Branch: refs/heads/master Home: https://github.com/jenkinsci/android-signing-plugin Commit: ca6c9a9f17f2d9614d96b47b690c56cf531a23f5 https://github.com/jenkinsci/android-signing-plugin/commit/ca6c9a9f17f2d9614d96b47b690c56cf531a23f5 Author: Jonathan Leitschuh <jonathan.leitsc...@gmail.com> Date: 2023-12-16 (Sat, 16 Dec 2023)
Changed paths: M pom.xml Log Message: ----------- vuln-fix: Use HTTPS instead of HTTP to resolve deps CVE-2021-26291 This fixes a security vulnerability in this project where the `pom.xml` files were configuring Maven to resolve dependencies over HTTP instead of HTTPS. Weakness: CWE-829: Inclusion of Functionality from Untrusted Control Sphere Severity: High CVSS: 8.1 Detection: CodeQL & OpenRewrite (https://app.moderne.io/recipes/org.openrewrite.maven.security.UseHttpsForRepositories) Reported-by: Jonathan Leitschuh <jonathan.leitsc...@gmail.com> Signed-off-by: Jonathan Leitschuh <jonathan.leitsc...@gmail.com> Bug-tracker: https://github.com/JLLeitschuh/security-research/issues/8 Detection: CodeQL (https://codeql.github.com/codeql-query-help/java/java-maven-non-https-url/) & OpenRewrite (https://app.moderne.io/recipes/org.openrewrite.maven.security.UseHttpsForRepositories) Reported-by: Jonathan Leitschuh <jonathan.leitsc...@gmail.com> Signed-off-by: Jonathan Leitschuh <jonathan.leitsc...@gmail.com> Bug-tracker: https://github.com/JLLeitschuh/security-research/issues/8 Use this link to re-run the recipe: https://app.moderne.io/recipes/builder/IfHkrYfxx?organizationId=QWxsIEdpdEh1Yg%3D%3D Co-authored-by: Moderne <t...@moderne.io> Commit: 041e6386500324b3f660603aa5690219e44d22f8 https://github.com/jenkinsci/android-signing-plugin/commit/041e6386500324b3f660603aa5690219e44d22f8 Author: Robert St. John <restj...@users.noreply.github.com> Date: 2023-12-16 (Sat, 16 Dec 2023) Changed paths: M pom.xml Log Message: ----------- Merge pull request #4 from BulkSecurityGeneratorProjectV2/fix/JLL/use_https_to_resolve_dependencies_maven [SECURITY] Use HTTPS to resolve dependencies in Maven Build Compare: https://github.com/jenkinsci/android-signing-plugin/compare/d2a41c210f9c...041e63865003 -- You received this message because you are subscribed to the Google Groups "Jenkins Commits" group. To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-commits+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-commits/jenkinsci/android-signing-plugin/push/refs/heads/master/d2a41c-041e63%40github.com.