artem-smotrakov opened a new pull request #266: URL: https://github.com/apache/httpcomponents-client/pull/266
HTTP is a plaintext protocol, which means that someone may be able to eavesdrop on the data. To prevent this, HTTPS should be used whenever possible. An HTTP link in a README or a comment in code may not be harmful. Sometimes it may lead to a bit more serious issues. See for example https://medium.com/bugbountywriteup/want-to-take-over-the-java-ecosystem-all-you-need-is-a-mitm-1fc329d898fb .

Although Apache HttpClient doesn't seem to use HTTP URLs to repositories in its pom.xml files, the `org.apache:apache:13` parent pom.xml file has at least one: https://svn.apache.org/viewvc/maven/pom/tags/apache-13/pom.xml?view=markup#l56

Maintaining `https://` in all URLs may be difficult. The `nohttp` tool can help here. The tool scans all the files in a repository and reports where `http://` is used.

This pull request proposes the following:

- Added `nohttp` (via the `checkstyle` plugin) into the build process.
- Suppressed findings as a baseline. Without the suppression list, the tool reports ~1600 issues. Most of them are `http://www.apache.org/licenses/LICENSE-2.0` in the licence headers.

If you think it makes sense to use `nohttp` in the project, and if you think that some suppressed findings may be fixed, I can update the changeset accordingly (fixing all of them would result in a patch that touches ~1600 files).

Here is some info about the tool:

- https://github.com/spring-io/nohttp
- https://spring.io/blog/2019/06/10/announcing-nohttp

P.S. Who do you think I can contact about replacing the `http://` link in https://svn.apache.org/viewvc/maven/pom/tags/apache-13/pom.xml?view=markup#l56 ?

----------------------------------------------------------------
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at: [email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
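To illustrate the kind of scan the pull request describes, here is an added example that is not the `nohttp` tool or the project's own code: a small Python scanner that reports `http://` URLs found in text files, treating the Apache licence header URL and loopback hosts as an allowlisted baseline. The `pom.xml`-like sample input is constructed for the example.

```python
import re
from pathlib import Path

# Plain-text http:// URLs that are accepted as a baseline: the Apache licence
# header URL (the bulk of the PR's ~1600 findings) and loopback hosts, which are
# a common local-development exception. Everything else is reported.
ALLOWLIST = (
    re.compile(r"^http://www\.apache\.org/licenses/LICENSE-2\.0$"),
    re.compile(r"^http://(localhost|127\.0\.0\.1)(:\d+)?(/|$)"),
)

# Matches http:// (not https://) up to whitespace or a delimiter such as quotes or tags.
URL_RE = re.compile(r"http://[^\s\"'<>)\]]+")


def is_allowed(url: str) -> bool:
    return any(p.match(url) for p in ALLOWLIST)


def scan_text(text: str, name: str = "<text>") -> list:
    """Return (name, line_no, url) tuples for every non-allowlisted http:// URL."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in URL_RE.finditer(line):
            url = m.group(0).rstrip(".,;")  # drop trailing sentence punctuation
            if not is_allowed(url):
                findings.append((name, line_no, url))
    return findings


def scan_tree(root: Path, suffixes=(".xml", ".java", ".md", ".properties")) -> list:
    """Scan a directory tree; used for real repositories, not exercised by the sample."""
    findings = []
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix in suffixes:
            text = path.read_text(encoding="utf-8", errors="replace")
            findings.extend(scan_text(text, str(path.relative_to(root))))
    return findings


# Constructed sample: a licence header, one plaintext repository URL, an https URL
# and a loopback URL. Only the repository URL should be reported.
SAMPLE = """\
<!-- Licensed under the Apache License, Version 2.0 (the "License");
     http://www.apache.org/licenses/LICENSE-2.0 -->
<repository>
  <url>http://repo.example.invalid/maven2</url>
</repository>
<url>https://hc.apache.org/</url>
<url>http://localhost:8080/test</url>
"""

if __name__ == "__main__":
    for name, line_no, url in scan_text(SAMPLE, "pom.xml"):
        print(f"{name}:{line_no}: {url}")  # prints pom.xml:4: http://repo.example.invalid/maven2
```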
