Skip to content

Verify maven dependency checksums#2986

Merged
sstone merged 4 commits intomasterfrom
maven-checksums
Jan 27, 2025
Merged

Verify maven dependency checksums#2986
sstone merged 4 commits intomasterfrom
maven-checksums

Conversation

@sstone
Copy link
Member

@sstone sstone commented Jan 23, 2025

We use a feature added to maven 3.9.x to compute checksums for our dependencies and verify them against a local "trusted checksums" file, and fail the build if the do not match. This process is local and independent of checksums stored and downloaded from maven repositories.

SNAPSHOT dependencies are not verified (but released versions should never depend on SNAPSHOT dependencies).

This should protect us against supply-chain attacks where some of our dependencies are compromised and replaced by malicious ones.

@sstone sstone requested a review from t-bast January 23, 2025 15:12
@sstone
Verify maven dependency checksums
d2f54af 
Maven build process will compute checksums for our dependencies and verify them against a local "trusted checksums" file, and fail the build
if the do not match. This process is local and independent of checksums stored and downloaded from maven repositories.

SNAPSHOT dependencies are not verified (but released versions should never depend on SNAPSHOT dependencies).
@codecov-commenter
Copy link

codecov-commenter commented Jan 23, 2025

⚠️ Please install the 'codecov app svg image' to ensure uploads and comments are reliably processed by Codecov.

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 86.00%. Comparing base (8827a04) to head (d2f54af).
Report is 3 commits behind head on master.

❗ Your organization needs to install the Codecov GitHub app to enable full functionality.

Additional details and impacted files 
@@            Coverage Diff             @@
##           master    #2986      +/-   ##
==========================================
- Coverage   86.02%   86.00%   -0.03%     
==========================================
  Files         227      227              
  Lines       20340    20368      +28     
  Branches      834      850      +16     
==========================================
+ Hits        17498    17517      +19     
- Misses       2842     2851       +9

see 7 files with indirect coverage changes

t-bast
t-bast requested changes Jan 24, 2025
View reviewed changes
sstone added 2 commits January 27, 2025 10:09
@sstone
Documentation: maven is not required anymore
52dca17 
The correct version of the JDK is enough, Eclair uses the maven wrapper now which will download the version of maven that it needs on first use.
@sstone
Documentation: explain how to update maven checksums
ca277a6
t-bast
t-bast reviewed Jan 27, 2025
View reviewed changes
@sstone sstone merged commit 05f7dc3 into master Jan 27, 2025
1 check passed
@sstone sstone deleted the maven-checksums branch January 27, 2025 12:55
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@t-bast t-bast t-bast approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@sstone @codecov-commenter @t-bast