[ https://issues.apache.org/jira/browse/MNG-6887?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17350928#comment-17350928 ]
Kacper Wojciechowski commented on MNG-6887:
-------------------------------------------

?

> Provide a Github Action to check the validity of the Maven Wrapper
> ------------------------------------------------------------------
>
>                 Key: MNG-6887
>                 URL: https://issues.apache.org/jira/browse/MNG-6887
>             Project: Maven
>          Issue Type: New Feature
>          Components: General
>            Reporter: Fred Bricon
>            Priority: Major
>
> The Gradle project provides a "Gradle Wrapper Validation" [Github Action|https://github.com/marketplace/actions/gradle-wrapper-validation]
> {quote}This action validates the checksums of [Gradle Wrapper|https://docs.gradle.org/current/userguide/gradle_wrapper.html] JAR files present in the source tree and fails if unknown Gradle Wrapper JAR files are found.
> ...
> A fairly simple social engineering supply chain attack against open source would be to contribute a helpful “Updated to Gradle xxx” PR that contains malicious code hidden inside this binary JAR. A malicious {{gradle-wrapper.jar}} could execute, download, or install arbitrary code while otherwise behaving like a completely normal {{gradle-wrapper.jar}}.
> {quote}
> Since the Maven wrapper is coming to the mothership, it'd make sense for the Maven Project to provide a similar Github action, and advertise it in the official doc, similar to [Gradle|#automatically_verifying_the_gradle_wrapper_jar_on_github].
> Forking [https://github.com/gradle/wrapper-validation-action] to adapt it to the Maven wrapper should be fairly straightforward.
> Although anybody could provide such Github action, I feel it being provided by the Maven Project itself would make it much more legitimate.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
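The check the issue asks for (hash every wrapper JAR committed to the source tree, fail the build if a digest is not on a known-good list) is small enough to show end to end. The script below is an added illustration written for this page; it is not code from the issue, from the Gradle action, or from the Maven project. It assumes the Maven wrapper JAR lives at `.mvn/wrapper/maven-wrapper.jar` (the wrapper's default layout) and, to run offline, it builds a throwaway checkout in a temp directory with one "good" and one "tampered" JAR and uses a constructed allowlist rather than real release checksums. A real action would load the published SHA-256 digests for each wrapper release and walk the actual checkout.

```python
"""Checksum-allowlist check for build-wrapper JARs committed to a source tree.

Walks a checkout, hashes every file named maven-wrapper.jar (or gradle-wrapper.jar)
with SHA-256, and reports any whose digest is not in a known-good allowlist.
The allowlist and the sample tree below are CONSTRUCTED for this demo; a real
check would load the published checksums for each wrapper release.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# File names that carry executable wrapper code and so must be allowlisted.
WRAPPER_JAR_NAMES = {"maven-wrapper.jar", "gradle-wrapper.jar"}


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large JARs are not read into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def find_wrapper_jars(root: Path):
    """Yield every wrapper JAR anywhere under root (sub-modules included), skipping .git."""
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]
        for name in filenames:
            if name in WRAPPER_JAR_NAMES:
                yield Path(dirpath) / name


def validate_wrapper_jars(root: Path, allowlist: set) -> dict:
    """Return {relative posix path: (sha256 hex, is_known)} for every wrapper JAR found."""
    results = {}
    for jar in find_wrapper_jars(root):
        digest = sha256_of(jar)
        results[jar.relative_to(root).as_posix()] = (digest, digest in allowlist)
    return results


def unknown_jars(results: dict) -> list:
    """Paths whose digest is not on the allowlist; a non-empty list means the check fails."""
    return sorted(p for p, (_, ok) in results.items() if not ok)


def build_demo_tree():
    """Constructed sample checkout: one known-good wrapper JAR and one with extra bytes.

    The 'good' bytes stand in for a genuine release JAR; its digest is the only
    allowlisted value. The 'bad' bytes simulate a PR that swapped in a modified JAR.
    """
    root = Path(tempfile.mkdtemp(prefix="wrapper-check-"))
    good = b"PK\x03\x04 constructed stand-in for a known-good maven-wrapper.jar"
    bad = b"PK\x03\x04 constructed stand-in for a maven-wrapper.jar with an added payload"
    (root / ".mvn" / "wrapper").mkdir(parents=True)
    (root / ".mvn" / "wrapper" / "maven-wrapper.jar").write_bytes(good)
    (root / "submodule" / ".mvn" / "wrapper").mkdir(parents=True)
    (root / "submodule" / ".mvn" / "wrapper" / "maven-wrapper.jar").write_bytes(bad)
    allowlist = {hashlib.sha256(good).hexdigest()}  # constructed, not a real release digest
    return root, allowlist


def main() -> int:
    root, allowlist = build_demo_tree()
    results = validate_wrapper_jars(root, allowlist)
    for path, (digest, ok) in sorted(results.items()):
        print(f"{'OK     ' if ok else 'UNKNOWN'} sha256:{digest[:16]}... {path}")
    bad = unknown_jars(results)
    if bad:
        print(f"error: {len(bad)} wrapper JAR(s) with an unrecognised checksum: {', '.join(bad)}")
        return 1  # non-zero exit fails the CI job, as the Gradle action does
    return 0


if __name__ == "__main__":
    raise SystemExit(main())
```

Two design points worth keeping in mind if this were turned into a real action. First, the allowlist has to cover every wrapper release that projects legitimately pin, or the check produces false failures on honest upgrades; the Gradle action solves this by fetching the published checksums of all releases. Second, a checksum check on the committed JAR only covers the case where the JAR is in the tree: the Maven wrapper scripts can also download `maven-wrapper.jar` at build time from the `wrapperUrl` in `.mvn/wrapper/maven-wrapper.properties`, so a review of changes to that properties file is a separate, complementary control.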