Gradle has built-in support for checksum validation on cached artifacts. To enable this feature to prevent dependency chain attacks, you can add the following configuration to your build.gradle file:
configurations.all {
    resolutionStrategy {
        cacheChangingModulesFor 0, 'seconds'
    }
    // eachDependency runs before a version is chosen, so the resolved version is only
    // available from the resolution result once resolution has completed.
    incoming.afterResolve { ResolvableDependencies deps ->
        deps.resolutionResult.allDependencies { DependencyResult result ->
            if (!(result instanceof ResolvedDependencyResult)) return
            def requested = result.requested
            def selected = result.selected.moduleVersion
            // Only module dependencies carry a requested version; project dependencies do not.
            if (requested instanceof ModuleComponentSelector && selected != null
                    && requested.version != selected.version) {
                def requestedModule = "${requested.group}:${requested.module}:${requested.version}"
                def resolvedModule = "${selected.group}:${selected.name}:${selected.version}"
                def message = "Warning: ${requestedModule} was requested but resolved to ${resolvedModule}. This could be a potential security vulnerability."
                logger.warn(message)
                throw new GradleException(message)
            }
        }
    }
}
This configuration ensures that Gradle only caches non-changing modules for 0 seconds, which forces Gradle to always check the remote repository for new modules. Additionally, this configuration checks whether the resolved dependency is the same as the requested dependency by comparing their respective module versions. If a different module version is found during resolution, Gradle raises a warning and fails the build. This feature helps mitigate the likelihood of dependency chain attacks.
Asked: 2021-10-26 11:00:00 +0000
Seen: 14 times
Last updated: Apr 27 '22