar | org/.../wrapper/PathAssembler.java 42
  gradle-wrapper.jar | org/.../wrapper/PathAssembler.java 43
  gradle-wrapper.jar | org/.../WrapperExecutor.java 70
I would appreciate it if someone could fix the security flaws (especially the HIGH severity one) reported by the Veracode static scan and release a patched version at the earliest. Thanks in advance. Cheers!
Best Regards, Rohit Soman