Open-source project name: gradle/wrapper-validation-action
Open-source project URL: https://github.com/gradle/wrapper-validation-action
Open-source language: TypeScript 97.8%
Open-source project introduction:

Gradle Wrapper Validation Action

This action validates the checksums of Gradle Wrapper JAR files present in the source tree and fails if unknown Gradle Wrapper JAR files are found.

The Gradle Wrapper Problem in Open Source

Searching across GitHub you can find many pull requests (PRs) with helpful titles like 'Update to Gradle xxx'. Many of these PRs are contributed by individuals outside of the organization maintaining the project. Many maintainers are incredibly grateful for these kinds of contributions, as they take an item off their backlog. We assume that most maintainers do not consider the security implications of accepting the Gradle Wrapper binary from external contributors; a certain amount of blind trust is involved. Further compounding the issue is that maintainers are most often greeted in these PRs with a diff to the Gradle Wrapper JAR that shows nothing reviewable, because GitHub cannot render a diff of a binary file.

A fairly simple social-engineering supply-chain attack against open source would be to contribute a helpful "Updated to Gradle xxx" PR that contains malicious code hidden inside this binary JAR. Because the wrapper JAR is the first thing executed by every developer and CI build that runs the `gradlew` script, such code would run with those users' privileges.

Solution

We have created a simple GitHub Action that can be applied to any GitHub repository. This GitHub Action will do one simple task: verify that any and all Gradle Wrapper JAR files in the repository match the SHA-256 checksums of one of our official releases. If any are found that do not match the SHA-256 checksums of our official releases, the action will fail. Additionally, the action will find and SHA-256 hash all homoglyph variants of the Gradle Wrapper JAR file name (for example, a name in which a Latin letter has been replaced by a visually identical Cyrillic letter), so that a look-alike file cannot slip past a check that matches only on the exact file name.

Usage

Add to an existing Workflow

Simply add this action to your workflow after having checked out your source tree and before running any Gradle build:

```yaml
uses: gradle/wrapper-validation-action@v1
```

Add a new dedicated Workflow

Here's a sample complete workflow you can add to your repositories:
```yaml
name: "Validate Gradle Wrapper"
on: [push, pull_request]
jobs:
  validation:
    name: "Validation"
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: gradle/wrapper-validation-action@v1
```

Contributing to an external GitHub Repository

Since GitHub Actions are completely free for open source projects and are automatically enabled on almost all projects, adding this check to a project's build is as simple as contributing a PR. Enabling the check requires no overhead on behalf of the project maintainer beyond merging the action. You can add this action to your favorite Gradle-based project without checking out its source locally via the GitHub Web UI, thanks to the 'Create new file' button. Simply add a new workflow file with the contents shown above. We recommend the following commit message contents:
From there, you can easily follow the rest of the prompts to create a Pull Request against the project.

Reporting Failures

If this GitHub action fails because a Gradle Wrapper JAR does not match one of our published checksums,
Note: If the Gradle version in
If you're curious and want to explore what the differences are between the

Resources

To learn more about verifying the Gradle Wrapper JAR locally, see our guide on the topic.
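The check described under Solution (find every Gradle Wrapper JAR, including homoglyph-named look-alikes, hash it with SHA-256 and compare against an allowlist) and the local verification mentioned under Resources, written out as an added example; this is not the action's own TypeScript code. Assumptions: the confusables table below is a small hand-picked subset (a production check would use the full Unicode confusables data); the allowlist is built from a constructed stand-in JAR rather than from the published `.sha256` files at https://services.gradle.org/distributions/ that a real run would fetch out of band; and failing a JAR whose name is a homoglyph variant even when its bytes match a known checksum is this example's stricter policy, not necessarily the action's.

```python
import hashlib
import os
import tempfile
import unicodedata
from pathlib import Path

WRAPPER_JAR = "gradle-wrapper.jar"

# Partial confusables table (assumption: a production check would use the full
# Unicode confusables data). Each key is a non-Latin letter that renders like
# the Latin letter it maps to.
HOMOGLYPHS = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0455": "s",  # CYRILLIC SMALL LETTER DZE
    "\u0458": "j",  # CYRILLIC SMALL LETTER JE
    "\u0501": "d",  # CYRILLIC SMALL LETTER KOMI DE
    "\u0261": "g",  # LATIN SMALL LETTER SCRIPT G
}


def canonical_name(name: str) -> str:
    """Fold a file name to the Latin form a reviewer's eye would read it as.

    NFKC handles compatibility forms (fullwidth letters, ligatures, the Roman
    numeral that looks like 'l'); the table handles true confusables that NFKC
    leaves alone. Case is folded because the JAR may sit on a case-insensitive
    filesystem.
    """
    folded = unicodedata.normalize("NFKC", name)
    return "".join(HOMOGLYPHS.get(ch, ch) for ch in folded).lower()


def is_wrapper_jar_name(name: str) -> bool:
    return canonical_name(name) == WRAPPER_JAR


def sha256_file(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_wrapper_jars(root: Path):
    """Yield every file, anywhere in the tree, whose name reads as the wrapper JAR."""
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]
        for filename in filenames:
            if is_wrapper_jar_name(filename):
                yield Path(dirpath) / filename


def validate(root: Path, allowed_sha256: set) -> list:
    """One finding per candidate JAR; 'ok' is False for anything that should fail the build.

    A file fails if its SHA-256 is not in the allowlist, or if its name is a
    homoglyph variant even when the bytes are genuine (stricter than the README
    requires: a genuine JAR has no reason to hide behind a look-alike name).
    """
    findings = []
    for jar in sorted(find_wrapper_jars(root)):
        digest = sha256_file(jar)
        homoglyph = jar.name.lower() != WRAPPER_JAR
        known = digest in allowed_sha256
        findings.append({
            "path": jar.relative_to(root).as_posix(),
            "sha256": digest,
            "homoglyph": homoglyph,
            "known_checksum": known,
            "ok": known and not homoglyph,
        })
    return findings


# Constructed stand-ins for JAR bytes (not real Gradle artifacts).
GOOD_JAR = b"PK\x03\x04 constructed stand-in for a genuine gradle-wrapper.jar"
EVIL_JAR = b"PK\x03\x04 constructed stand-in for a tampered gradle-wrapper.jar"


def build_constructed_tree(root: Path) -> None:
    """Constructed sample tree: the normal wrapper JAR, its properties file, and a
    look-alike JAR named with Cyrillic 'е' (U+0435) in place of Latin 'e'."""
    wrapper_dir = root / "gradle" / "wrapper"
    wrapper_dir.mkdir(parents=True)
    (wrapper_dir / WRAPPER_JAR).write_bytes(GOOD_JAR)
    (wrapper_dir / "gradle-wrapper.properties").write_text("distributionBase=GRADLE_USER_HOME\n")
    (root / "gradl\u0435-wrapper.jar").write_bytes(EVIL_JAR)


def demo() -> list:
    """Run the check over the constructed tree with an allowlist holding only the
    genuine sample's digest (in real use: the published .sha256 values per Gradle version)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_constructed_tree(root)
        allowed = {hashlib.sha256(GOOD_JAR).hexdigest()}
        return validate(root, allowed)


if __name__ == "__main__":
    results = demo()
    for r in results:
        flag = " (homoglyph name)" if r["homoglyph"] else ""
        print("PASS" if r["ok"] else "FAIL", r["path"], r["sha256"][:16] + "...", flag)
    raise SystemExit(0 if all(r["ok"] for r in results) else 1)
```

Run as a script it exits non-zero when any candidate fails, which is the behaviour a CI step needs; imported, `validate()` returns the findings so the policy (fail on unknown checksum, fail on look-alike name) can be adjusted in one place. Note that the name filter deliberately matches on the folded name rather than on `gradle-wrapper.jar` literally, since a grep for the literal name is exactly what a homoglyph-named file is designed to evade.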