Gradle has built-in support for checksum validation on cached artifacts. To enable this feature to prevent dependency chain attacks, you can add the following configuration to your build.gradle file:
    configurations.all {
        resolutionStrategy {
            // Do not reuse cached "changing" modules (e.g. SNAPSHOTs): re-check the remote repository on every build.
            cacheChangingModulesFor 0, 'seconds'
            eachDependency { DependencyResolveDetails details ->
                // DependencyResolveDetails exposes the selector that was requested and the
                // selector the rule chain is currently targeting (it starts out equal to the
                // request and only differs if an earlier rule called useVersion/useTarget).
                def requested = details.requested
                def target = details.target
                if (requested.version != target.version) {
                    def message = "Warning: ${requested.group}:${requested.name} was requested at version " +
                        "${requested.version} and is now resolved to ${target.group}:${target.name}:${target.version}. " +
                        "This could be a potential security vulnerability."
                    logger.warn(message)
                    // Fail the build instead of silently accepting the substituted version.
                    throw new GradleException(message)
                }
            }
        }
    }
This configuration ensures that Gradle only caches non-changing modules for 0 seconds, which forces Gradle to always check the remote repository for new modules. Additionally, this configuration checks whether the resolved dependency is the same as the requested dependency by comparing their respective module versions. If a different module version is found during resolution, Gradle raises a warning and fails the build. This feature helps mitigate the likelihood of dependency chain attacks.
Asked: 2021-10-26 11:00:00 +0000
Seen: 15 times
Last updated: Apr 27 '22