https://max.computer/blog/how-to-take-over-the-computer-of-any-java-or-clojure-or-scala-developer/
If you want to play a trick on your friends, you can use Dilettante to man-in-the-middle a Maven Repository request and inject some bad behaviour, the source code is here https://github.com/mveytsman/dilettante but don't do in your company, you might not win friends.
Very interesting reading https://stackoverflow.com/a/24987915/651288
You can upgrade your URL to HTTPS at no cost (it used to be a paying service) https://support.sonatype.com/hc/en-us/articles/213465458
Use this https://repo1.maven.org/maven2/ , not http://repo1.maven.org/maven2/
To run a verification of your build dependent artifacts:
mvn com.github.s4u.plugins:pgpverify-maven-plugin:check
you can create locally a gpg key:
gpg
gpg --gen-key
gpg --list-keys
gpg --list-secret-keys
to verify a component:
gpg --verify plexus-cipher-1.7.jar.asc plexus-chipher-1.7.jar
Very good article on XBI (cross build injection) http://branchandbound.net/blog/security/2012/03/crossbuild-injection-how-safe-is-your-build/
and about verifying components using MIT key repo : http://branchandbound.net/blog/security/2012/08/verify-dependencies-using-pgp/
Interesting Maven plugin to whitelist components in a build http://gary-rowe.com/agilestack/2013/07/03/preventing-dependency-chain-attacks-in-maven/
and here another similar Maven plugin to check PGP signature https://www.simplify4u.org/pgpverify-maven-plugin/index.html
Wednesday, November 15, 2017
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment