Audit - Rules - Ivy
Description
This group contains audit rules that look for potential problems in Ivy scripts.
Rules:
Summary
Using a dynamic dependency version is a security risk.
Description
This audit rule reports a violation for every dependency declared with a dynamic revision in an Ivy configuration file, that is, a revision that does not pin one specific version: a trailing "+", a version range, or one of the latest.<status> values such as latest.integration.
Security Implications
A dynamic dependency version leaves the exact code that enters the build undecided until resolution time: whichever matching revision the repository serves at that moment is what gets compiled in. An attacker who can publish a newer matching revision to the repository, or who can influence which revision the resolver picks, can therefore substitute code without touching your project at all. It also means you cannot review the quality and security of the code used in the build ahead of time, and two builds of the same source may not be reproducible. This is an additional security risk that should be taken into consideration.
Example
The following part of an Ivy script would be flagged as a violation because it declares a dependency with a dynamically defined revision (rev="9.1+" accepts any revision that starts with 9.1):
<dependency org="yourorg" name="yourmodule9" rev="9.1+" conf="A,B->default">
  <include name="art1" type="jar" conf="A,B"/>
  <include name="art2" type="jar" conf="A"/>
</dependency>
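As an added example (not part of the original rule page and not the audit tool's own implementation), the following Python script applies the check this rule describes to an ivy.xml file. It goes beyond the single "9.1+" case above and recognises the other dynamic revision forms Ivy accepts: latest.integration and the other latest.<status> values, a trailing "+", and version ranges in bracket notation. The file contents are constructed for the example; they repeat the flagged dependency, add a pinned sibling (9.1.3 is an assumed value) to show what passes, and add two more dynamic forms.

```python
import re
import xml.etree.ElementTree as ET

# The dynamic revision forms Apache Ivy accepts: latest.integration and the
# other latest.<status> values, a trailing "+" (9.1+ = any revision starting
# with 9.1), and version ranges such as [1.0,2.0], [1.0,) or (,2.0].
DYNAMIC_REV = re.compile(r"^latest\.\w+$|\+$|^[\[\(].*[\]\)]$")

# Constructed ivy.xml (example input, not a real project file): the page's
# flagged dependency, a pinned sibling (revision 9.1.3 is an assumed value),
# and two further dynamic forms.
SAMPLE_IVY_XML = """<ivy-module version="2.0">
  <info organisation="yourorg" module="yourapp"/>
  <dependencies>
    <dependency org="yourorg" name="yourmodule9" rev="9.1+" conf="A,B->default">
      <include name="art1" type="jar" conf="A,B"/>
      <include name="art2" type="jar" conf="A"/>
    </dependency>
    <dependency org="yourorg" name="yourmodule9" rev="9.1.3" conf="A,B->default"/>
    <dependency org="org.example" name="lib" rev="latest.integration"/>
    <dependency org="org.example" name="other" rev="[1.0,2.0)"/>
  </dependencies>
</ivy-module>
"""


def is_dynamic_revision(rev):
    """True when the revision string does not pin a single version."""
    return bool(DYNAMIC_REV.search(rev.strip()))


def find_dynamic_dependencies(ivy_xml):
    """Return (org, name, rev) for each dependency declared with a dynamic revision.

    Both rev and revConstraint are inspected: when ivy:deliver rewrites rev to
    the resolved version, the original dynamic constraint is kept in
    revConstraint, so a delivered file still reveals the dynamic declaration.
    """
    root = ET.fromstring(ivy_xml)
    violations = []
    for dep in root.iter("dependency"):
        for attr in ("rev", "revConstraint"):
            value = dep.get(attr)
            if value and is_dynamic_revision(value):
                violations.append((dep.get("org"), dep.get("name"), value))
                break  # one report per dependency is enough
    return violations


if __name__ == "__main__":
    for org, name, rev in find_dynamic_dependencies(SAMPLE_IVY_XML):
        print(f"dynamic revision: {org}#{name};{rev}")
```

Running the script reports three of the four constructed dependencies; the one pinned to 9.1.3 passes. The pinned form is the fix the rule is asking for: replace the dynamic revision with the exact version you have reviewed, and let a deliberate upgrade, not the repository's newest upload, change it.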
Summary
Using external repositories is an additional security risk.
Description
This audit rule reports a violation for every external Ivy repository declared in the chain of resolvers that is not on the list of permitted repositories.
Security Implications
An external repository can be compromised by an attacker to introduce malicious code into your application while it is being built. This threat is removed only if the build downloads no dependencies at all; if that is not an option, use a local repository proxy that holds vetted dependency packages for the build to use. Unlike an external repository operated by a third party, the security of such a proxy is under your control. Note that the permitted list only decides where artifacts come from: a resolver reached over plain http:// is still exposed to tampering on the network path, so permitted repositories should be served over HTTPS or an otherwise trusted network.
Example
The following Ivy ivysettings.xml file declares a single default resolver. If the URL http://ivy.internal.repo/ is present in the list of permitted repositories, these settings will pass the check. Otherwise, this file will be marked as a violation:
<ivysettings>
  <settings defaultResolver="default"/>
  <properties file="${ivy.settings.dir}/ivysettings.properties" />
  <resolvers>
    <chain name="default">
      <url name="internal" checkmodified="true">
        <ivy pattern="http://ivy.internal.repo/[org]/[mod]/ivy-[rev].xml"/>
        <artifact pattern="http://ivy.internal.repo/[org]/[mod]/[art]-[rev].[type]"/>
      </url>
    </chain>
  </resolvers>
</ivysettings>
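As an added example, not code from the original page or from the audit tool: a Python check that walks the resolvers declared in an ivysettings.xml file, collects the remote locations they point at, and reports any that are not under a permitted prefix. The permitted list and the extra public ibiblio resolver in the constructed settings file are assumptions made for the illustration. The check also handles two cases a static audit has to decide on: a pattern built from an unresolved ${property}, whose real location cannot be known from the file alone, and an ibiblio resolver with no root attribute, which falls back to a public repository.

```python
import xml.etree.ElementTree as ET

# Trusted repository prefixes (assumed for the example; supply your own list).
# The trailing slash matters: it stops http://ivy.internal.repo.evil.example/
# from passing as a prefix match of http://ivy.internal.repo/.
PERMITTED_PREFIXES = ("http://ivy.internal.repo/",)

# Constructed ivysettings.xml (example input): the page's internal resolver
# plus an added public ibiblio resolver that the check should report.
SAMPLE_SETTINGS = """<ivysettings>
  <settings defaultResolver="default"/>
  <properties file="${ivy.settings.dir}/ivysettings.properties"/>
  <resolvers>
    <chain name="default">
      <url name="internal" checkmodified="true">
        <ivy pattern="http://ivy.internal.repo/[org]/[mod]/ivy-[rev].xml"/>
        <artifact pattern="http://ivy.internal.repo/[org]/[mod]/[art]-[rev].[type]"/>
      </url>
      <ibiblio name="public" m2compatible="true" root="https://repo1.maven.org/maven2/"/>
    </chain>
  </resolvers>
</ivysettings>
"""


def repository_locations(settings_xml):
    """Return (resolver name, location) pairs for every remote location declared.

    A url resolver contributes each of its ivy/artifact patterns. An ibiblio
    resolver contributes its root attribute, or None when it is absent, because
    Ivy then falls back to a public repository.
    """
    root = ET.fromstring(settings_xml)
    found = []
    for resolver in root.iter("url"):
        for child in resolver:
            if child.get("pattern"):
                found.append((resolver.get("name", "?"), child.get("pattern")))
    for resolver in root.iter("ibiblio"):
        found.append((resolver.get("name", "?"), resolver.get("root")))
    return found


def classify(location, permitted=PERMITTED_PREFIXES):
    """'permitted', 'external', 'local' or 'unresolved' for one location."""
    if location is None:
        return "external"             # ibiblio default root is a public repository
    head = location.split("[", 1)[0]  # everything before the first [token]
    if "${" in head:
        return "unresolved"           # property value unknown to a static check
    if "://" not in head or head.startswith("file:"):
        return "local"                # filesystem pattern, not a remote repository
    return "permitted" if head.startswith(tuple(permitted)) else "external"


def check_resolvers(settings_xml, permitted=PERMITTED_PREFIXES):
    """Violations as (resolver name, location, verdict); empty when the file passes."""
    violations = []
    for name, location in repository_locations(settings_xml):
        verdict = classify(location, permitted)
        if verdict in ("external", "unresolved"):
            violations.append((name, location, verdict))
    return violations


if __name__ == "__main__":
    for name, location, verdict in check_resolvers(SAMPLE_SETTINGS):
        print(f"{verdict}: resolver '{name}' -> {location}")
```

With the assumed permitted list the internal url resolver passes and the public ibiblio resolver is reported; adding https://repo1.maven.org/maven2/ to the list makes the same file pass. An unresolved ${property} is reported rather than silently accepted, since the audit cannot tell from the settings file alone which host the build will actually contact.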