Branch: refs/heads/master
  Home:   https://github.com/jenkinsci/android-signing-plugin
  Commit: ca6c9a9f17f2d9614d96b47b690c56cf531a23f5
      
https://github.com/jenkinsci/android-signing-plugin/commit/ca6c9a9f17f2d9614d96b47b690c56cf531a23f5
  Author: Jonathan Leitschuh <jonathan.leitsc...@gmail.com>
  Date:   2023-12-16 (Sat, 16 Dec 2023)

  Changed paths:
    M pom.xml

  Log Message:
  -----------
  vuln-fix: Use HTTPS instead of HTTP to resolve deps CVE-2021-26291


This fixes a security vulnerability in this project where the `pom.xml`
files were configuring Maven to resolve dependencies over HTTP instead of
HTTPS.

Weakness: CWE-829: Inclusion of Functionality from Untrusted Control Sphere
Severity: High
CVSS: 8.1
Detection: CodeQL & OpenRewrite 
(https://app.moderne.io/recipes/org.openrewrite.maven.security.UseHttpsForRepositories)

Reported-by: Jonathan Leitschuh <jonathan.leitsc...@gmail.com>
Signed-off-by: Jonathan Leitschuh <jonathan.leitsc...@gmail.com>

Bug-tracker: https://github.com/JLLeitschuh/security-research/issues/8
Detection: CodeQL 
(https://codeql.github.com/codeql-query-help/java/java-maven-non-https-url/) & 
OpenRewrite 
(https://app.moderne.io/recipes/org.openrewrite.maven.security.UseHttpsForRepositories)

Reported-by: Jonathan Leitschuh <jonathan.leitsc...@gmail.com>
Signed-off-by: Jonathan Leitschuh <jonathan.leitsc...@gmail.com>

Bug-tracker: https://github.com/JLLeitschuh/security-research/issues/8


Use this link to re-run the recipe: 
https://app.moderne.io/recipes/builder/IfHkrYfxx?organizationId=QWxsIEdpdEh1Yg%3D%3D

Co-authored-by: Moderne <t...@moderne.io>


  Commit: 041e6386500324b3f660603aa5690219e44d22f8
      
https://github.com/jenkinsci/android-signing-plugin/commit/041e6386500324b3f660603aa5690219e44d22f8
  Author: Robert St. John <restj...@users.noreply.github.com>
  Date:   2023-12-16 (Sat, 16 Dec 2023)

  Changed paths:
    M pom.xml

  Log Message:
  -----------
  Merge pull request #4 from 
BulkSecurityGeneratorProjectV2/fix/JLL/use_https_to_resolve_dependencies_maven

[SECURITY] Use HTTPS to resolve dependencies in Maven Build


Compare: 
https://github.com/jenkinsci/android-signing-plugin/compare/d2a41c210f9c...041e63865003
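The misconfiguration this push fixes, as an added example: a small Python checker that walks a `pom.xml` for `<repository>`, `<pluginRepository>` and `<snapshotRepository>` entries whose `<url>` is served over plain `http://` and rewrites them to `https://`. This is illustration code, not the plugin's own `pom.xml` (the diff is not shown in this notification) and not the CodeQL query or OpenRewrite recipe the commit message references. The embedded POM, its repository id and URL are constructed for the demo.

```python
"""Find and fix Maven repositories resolved over plain HTTP in a pom.xml.

Added example; not code from the android-signing-plugin, CodeQL or OpenRewrite.
"""
import xml.etree.ElementTree as ET

POM_NS = "http://maven.apache.org/POM/4.0.0"

# POM elements whose <url> child tells Maven where to fetch artifacts from.
# (<distributionManagement> reuses <repository>/<snapshotRepository>, so they
# are covered by the same walk.)
REPO_TAGS = ("repository", "pluginRepository", "snapshotRepository")

# Constructed sample pom.xml for the demo (hypothetical coordinates).  The
# <repository> entry is the weak configuration: artifacts would be fetched
# over HTTP, so an on-path attacker could hand back substituted jars (CWE-829).
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>org.example</groupId>
  <artifactId>example-plugin</artifactId>
  <version>1.0</version>
  <repositories>
    <repository>
      <id>repo.jenkins-ci.org</id>
      <url>http://repo.jenkins-ci.org/public/</url>
    </repository>
  </repositories>
  <pluginRepositories>
    <pluginRepository>
      <id>repo.jenkins-ci.org</id>
      <url>https://repo.jenkins-ci.org/public/</url>
    </pluginRepository>
  </pluginRepositories>
</project>
"""


def _local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on namespaced tags."""
    return tag.rsplit("}", 1)[-1]


def _iter_repo_urls(root):
    """Yield (repository element, its <url> element) pairs, namespace-agnostic."""
    for elem in root.iter():
        if _local(elem.tag) in REPO_TAGS:
            for child in elem:
                if _local(child.tag) == "url" and child.text:
                    yield elem, child


def find_http_repositories(pom_xml):
    """Return [(element name, repository id, url)] for every http:// repository."""
    root = ET.fromstring(pom_xml)
    findings = []
    for repo, url in _iter_repo_urls(root):
        value = url.text.strip()
        if value.lower().startswith("http://"):
            repo_id = next((c.text for c in repo if _local(c.tag) == "id"), None)
            findings.append((_local(repo.tag), repo_id, value))
    return findings


def use_https_for_repositories(pom_xml):
    """Rewrite http:// repository URLs to https://; return (new xml, count changed)."""
    # Keep the default POM namespace on output instead of an ns0: prefix.
    ET.register_namespace("", POM_NS)
    root = ET.fromstring(pom_xml)
    changed = 0
    for _, url in _iter_repo_urls(root):
        value = url.text.strip()
        if value.lower().startswith("http://"):
            url.text = "https://" + value[len("http://"):]
            changed += 1
    return ET.tostring(root, encoding="unicode"), changed


if __name__ == "__main__":
    for kind, repo_id, url in find_http_repositories(SAMPLE_POM):
        print(f"insecure {kind} id={repo_id!r}: {url}")
    fixed_xml, count = use_https_for_repositories(SAMPLE_POM)
    print(f"rewrote {count} repository URL(s)")
    print(fixed_xml)
```

Two caveats when applying this to a real project: the same check belongs on `~/.m2/settings.xml` (mirrors and profile repositories override the POM) and on any parent POM the build inherits from, since a clean child `pom.xml` does not help if the parent still points at an HTTP repository. Also note that Maven 3.8.1 and later ship a default mirror that blocks external `http://` repositories outright, so a build that still resolves over HTTP is either pinned to an old Maven or has that blocker disabled; treat either as a finding.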

-- 
You received this message because you are subscribed to the Google Groups 
"Jenkins Commits" group.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/jenkinsci-commits/jenkinsci/android-signing-plugin/push/refs/heads/master/d2a41c-041e63%40github.com.
