[
https://issues.apache.org/jira/browse/MNG-6887?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17769751#comment-17769751
]
Slawomir Jaranowski commented on MNG-6887:
------------------------------------------
We have a wrapper type {{only-script}} where no binary is needed - it is only
a shell/cmd script in the distribution.
I would like to consider removing the binary distribution altogether.
> Provide a Github Action to check the validity of the Maven Wrapper
> ------------------------------------------------------------------
>
> Key: MNG-6887
> URL: https://issues.apache.org/jira/browse/MNG-6887
> Project: Maven
> Issue Type: New Feature
> Components: General
> Reporter: Fred Bricon
> Priority: Major
>
> The Gradle project provides a "Gradle Wrapper Validation" [Github
> Action|https://github.com/marketplace/actions/gradle-wrapper-validation]
> {quote}This action validates the checksums of [Gradle
> Wrapper|https://docs.gradle.org/current/userguide/gradle_wrapper.html] JAR
> files present in the source tree and fails if unknown Gradle Wrapper JAR
> files are found.
> ...
> A fairly simple social engineering supply chain attack against open source
> would be to contribute a helpful “Updated to Gradle xxx” PR that contains
> malicious code hidden inside this binary JAR. A malicious
> {{gradle-wrapper.jar}} could execute, download, or install arbitrary code
> while otherwise behaving like a completely normal {{gradle-wrapper.jar}}.
> {quote}
> Since the Maven wrapper is coming to the mothership, it'd make sense for the
> Maven Project to provide a similar Github action, and advertise about it in
> the official doc, similar to
> [Gradle|#automatically_verifying_the_gradle_wrapper_jar_on_github].
> Forking [https://github.com/gradle/wrapper-validation-action] to adapt it to
> the Maven wrapper should be fairly straightforward.
> Although anybody could provide such Github action, I feel it being provided
> by the Maven Project itself would make it much more legitimate.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
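The check the quoted Gradle action performs (hash every wrapper JAR in the source tree, fail if any digest is not on a trusted list) is small enough to show as a plain POSIX shell script, which is what a CI step would run. The following is an added example, not code from the Jira issue, the Maven project, or the Gradle action. It assumes the trusted digests live in a one-digest-per-line file (a real list would be published by the Maven project; here it is generated from a constructed fixture), and it looks for files named `maven-wrapper.jar`, the name the Maven wrapper distribution uses.

```shell
#!/bin/sh
# Added example (not from MNG-6887 or the Maven project): validate wrapper JARs
# by SHA-256 against a trusted-digest file, failing on any unknown JAR.

# digest FILE: print the hex SHA-256 of FILE, using whichever tool is present.
digest() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# validate_wrapper_jars ROOT TRUSTED_FILE
#   Walk ROOT for files named maven-wrapper.jar, hash each one, and return 0
#   only if every digest appears in TRUSTED_FILE (one hex digest per line).
#   Unknown JARs are reported on stderr, mirroring a CI step that should fail
#   the build when a wrapper binary was swapped in a pull request.
validate_wrapper_jars() {
  root="$1"; trusted="$2"; bad=0
  old_ifs=$IFS; IFS='
'
  for jar in $(find "$root" -type f -name 'maven-wrapper.jar'); do
    sum=$(digest "$jar")
    if grep -qx "$sum" "$trusted"; then
      echo "ok      $jar $sum"
    else
      echo "UNKNOWN $jar $sum" >&2
      bad=$((bad + 1))
    fi
  done
  IFS=$old_ifs
  [ "$bad" -eq 0 ]
}

# make_fixture: build a constructed source tree with one "trusted" and one
# "tampered" stand-in JAR (plain text files; the check only cares about bytes)
# and a trusted-digest file derived from the trusted one. Prints the directory.
make_fixture() {
  dir=$(mktemp -d)
  mkdir -p "$dir/good/.mvn/wrapper" "$dir/evil/.mvn/wrapper"
  printf 'constructed stand-in for a trusted wrapper jar\n' \
    > "$dir/good/.mvn/wrapper/maven-wrapper.jar"
  printf 'constructed stand-in for a tampered wrapper jar\n' \
    > "$dir/evil/.mvn/wrapper/maven-wrapper.jar"
  digest "$dir/good/.mvn/wrapper/maven-wrapper.jar" > "$dir/trusted.txt"
  echo "$dir"
}

# Demo on the constructed fixture; set WRAPPER_CHECK_DEMO=0 to skip it.
if [ "${WRAPPER_CHECK_DEMO:-1}" = "1" ]; then
  fixture=$(make_fixture)
  validate_wrapper_jars "$fixture/good" "$fixture/trusted.txt" && echo "good tree: passed"
  validate_wrapper_jars "$fixture/evil" "$fixture/trusted.txt" || echo "evil tree: rejected"
  rm -rf "$fixture"
fi
```

In a real workflow the trusted-digest file is the part that matters: it has to come from the project that publishes the wrapper, not from the pull request being checked, otherwise a contributor can update both the JAR and the list in one change. An `only-script` wrapper, as the comment above suggests, sidesteps the problem entirely because there is no binary to verify.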