Audit - Rules - Ant

Description
This group contains audit rules that look for potential problems in Ant build scripts.

Rules:
    External Dependency in Ant

Details

External Dependency in Ant

Summary
Using external downloadable dependencies is an additional security risk.

Description
This audit rule flags the retrieval of dependencies in an Ant script via the <get> Ant task as a violation.

Security Implications
An external repository can be compromised by an attacker to introduce malicious code into your application while it is being built. This threat is completely negated when you do not use downloadable dependencies at all; if this is not an option, you can use a local repository proxy that stores trusted dependency packages for use during the build. In contrast to external repositories belonging to third parties, the security of such a repository is under your control.

Example
The following part of an Ant script would be flagged as a violation because it tries to fetch a remote dependency jar via the <get> task:

    <target name="get_deps">
        <get src="http://ext.repository.com/jackarta/commons-lang.jar" dest="deps/commons-lang.jar" />
    </target>
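The following Python script is an added example of the check this rule performs; it is not the audit tool's own implementation. It parses an Ant build file, reports every <get> task together with the target that contains it and the host it downloads from, and leaves tasks that only touch local files (such as <copy>) alone. The build script embedded in it is constructed for the example and includes the flagged target from above next to a target that takes the jar from a local repository proxy path.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample build script: "get_deps" downloads a jar from an external
# host via <get>, while "local_deps" copies it from a local repository proxy
# and performs no network access at all.
SAMPLE_BUILD_XML = """<project name="demo" default="build">
    <target name="get_deps">
        <get src="http://ext.repository.com/jackarta/commons-lang.jar"
             dest="deps/commons-lang.jar" />
    </target>
    <target name="local_deps">
        <copy file="/opt/repo-proxy/commons-lang.jar" todir="deps" />
    </target>
    <target name="build" depends="get_deps,local_deps">
        <javac srcdir="src" destdir="build" />
    </target>
</project>"""


def find_get_tasks(build_xml):
    """Return one finding per <get> task in the build script.

    Each finding records the enclosing target (or None for a task placed
    directly under <project>), the src attribute and the host part of it.
    """
    root = ET.fromstring(build_xml)
    # ElementTree has no parent pointers, so build a child -> parent map
    # to recover the enclosing <target> of every <get>.
    parent_of = {child: parent for parent in root.iter() for child in parent}
    findings = []
    for get_task in root.iter("get"):
        target_name = None
        node = parent_of.get(get_task)
        while node is not None:
            if node.tag == "target":
                target_name = node.get("name")
                break
            node = parent_of.get(node)
        src = get_task.get("src", "")
        findings.append({
            "target": target_name,
            "src": src,
            "host": urlparse(src).hostname or "",
        })
    return findings


def format_report(findings):
    """Render findings as one line per violation, as an audit tool would."""
    return [
        "External Dependency in Ant: target %r fetches %s from host %s"
        % (f["target"], f["src"], f["host"] or "<none>")
        for f in findings
    ]


if __name__ == "__main__":
    for line in format_report(find_get_tasks(SAMPLE_BUILD_XML)):
        print(line)
```

Running the script prints a single violation for the "get_deps" target; the "local_deps" target is not reported because copying from a local proxy path is exactly the mitigation the rule recommends.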