CodeQL documentation

Failure to use HTTPS or SFTP URL in Maven artifact upload/download

ID: java/maven/non-https-url
Kind: problem
Security severity: 8.1
Severity: error
Precision: very-high
Tags:
   - security
   - external/cwe/cwe-300
   - external/cwe/cwe-319
   - external/cwe/cwe-494
   - external/cwe/cwe-829
Query suites:
   - java-code-scanning.qls
   - java-security-extended.qls
   - java-security-and-quality.qls


Using an insecure protocol such as HTTP or FTP to download your dependencies leaves your Maven build vulnerable to a man-in-the-middle (MITM) attack. An attacker who can intercept the connection can inject malicious code into the artifacts you are resolving, and through them infect the build artifacts you produce. This can be used to mount a supply chain attack against your project's users.

This vulnerability has a CVSS v3.1 base score of 8.1/10.

Recommendation

Always use HTTPS or SFTP to download artifacts from artifact servers.

Example

The following two POM files show the locations where artifact repository upload/download is configured: <distributionManagement>, <repositories> and <pluginRepositories>. The first uses HTTP, the second uses HTTPS.

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">

    <modelVersion>4.0.0</modelVersion>

    <groupId>com.semmle</groupId>
    <artifactId>parent</artifactId>
    <version>1.0</version>
    <packaging>pom</packaging>

    <name>Security Testing</name>
    <description>An example of insecure download and upload of dependencies</description>

    <distributionManagement>
        <repository>
            <id>insecure-releases</id>
            <name>Insecure Repository Releases</name>
            <!-- BAD! Use HTTPS -->
            <url>http://insecure-repository.example</url>
        </repository>
        <snapshotRepository>
            <id>insecure-snapshots</id>
            <name>Insecure Repository Snapshots</name>
            <!-- BAD! Use HTTPS -->
            <url>http://insecure-repository.example</url>
        </snapshotRepository>
    </distributionManagement>
    <repositories>
        <repository>
            <id>insecure</id>
            <name>Insecure Repository</name>
            <!-- BAD! Use HTTPS -->
            <url>http://insecure-repository.example</url>
        </repository>
    </repositories>
    <pluginRepositories>
        <pluginRepository>
            <id>insecure-plugins</id>
            <name>Insecure Repository Releases</name>
            <!-- BAD! Use HTTPS -->
            <url>http://insecure-repository.example</url>
        </pluginRepository>
    </pluginRepositories>
</project>

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">

    <modelVersion>4.0.0</modelVersion>

    <groupId>com.semmle</groupId>
    <artifactId>parent</artifactId>
    <version>1.0</version>
    <packaging>pom</packaging>

    <name>Security Testing</name>
    <description>An example of secure download and upload of dependencies</description>

    <distributionManagement>
        <repository>
            <id>insecure-releases</id>
            <name>Secure Repository Releases</name>
            <!-- GOOD! Use HTTPS -->
            <url>https://insecure-repository.example</url>
        </repository>
        <snapshotRepository>
            <id>insecure-snapshots</id>
            <name>Secure Repository Snapshots</name>
            <!-- GOOD! Use HTTPS -->
            <url>https://insecure-repository.example</url>
        </snapshotRepository>
    </distributionManagement>
    <repositories>
        <repository>
            <id>insecure</id>
            <name>Secure Repository</name>
            <!-- GOOD! Use HTTPS -->
            <url>https://insecure-repository.example</url>
        </repository>
    </repositories>
    <pluginRepositories>
        <pluginRepository>
            <id>insecure-plugins</id>
            <name>Secure Repository Releases</name>
            <!-- GOOD! Use HTTPS -->
            <url>https://insecure-repository.example</url>
        </pluginRepository>
    </pluginRepositories>
</project>
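As an added example (not part of the CodeQL query or its documentation), the script below performs the same kind of check on a POM file outside of code scanning: it walks the <repositories>, <pluginRepositories> and <distributionManagement> elements shown above and reports every <url> whose scheme is the cleartext http or ftp. It also reports URLs that are set from a Maven property, since their scheme cannot be determined from the POM alone. The sample POM embedded in it is constructed for the example; the helper and function names are the example's own.

```python
"""Flag Maven POM repository URLs that use a cleartext scheme (http:// or ftp://).

Added example, not part of the CodeQL query or the CodeQL documentation.
It covers the same POM elements the query documentation lists:
<repositories>, <pluginRepositories> and <distributionManagement>.
"""
import sys
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Schemes the documentation calls out as insecure for artifact transfer.
CLEARTEXT_SCHEMES = {"http", "ftp"}

# (container, repository element) pairs whose <url> child points at an artifact server.
REPOSITORY_PATHS = [
    ("repositories", "repository"),
    ("pluginRepositories", "pluginRepository"),
    ("distributionManagement", "repository"),
    ("distributionManagement", "snapshotRepository"),
]


def _local_name(tag):
    """Drop the '{namespace}' prefix ElementTree adds to namespaced tags."""
    return tag.split("}", 1)[1] if "}" in tag else tag


def _children(element, local_name):
    """Yield direct children with the given local tag name, namespace or not."""
    for child in element:
        if _local_name(child.tag) == local_name:
            yield child


def _walk(element, parts):
    """Descend along a list of local tag names, yielding every matching element."""
    if not parts:
        yield element
        return
    for child in _children(element, parts[0]):
        yield from _walk(child, parts[1:])


def _text(element, local_name, default=""):
    child = next(_children(element, local_name), None)
    return (child.text or "").strip() if child is not None else default


def find_insecure_repository_urls(pom_xml):
    """Return (path, repository id, url, reason) tuples for every suspicious <url>.

    Takes the POM as a string. Tags are matched by local name, so the check works
    whether or not the POM declares the Maven namespace.
    """
    root = ET.fromstring(pom_xml)
    findings = []
    for parts in REPOSITORY_PATHS:
        for repo in _walk(root, list(parts)):
            url = _text(repo, "url")
            if not url:
                continue
            repo_id = _text(repo, "id", default="(no id)")
            path = "/".join(parts)
            if url.startswith("${"):
                # Property-interpolated URL: the scheme is decided at build time.
                findings.append((path, repo_id, url,
                                 "scheme set by property; verify the resolved value"))
                continue
            scheme = urlsplit(url).scheme.lower()
            if scheme in CLEARTEXT_SCHEMES:
                findings.append((path, repo_id, url, f"cleartext scheme '{scheme}'"))
    return findings


# Constructed sample POM (not from the page) mixing secure and insecure entries.
SAMPLE_POM = """<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
    <modelVersion>4.0.0</modelVersion>
    <groupId>example</groupId>
    <artifactId>parent</artifactId>
    <version>1.0</version>
    <distributionManagement>
        <repository>
            <id>releases</id>
            <url>http://repo.example.test/releases</url>
        </repository>
        <snapshotRepository>
            <id>snapshots</id>
            <url>https://repo.example.test/snapshots</url>
        </snapshotRepository>
    </distributionManagement>
    <repositories>
        <repository>
            <id>legacy-ftp</id>
            <url>ftp://ftp.example.test/maven2</url>
        </repository>
        <repository>
            <id>from-property</id>
            <url>${internal.repo.url}</url>
        </repository>
    </repositories>
    <pluginRepositories>
        <pluginRepository>
            <id>plugins</id>
            <url>sftp://repo.example.test/plugins</url>
        </pluginRepository>
    </pluginRepositories>
</project>
"""


if __name__ == "__main__":
    # Usage: python check_pom.py [pom.xml]; with no argument the sample POM is checked.
    pom = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_POM
    for path, repo_id, url, reason in find_insecure_repository_urls(pom):
        print(f"{path} [{repo_id}] {url}: {reason}")
```

On the sample POM this reports the http release repository, the ftp repository and the property-based URL, and accepts the https and sftp entries. Note that a POM can also inherit repositories from a parent POM and that settings.xml mirrors can redirect them, so the effective URL used by a build is not always the one written in the module's own POM; since Maven 3.8.1 the default settings additionally block external http:// repositories through the maven-default-http-blocker mirror, which makes a build fail rather than fetch over cleartext.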
