Wednesday, November 15, 2017

Not using SSL to connect to Maven? Dilettante (= amateur)!

https://max.computer/blog/how-to-take-over-the-computer-of-any-java-or-clojure-or-scala-developer/

If you want to play a trick on your friends, you can use Dilettante to man-in-the-middle a Maven repository request and inject some bad behaviour: it works because Maven happily downloads artifacts over plain HTTP and checks no signature, so anyone on the network path can hand your build a different jar. The source code is at https://github.com/mveytsman/dilettante, but don't do it at your company, you might not win friends.

Very interesting reading: https://stackoverflow.com/a/24987915/651288

You can upgrade your repository URL to HTTPS at no cost (it used to be a paid service): https://support.sonatype.com/hc/en-us/articles/213465458

Use https://repo1.maven.org/maven2/, not http://repo1.maven.org/maven2/ (check every repository, pluginRepository and mirror URL in your pom.xml and settings.xml, not just Central).
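The check below is an added example, not the post's own commands and not Sonatype's or Maven's code: it flags every <url> element in a pom.xml or settings.xml that still points at a plain http:// repository, and puts the weak setting (a plain-http <repository>) next to the corrected one (a settings.xml mirror that forces Central over https). Both files are constructed for the demonstration. Only <url> elements are inspected because the xmlns and schemaLocation attributes of every pom.xml legitimately contain http://maven.apache.org/... URIs and a naive grep for "http://" would report them. Since Maven 3.8.1 the default settings.xml also ships a maven-default-http-blocker mirror that refuses external http:// repositories, so on a current Maven this misconfiguration fails the build outright; on older Maven a check like this is all that stands between you and Dilettante.

```shell
#!/bin/sh
# Added example (not from the original post): report plain-http repository
# URLs in Maven configuration files.

# find_plain_http_repos FILE
# Prints every <url> element whose value starts with http:// and returns 1
# if any was found, 0 if the file only uses https:// (or file://, etc).
# Restricting the match to <url> elements avoids the false positive on the
# http://maven.apache.org/POM/4.0.0 namespace URI present in every POM.
find_plain_http_repos() {
    _file="$1"
    _hits=$(grep -nE '<url>[[:space:]]*http://' "$_file" || true)
    if [ -n "$_hits" ]; then
        printf '%s: plain-http repository URL(s):\n%s\n' "$_file" "$_hits"
        return 1
    fi
    return 0
}

# Constructed sample files for the demonstration (assumed content).
workdir=$(mktemp -d)

# Weak setting: a <repository> fetched over plain http, exactly the case
# Dilettante exploits.
cat > "$workdir/pom.xml" <<'EOF'
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>demo</artifactId>
  <version>1.0</version>
  <repositories>
    <repository>
      <id>central</id>
      <url>http://repo1.maven.org/maven2/</url>
    </repository>
  </repositories>
</project>
EOF

# Corrected setting: a mirror in settings.xml that pins Central to https,
# overriding whatever URL a POM declares for the "central" repository.
cat > "$workdir/settings.xml" <<'EOF'
<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0">
  <mirrors>
    <mirror>
      <id>central-https</id>
      <mirrorOf>central</mirrorOf>
      <url>https://repo1.maven.org/maven2/</url>
    </mirror>
  </mirrors>
</settings>
EOF

find_plain_http_repos "$workdir/pom.xml" || echo "pom.xml needs fixing"
find_plain_http_repos "$workdir/settings.xml" && echo "settings.xml: ok"
```

Run it over ~/.m2/settings.xml and every pom.xml in the repository (find . -name pom.xml) and wire it into CI so a plain-http repository added in a pull request fails the build rather than waiting for someone to notice.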

To verify the PGP signatures (.asc files) of the artifacts your build depends on, run:

mvn com.github.s4u.plugins:pgpverify-maven-plugin:check

you can create a GPG key locally (running gpg once with no arguments only initialises the ~/.gnupg directory; the real work is --gen-key):

gpg
gpg --gen-key
gpg --list-keys
gpg --list-secret-keys

to verify a component (the signer's public key has to be in your keyring first, for example fetched from a keyserver with gpg --recv-keys; and a "Good signature" only tells you the file matches the signature, not that the key belongs to the project, so check the fingerprint against a known one):
gpg --verify plexus-cipher-1.7.jar.asc plexus-cipher-1.7.jar
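The script below is an added example, not the post's own commands and not pgpverify-maven-plugin's code: it runs the whole flow from the two paragraphs above (create a key, then verify a component) in a throwaway GNUPGHOME, signing a constructed stand-in for plexus-cipher-1.7.jar, verifying it, and then showing the two rejections the plugin's check goal exists for: a tampered jar, and a valid signature made by a key that is not the one pinned for that artifact. The identity signer@example.invalid, the jar contents and the all-zero fingerprint are assumptions made up for the demonstration. The fingerprint pin is the point: gpg --verify exits 0 for any good signature, trusted key or not, so the policy that actually protects the build is comparing the signer against a fingerprint you recorded in advance, which is what pgpverify's key map (keysMapLocation) does for you.

```shell
#!/bin/sh
# Added example (not from the original post): full gpg flow in a throwaway
# keyring, with the signer's fingerprint pinned, not just the signature checked.

if ! command -v gpg >/dev/null 2>&1; then
    echo "gpg is not installed; nothing to demonstrate" >&2
    exit 0
fi

GNUPGHOME=$(mktemp -d); export GNUPGHOME   # isolated keyring, discarded afterwards
chmod 700 "$GNUPGHOME"
work=$(mktemp -d)

# Unattended key generation (assumed identity; no passphrase so the example
# runs without pinentry). This stands in for the upstream developer's key;
# in real use you fetch that key from a keyserver and record its fingerprint.
gpg --batch --quiet --gen-key <<'EOF'
%no-protection
Key-Type: RSA
Key-Length: 2048
Name-Real: Example Artifact Signer
Name-Email: signer@example.invalid
Expire-Date: 0
%commit
EOF

# Fingerprint we decide to trust for this artifact (first "fpr" record of
# the --with-colons listing is the primary key).
trusted_fpr=$(gpg --batch --with-colons --fingerprint signer@example.invalid \
              | awk -F: '$1 == "fpr" { print $10; exit }')

# Constructed stand-in for plexus-cipher-1.7.jar and its detached .asc.
printf 'constructed stand-in for a jar, not a real archive\n' > "$work/plexus-cipher-1.7.jar"
gpg --batch --quiet --detach-sign --armor --local-user signer@example.invalid \
    --output "$work/plexus-cipher-1.7.jar.asc" "$work/plexus-cipher-1.7.jar"

# verify_artifact SIGNATURE FILE EXPECTED_FINGERPRINT
# Returns 0 only if the signature is valid AND was made by the pinned key.
# gpg's status output carries "VALIDSIG" only for a good signature; its last
# field is the primary key fingerprint of the signer (the third field is the
# fingerprint of the actual signing key, which may be a subkey).
verify_artifact() {
    _sig="$1"; _file="$2"; _expected="$3"
    _status=$(gpg --batch --status-fd 1 --verify "$_sig" "$_file" 2>/dev/null) || return 1
    _signer=$(printf '%s\n' "$_status" | awk '$2 == "VALIDSIG" { print $NF; exit }')
    [ -n "$_signer" ] && [ "$_signer" = "$_expected" ]
}

# Known-good artifact: signature valid and made by the trusted key.
verify_artifact "$work/plexus-cipher-1.7.jar.asc" "$work/plexus-cipher-1.7.jar" "$trusted_fpr" \
    && echo "OK: good signature from the pinned key $trusted_fpr"

# Tampered artifact (one byte appended, as a man-in-the-middle would): rejected.
cp "$work/plexus-cipher-1.7.jar" "$work/tampered.jar"
printf 'x' >> "$work/tampered.jar"
verify_artifact "$work/plexus-cipher-1.7.jar.asc" "$work/tampered.jar" "$trusted_fpr" \
    || echo "REJECTED: tampered artifact"

# Good signature, but from a key that is not the one pinned (an attacker can
# always sign with a key of their own): also rejected. Assumed fingerprint.
verify_artifact "$work/plexus-cipher-1.7.jar.asc" "$work/plexus-cipher-1.7.jar" \
    "0000000000000000000000000000000000000000" \
    || echo "REJECTED: signed by an unexpected key"

gpgconf --kill gpg-agent 2>/dev/null || true   # tidy up the agent started for key generation
```

When you do this against a real artifact from Central, download the .jar and its .asc over https, gpg --recv-keys the key id that gpg --verify reports, and then compare the fingerprint with one obtained out of band (the project's site, a previous release you already trust); a keyserver will serve you any key anybody uploaded, including one with the maintainer's name on it.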


Very good article on XBI (cross-build injection): http://branchandbound.net/blog/security/2012/03/crossbuild-injection-how-safe-is-your-build/

and one on verifying components using the MIT key server: http://branchandbound.net/blog/security/2012/08/verify-dependencies-using-pgp/


Interesting Maven plugin to whitelist components in a build: http://gary-rowe.com/agilestack/2013/07/03/preventing-dependency-chain-attacks-in-maven/

and the documentation of the pgpverify plugin used above (com.github.s4u.plugins is simplify4u), which checks the PGP signatures of dependencies: https://www.simplify4u.org/pgpverify-maven-plugin/index.html
