Failure to use HTTPS or SFTP URL in Maven artifact upload/download
ID: java/maven/non-https-url
Kind: problem
Security severity: 8.1
Severity: error
Precision: very-high
Tags:
- security
- external/cwe/cwe-300
- external/cwe/cwe-319
- external/cwe/cwe-494
- external/cwe/cwe-829
Query suites:
- java-code-scanning.qls
- java-security-extended.qls
- java-security-and-quality.qls
Downloading dependencies over an insecure protocol such as HTTP or FTP leaves your Maven build open to a man-in-the-middle (MITM) attack. An attacker on the network path can tamper with the artifacts being resolved, inject malicious code into them, and so infect the build artifacts your project produces. Since those artifacts are then shipped to others, this is a route to a supply chain attack on your project's users.
This vulnerability has a CVSS v3.1 base score of 8.1/10.
Recommendation
Always use HTTPS or SFTP URLs when downloading artifacts from, or deploying artifacts to, an artifact server. Maven 3.8.1 and later ship a default `maven-default-http-blocker` mirror in `settings.xml` that blocks external HTTP repositories, but builds that run on older Maven versions, or that use a customized `settings.xml`, still follow whatever URLs the POM declares, so the POM itself should not contain cleartext repository URLs.
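A quick way to audit a tree of POM files for this problem before code scanning runs is a small checker that walks the Maven POM namespace and reports every repository `<url>` whose scheme is `http` or `ftp`. The script below is an added example, not code from the CodeQL query or its documentation; the element names it looks at (`repository`, `snapshotRepository`, `pluginRepository`) are the ones used in the examples on this page, the `SAMPLE_POM` document is constructed for the demonstration, and `find_insecure_repository_urls` / `scan_pom_files` are names chosen here.

```python
"""Report Maven repository URLs that use a cleartext scheme (http:// or ftp://).

Added example: a stand-alone checker in the spirit of java/maven/non-https-url.
It is not the CodeQL query and does not try to reproduce it exactly; it only
inspects <url> elements directly under the repository-declaring elements.
"""
import sys
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

POM_NS = "http://maven.apache.org/POM/4.0.0"
INSECURE_SCHEMES = {"http", "ftp"}
# Elements that declare an artifact repository endpoint. <repository> and
# <snapshotRepository> under <distributionManagement> are deploy targets;
# <repository> under <repositories> and <pluginRepository> are download sources.
REPOSITORY_TAGS = {"repository", "snapshotRepository", "pluginRepository"}


def _local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on namespaced tags."""
    return tag.rsplit("}", 1)[-1]


def find_insecure_repository_urls(pom_xml):
    """Return (element_path, url) for each repository URL using http:// or ftp://.

    `pom_xml` is the POM document as str or bytes. The element path is the
    namespace-free ancestor chain, e.g. 'project/repositories/repository'.
    Property placeholders such as ${repo.url} have no scheme and are not reported.
    """
    root = ET.fromstring(pom_xml)
    findings = []

    def walk(elem, path):
        name = _local(elem.tag)
        here = f"{path}/{name}" if path else name
        if name in REPOSITORY_TAGS:
            # Prefer the namespaced <url>; fall back for POMs written without xmlns.
            url_elem = elem.find(f"{{{POM_NS}}}url")
            if url_elem is None:
                url_elem = elem.find("url")
            if url_elem is not None and url_elem.text:
                url = url_elem.text.strip()
                if urlparse(url).scheme.lower() in INSECURE_SCHEMES:
                    findings.append((here, url))
        for child in elem:
            walk(child, here)

    walk(root, "")
    return findings


def scan_pom_files(paths):
    """Scan each POM path; return a list of (path, element_path, url) findings."""
    results = []
    for path in paths:
        with open(path, "rb") as fh:
            for elem_path, url in find_insecure_repository_urls(fh.read()):
                results.append((path, elem_path, url))
    return results


# Constructed sample (not a real project): an FTP deploy target, an HTTP
# download repository, and a correctly configured HTTPS plugin repository.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId>
  <artifactId>demo</artifactId>
  <version>1.0</version>
  <distributionManagement>
    <repository>
      <id>releases</id>
      <url>ftp://deploy.example/releases</url>
    </repository>
  </distributionManagement>
  <repositories>
    <repository>
      <id>insecure</id>
      <url>http://insecure-repository.example</url>
    </repository>
  </repositories>
  <pluginRepositories>
    <pluginRepository>
      <id>plugins</id>
      <url>https://secure-repository.example</url>
    </pluginRepository>
  </pluginRepositories>
</project>
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Usage: python check_pom_urls.py pom.xml module/pom.xml ...
        hits = scan_pom_files(sys.argv[1:])
        for path, elem_path, url in hits:
            print(f"{path}: {elem_path} uses cleartext URL {url}")
        sys.exit(1 if hits else 0)
    for elem_path, url in find_insecure_repository_urls(SAMPLE_POM):
        print(f"{elem_path}: {url}")
```

Run it with one or more `pom.xml` paths to get a non-zero exit status when any cleartext repository URL is present, which makes it usable as a pre-commit or CI gate; with no arguments it scans the constructed sample and reports the FTP deploy target and the HTTP download repository, but not the HTTPS plugin repository.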
Example
These examples show the places in a Maven POM file where artifact repositories for upload and download are configured. The first example uses HTTP for every repository; the second uses HTTPS.
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.semmle</groupId>
  <artifactId>parent</artifactId>
  <version>1.0</version>
  <packaging>pom</packaging>
  <name>Security Testing</name>
  <description>An example of insecure download and upload of dependencies</description>
  <distributionManagement>
    <repository>
      <id>insecure-releases</id>
      <name>Insecure Repository Releases</name>
      <!-- BAD! Use HTTPS -->
      <url>http://insecure-repository.example</url>
    </repository>
    <snapshotRepository>
      <id>insecure-snapshots</id>
      <name>Insecure Repository Snapshots</name>
      <!-- BAD! Use HTTPS -->
      <url>http://insecure-repository.example</url>
    </snapshotRepository>
  </distributionManagement>
  <repositories>
    <repository>
      <id>insecure</id>
      <name>Insecure Repository</name>
      <!-- BAD! Use HTTPS -->
      <url>http://insecure-repository.example</url>
    </repository>
  </repositories>
  <pluginRepositories>
    <pluginRepository>
      <id>insecure-plugins</id>
      <name>Insecure Repository Releases</name>
      <!-- BAD! Use HTTPS -->
      <url>http://insecure-repository.example</url>
    </pluginRepository>
  </pluginRepositories>
</project>
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.semmle</groupId>
  <artifactId>parent</artifactId>
  <version>1.0</version>
  <packaging>pom</packaging>
  <name>Security Testing</name>
  <description>An example of secure download and upload of dependencies</description>
  <distributionManagement>
    <repository>
      <id>insecure-releases</id>
      <name>Secure Repository Releases</name>
      <!-- GOOD! Use HTTPS -->
      <url>https://insecure-repository.example</url>
    </repository>
    <snapshotRepository>
      <id>insecure-snapshots</id>
      <name>Secure Repository Snapshots</name>
      <!-- GOOD! Use HTTPS -->
      <url>https://insecure-repository.example</url>
    </snapshotRepository>
  </distributionManagement>
  <repositories>
    <repository>
      <id>insecure</id>
      <name>Secure Repository</name>
      <!-- GOOD! Use HTTPS -->
      <url>https://insecure-repository.example</url>
    </repository>
  </repositories>
  <pluginRepositories>
    <pluginRepository>
      <id>insecure-plugins</id>
      <name>Secure Repository Releases</name>
      <!-- GOOD! Use HTTPS -->
      <url>https://insecure-repository.example</url>
    </pluginRepository>
  </pluginRepositories>
</project>
References
Proof of concept: mveytsman/dilettante
Further Gradle and Maven plugins: Announcing nohttp
Java Ecosystem Announcement: HTTP Decommission Artifact Server Announcement
Common Weakness Enumeration: CWE-300.
Common Weakness Enumeration: CWE-319.
Common Weakness Enumeration: CWE-494.
Common Weakness Enumeration: CWE-829.