Revision history

initial version

Gradle has built-in support for checksum validation on cached artifacts. To enable this feature to prevent dependency chain attacks, you can add the following configuration to your build.gradle file:

configurations.all {
    resolutionStrategy {
        // Re-check changing (snapshot-style) modules on every build instead of caching them
        cacheChangingModulesFor 0, 'seconds'
        eachDependency { DependencyResolveDetails details ->
            // DependencyResolveDetails exposes the originally requested selector and the
            // target selector Gradle will actually resolve (they differ only after a
            // substitution such as useVersion()/useTarget() was applied earlier)
            def requested = details.requested
            def target = details.target

            if (requested.version != target.version) {
                def requestedModule = "${requested.group}:${requested.name}:${requested.version}"
                def targetModule = "${target.group}:${target.name}:${target.version}"
                def message = "Warning: ${requestedModule} was requested but is now resolved as ${targetModule}. This could be a potential security vulnerability."
                logger.warn(message)
                throw new GradleException(message)
            }
        }
    }
}

This configuration ensures that Gradle only caches non-changing modules for 0 seconds, which forces Gradle to always check the remote repository for new modules. Additionally, this configuration checks whether the resolved dependency is the same as the requested dependency by comparing their respective module versions. If a different module version is found during resolution, Gradle raises a warning and fails the build. This feature helps mitigate the likelihood of dependency chain attacks.