This repository has been archived by the owner on Sep 25, 2023. It is now read-only.

[SECURITY] Use HTTPS to resolve dependencies in Maven Build #1

Open
wants to merge 1 commit into trunk from fix/JLL/use_https_to_resolve_dependencies_maven

Conversation

JLLeitschuh

@JLLeitschuh JLLeitschuh commented Jul 1, 2022

{"message":"Validation Failed","errors":[{"resource":"PullRequest","code":"custom","message":"A pull request already exists for JLLeitschuh:fix/JLL/use_https_to_resolve_dependencies_maven."}],"documentation_url":"https://docs.github.com/rest/reference/pulls#create-a-pull-request"}

@JLLeitschuh JLLeitschuh force-pushed the fix/JLL/use_https_to_resolve_dependencies_maven branch 2 times, most recently from 61f6b76 to e24900e Compare July 6, 2022 00:20
This fixes a security vulnerability in this project where the `pom.xml`
files were configuring Maven to resolve dependencies over HTTP instead of
HTTPS.

Weakness: CWE-829: Inclusion of Functionality from Untrusted Control Sphere
Severity: High
CVSS: 8.1
Detection: CodeQL & OpenRewrite (https://public.moderne.io/recipes/org.openrewrite.maven.security.UseHttpsForRepositories)

Reported-by: Jonathan Leitschuh <[email protected]>
Signed-off-by: Jonathan Leitschuh <[email protected]>

Bug-tracker: JLLeitschuh/security-research#8

Co-authored-by: Moderne <[email protected]>
@JLLeitschuh JLLeitschuh force-pushed the fix/JLL/use_https_to_resolve_dependencies_maven branch from e24900e to 20e7fda Compare July 8, 2022 18:14
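The misconfiguration this PR fixes, shown as an added example that is not code from the PR, the project, or the linked OpenRewrite recipe: a Python script that scans a pom.xml for `<repository>`, `<pluginRepository>` and `<snapshotRepository>` entries whose `<url>` Maven would fetch over plain HTTP, and rewrites them to HTTPS. Loopback hosts are left alone, since an `http://localhost` repository (a local Nexus or a test fixture) is not exposed to an on-path attacker. The sample POM, its host names, and the function names are all assumptions made for this example.

```python
"""Find and rewrite plain-HTTP Maven repository URLs in a pom.xml.

Added example, not code from the project or from OpenRewrite. The POM
below is constructed for the demonstration; the hosts are not real.
"""
import xml.etree.ElementTree as ET
from typing import List, Tuple
from urllib.parse import urlparse

# The POM schema namespace is an identifier, not something Maven downloads,
# so its http:// scheme is not a finding.
MAVEN_NS = "http://maven.apache.org/POM/4.0.0"
NS = {"m": MAVEN_NS}

# Elements whose <url> child Maven resolves artifacts from (or deploys to).
# Catches <repositories>, <pluginRepositories> and <distributionManagement>.
URL_PARENTS = ("repository", "pluginRepository", "snapshotRepository")

# Assumed allow-list: a loopback repository is not reachable by an
# on-path attacker, so downgrading it is not the CWE-829 condition.
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}

# Constructed sample pom.xml (assumption: no real project uses these hosts).
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>demo</artifactId>
  <version>1.0</version>
  <repositories>
    <repository>
      <id>example-repo</id>
      <url>http://repo.example.com/maven2</url>
    </repository>
    <repository>
      <id>local-test</id>
      <url>http://localhost:8081/repository/maven-public</url>
    </repository>
  </repositories>
  <pluginRepositories>
    <pluginRepository>
      <id>plugins</id>
      <url>http://plugins.example.com/maven2</url>
    </pluginRepository>
  </pluginRepositories>
  <distributionManagement>
    <repository>
      <id>releases</id>
      <url>https://repo.example.com/releases</url>
    </repository>
  </distributionManagement>
</project>
"""


def is_insecure(url: str) -> bool:
    """True for an http:// URL pointing at a non-loopback host."""
    parsed = urlparse(url.strip())
    if parsed.scheme.lower() != "http":
        return False
    host = (parsed.hostname or "").lower()
    return host not in LOOPBACK_HOSTS


def _repository_urls(root: ET.Element):
    """Yield (id text, <url> element) for every fetchable repository."""
    for parent_tag in URL_PARENTS:
        for parent in root.iter("{%s}%s" % (MAVEN_NS, parent_tag)):
            url_el = parent.find("m:url", NS)
            id_el = parent.find("m:id", NS)
            if url_el is None or not url_el.text:
                continue
            repo_id = id_el.text if id_el is not None and id_el.text else "?"
            yield repo_id, url_el


def find_insecure_repositories(pom_xml: str) -> List[Tuple[str, str]]:
    """Return (repository id, url) for each repository resolved over HTTP."""
    root = ET.fromstring(pom_xml)
    return [(repo_id, url_el.text.strip())
            for repo_id, url_el in _repository_urls(root)
            if is_insecure(url_el.text)]


def rewrite_to_https(pom_xml: str) -> Tuple[str, int]:
    """Return (rewritten POM text, number of URLs changed)."""
    ET.register_namespace("", MAVEN_NS)  # keep xmlns= as the default namespace
    root = ET.fromstring(pom_xml)
    changed = 0
    for _, url_el in _repository_urls(root):
        if is_insecure(url_el.text):
            url_el.text = "https://" + url_el.text.strip()[len("http://"):]
            changed += 1
    return ET.tostring(root, encoding="unicode"), changed


if __name__ == "__main__":
    for repo_id, url in find_insecure_repositories(SAMPLE_POM):
        print("insecure repository %s: %s" % (repo_id, url))
    fixed, count = rewrite_to_https(SAMPLE_POM)
    print("rewrote %d URL(s)" % count)
    print(fixed)
```

Two caveats when applying this to a real repository. ElementTree drops comments and re-serialises formatting, so for an actual fix use a source-preserving rewriter such as the OpenRewrite recipe named in the commit message and review the diff. And since Maven 3.8.1 the default settings ship a blocking mirror for external HTTP repositories, so a build that still works with these URLs is either running an older Maven or has that mirror overridden; the POM should be fixed rather than the mirror relaxed.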