Skip to content

[SECURITY] Use HTTPS to resolve dependencies in Maven Build#100

Open
JLLeitschuh wants to merge 1 commit intovoodoodyne:masterfrom
JLLeitschuh:fix/JLL/use_https_to_resolve_dependencies_maven
Open

[SECURITY] Use HTTPS to resolve dependencies in Maven Build#100
JLLeitschuh wants to merge 1 commit intovoodoodyne:masterfrom
JLLeitschuh:fix/JLL/use_https_to_resolve_dependencies_maven

Conversation

@JLLeitschuh
Copy link

@JLLeitschuh JLLeitschuh commented Jul 1, 2022

{"message":"Validation Failed","errors":[{"resource":"PullRequest","code":"custom","message":"A pull request already exists for JLLeitschuh:fix/JLL/use_https_to_resolve_dependencies_maven."}],"documentation_url":"https://docs.github.com/rest/reference/pulls#create-a-pull-request"}

@JLLeitschuh JLLeitschuh force-pushed the fix/JLL/use_https_to_resolve_dependencies_maven branch 2 times, most recently from ca44710 to 87960d6 Compare July 5, 2022 21:47
This fixes a security vulnerability in this project where the `pom.xml`
files were configuring Maven to resolve dependencies over HTTP instead of
HTTPS.

Weakness: CWE-829: Inclusion of Functionality from Untrusted Control Sphere
Severity: High
CVSSS: 8.1
Detection: CodeQL & OpenRewrite (https://public.moderne.io/recipes/org.openrewrite.maven.security.UseHttpsForRepositories)

Reported-by: Jonathan Leitschuh <Jonathan.Leitschuh@gmail.com>
Signed-off-by: Jonathan Leitschuh <Jonathan.Leitschuh@gmail.com>

Bug-tracker: JLLeitschuh/security-research#8

Co-authored-by: Moderne <team@moderne.io>
@JLLeitschuh JLLeitschuh force-pushed the fix/JLL/use_https_to_resolve_dependencies_maven branch from 87960d6 to 1111002 Compare July 8, 2022 18:15
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant