Audit - Rules - Maven
Description
This group contains audit rules that look for potential problems in Maven POM files.
Rules:
Summary
Using a dynamic dependency version is a security risk.
Description
This audit rule flags the use of dynamic dependency versions in Maven configuration files.
Security Implications
A dynamic dependency version adds to the number of variables that are undefined at build time and that an attacker can influence. Moreover, you cannot validate the quality and security of the code that actually ends up in the build, because it is only resolved when the build runs. This is an additional security risk that should be taken into account.
Example
The following part of a Maven POM would be flagged as a violation because it declares a dependency with a dynamically defined version (a version range instead of a fixed version):
<dependency>
    <groupId>junit</groupId>
    <artifactId>junit</artifactId>
    <version>[,3.8.1]</version>
    <scope>test</scope>
</dependency>
Summary
Using external repositories is an additional security risk.
Description
This audit rule flags the use of external Maven repositories that are not on the list of permitted ones.
Remember that tools such as Maven ship with a list of repositories that are enabled by default. You should redeclare these too.
Security Implications
An external repository can be compromised by an attacker to allow malicious code into your application during its build. This threat is completely negated when you do not use downloadable dependency managers at all; if this is not an option, you can use a local repository proxy that stores trusted dependency packages for use during the build. In contrast to external repositories belonging to third parties, the security of such a repository is under your control.
Example
The following part of a Maven POM would be flagged as a violation because it declares an external repository that is not on the permitted list, so dependencies may be fetched from it:
<repositories>
    <repository>
        <id>apache.incubator</id>
        <url>http://people.apache.org/repo/m2-incubating-repository</url>
    </repository>
</repositories>
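As an added example that is not part of the original rule documentation or of the audit tool's own code, the following Python script applies both rules above to a constructed POM: it flags version ranges and the LATEST/RELEASE markers as dynamic versions, and flags any declared repository URL that is not on an allowlist. The POM namespace is the standard Maven 4.0.0 one; the allowlist URL and the sample POM contents are hypothetical values chosen for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}  # standard Maven POM namespace

# Constructed sample POM: one violation of each rule plus one clean entry each.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency><groupId>junit</groupId><artifactId>junit</artifactId>
      <version>[,3.8.1]</version><scope>test</scope></dependency>
    <dependency><groupId>org.slf4j</groupId><artifactId>slf4j-api</artifactId>
      <version>1.7.36</version></dependency>
  </dependencies>
  <repositories>
    <repository><id>apache.incubator</id>
      <url>http://people.apache.org/repo/m2-incubating-repository</url></repository>
    <repository><id>internal</id>
      <url>https://repo.example.internal/maven2</url></repository>
  </repositories>
</project>"""

# Hypothetical allowlist: the local repository proxy the rule recommends.
PERMITTED_REPOS = {"https://repo.example.internal/maven2"}

def is_dynamic_version(version):
    """Version ranges and the LATEST/RELEASE markers are resolved at build time."""
    v = version.strip()
    return bool(v) and (v[0] in "[(" or v.upper() in ("LATEST", "RELEASE"))

def audit_pom(pom_xml, permitted=PERMITTED_REPOS):
    """Return (rule, subject) tuples, one per violation found in the POM."""
    root = ET.fromstring(pom_xml)
    findings = []
    for dep in root.findall(".//m:dependencies/m:dependency", NS):
        coord = "%s:%s" % (dep.findtext("m:groupId", "", NS),
                           dep.findtext("m:artifactId", "", NS))
        version = dep.findtext("m:version", "", NS)
        if is_dynamic_version(version):
            findings.append(("dynamic-version", coord + ":" + version))
    for repo in root.findall(".//m:repositories/m:repository", NS):
        url = repo.findtext("m:url", "", NS).strip()
        if url not in permitted:  # exact-match allowlist; no prefix matching
            findings.append(("external-repository", url))
    return findings

if __name__ == "__main__":
    for rule, subject in audit_pom(SAMPLE_POM):
        print(rule, subject)
```

A dependency without a `<version>` element is not reported, since Maven resolves it from `dependencyManagement` rather than dynamically; a default repository such as Maven Central must be redeclared in the POM to be checked by this script, as the rule text notes.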