[SECURITY] Dependency Confusion

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
7 messages Options
Reply | Threaded
Open this post in threaded view
|

[SECURITY] Dependency Confusion

Jacques Le Roux
Administrator
Hi,

I just read a members thread about this article: https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610

One member mentioned that the Groovy project is using the Gradle's dependency verification feature[1] in the Apache Groovy build.

I suggest we do the same, even after the move from JCenter to MavenCentral where things should be safer.

What do you think?

[1] https://docs.gradle.org/current/userguide/dependency_verification.html <https://docs.gradle.org/current/userguide/dependency_verification.html>

Jacques

Reply | Threaded
Open this post in threaded view
|

Re: [SECURITY] Dependency Confusion

Jacques Le Roux
Administrator
Hi,

I created https://issues.apache.org/jira/browse/OFBIZ-12186 for that. It's much more simple that I feared.
I'll soon commit the attached verification-metadata.xml file there, if nobody oppose.

We will later need to update it when updating dependencies.
So I'll also update https://cwiki.apache.org/confluence/display/OFBIZ/About+OWASP+Dependency+Check

As actually we no longer use OWASP+Dependency+Check (does not fit with Gradle), we need to remove this page but keep the last section in a new page.
With the switch from jcenter to Maven Central we also need to modify this last section.

We also need to update
https://cwiki.apache.org/confluence/display/OFBIZ/Release+Management+Guide+for+OFBiz
https://cwiki.apache.org/confluence/display/OFBIZ/Load+new+gradle+wrapper+version+on+bintray
https://issues.apache.org/jira/browse/OFBIZ-10213

I'll do so in relation, with OFBIZ-12186

Jacques

Le 13/02/2021 à 12:50, Jacques Le Roux a écrit :

> Hi,
>
> I just read a members thread about this article: https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610
>
> One member mentioned that the Groovy project is using the Gradle's dependency verification feature[1] in the Apache Groovy build.
>
> I suggest we do the same, even after the move from JCenter to MavenCentral where things should be safer.
>
> What do you think?
>
> [1] https://docs.gradle.org/current/userguide/dependency_verification.html <https://docs.gradle.org/current/userguide/dependency_verification.html>
>
> Jacques
>
Reply | Threaded
Open this post in threaded view
|

Re: [SECURITY] Dependency Confusion

Michael Brohl-3
Hi Jacques, all,

we should try to publish the Gradle Wrapper to Maven Central, right?

Regards,

Michael Brohl

ecomify GmbH - www.ecomify.de


Am 22.02.21 um 14:08 schrieb Jacques Le Roux:

> Hi,
>
> I created https://issues.apache.org/jira/browse/OFBIZ-12186 for that.
> It's much more simple that I feared.
> I'll soon commit the attached verification-metadata.xml file there, if
> nobody oppose.
>
> We will later need to update it when updating dependencies.
> So I'll also update
> https://cwiki.apache.org/confluence/display/OFBIZ/About+OWASP+Dependency+Check
>
> As actually we no longer use OWASP+Dependency+Check (does not fit with
> Gradle), we need to remove this page but keep the last section in a
> new page. With the switch from jcenter to Maven Central we also need
> to modify this last section.
>
> We also need to update
> https://cwiki.apache.org/confluence/display/OFBIZ/Release+Management+Guide+for+OFBiz 
>
> https://cwiki.apache.org/confluence/display/OFBIZ/Load+new+gradle+wrapper+version+on+bintray 
>
> https://issues.apache.org/jira/browse/OFBIZ-10213
>
> I'll do so in relation, with OFBIZ-12186
>
> Jacques
>
> Le 13/02/2021 à 12:50, Jacques Le Roux a écrit :
>> Hi,
>>
>> I just read a members thread about this article:
>> https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610
>>
>> One member mentioned that the Groovy project is using the Gradle's
>> dependency verification feature[1] in the Apache Groovy build.
>>
>> I suggest we do the same, even after the move from JCenter to
>> MavenCentral where things should be safer.
>>
>> What do you think?
>>
>> [1]
>> https://docs.gradle.org/current/userguide/dependency_verification.html 
>> <https://docs.gradle.org/current/userguide/dependency_verification.html>
>>
>> Jacques
>>
Reply | Threaded
Open this post in threaded view
|

Re: [SECURITY] Dependency Confusion

Jacques Le Roux
Administrator
Hi Michael,

Yes I see no other ways, not sure how to do it. I found :
https://discuss.gradle.org/t/host-gradle-wrapper-distributions-on-maven-central/543/2
https://stackoverflow.com/questions/42908823/publish-to-sonatype-using-new-gradle-plugin-maven-publish

Jacques

Le 23/02/2021 à 08:53, Michael Brohl a écrit :

> Hi Jacques, all,
>
> we should try to publish the Gradle Wrapper to Maven Central, right?
>
> Regards,
>
> Michael Brohl
>
> ecomify GmbH - www.ecomify.de
>
>
> Am 22.02.21 um 14:08 schrieb Jacques Le Roux:
>> Hi,
>>
>> I created https://issues.apache.org/jira/browse/OFBIZ-12186 for that. It's much more simple that I feared.
>> I'll soon commit the attached verification-metadata.xml file there, if nobody oppose.
>>
>> We will later need to update it when updating dependencies.
>> So I'll also update https://cwiki.apache.org/confluence/display/OFBIZ/About+OWASP+Dependency+Check
>>
>> As actually we no longer use OWASP+Dependency+Check (does not fit with Gradle), we need to remove this page but keep the last section in a new
>> page. With the switch from jcenter to Maven Central we also need to modify this last section.
>>
>> We also need to update
>> https://cwiki.apache.org/confluence/display/OFBIZ/Release+Management+Guide+for+OFBiz
>> https://cwiki.apache.org/confluence/display/OFBIZ/Load+new+gradle+wrapper+version+on+bintray
>> https://issues.apache.org/jira/browse/OFBIZ-10213
>>
>> I'll do so in relation, with OFBIZ-12186
>>
>> Jacques
>>
>> Le 13/02/2021 à 12:50, Jacques Le Roux a écrit :
>>> Hi,
>>>
>>> I just read a members thread about this article: https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610
>>>
>>> One member mentioned that the Groovy project is using the Gradle's dependency verification feature[1] in the Apache Groovy build.
>>>
>>> I suggest we do the same, even after the move from JCenter to MavenCentral where things should be safer.
>>>
>>> What do you think?
>>>
>>> [1] https://docs.gradle.org/current/userguide/dependency_verification.html <https://docs.gradle.org/current/userguide/dependency_verification.html>
>>>
>>> Jacques
>>>
Reply | Threaded
Open this post in threaded view
|

Re: [SECURITY] Dependency Confusion

Jacques Le Roux
Administrator
Forgot this one: https://central.sonatype.org/pages/ossrh-guide.html

Le 23/02/2021 à 12:41, Jacques Le Roux a écrit :

> Hi Michael,
>
> Yes I see no other ways, not sure how to do it. I found :
> https://discuss.gradle.org/t/host-gradle-wrapper-distributions-on-maven-central/543/2
> https://stackoverflow.com/questions/42908823/publish-to-sonatype-using-new-gradle-plugin-maven-publish
>
> Jacques
>
> Le 23/02/2021 à 08:53, Michael Brohl a écrit :
>> Hi Jacques, all,
>>
>> we should try to publish the Gradle Wrapper to Maven Central, right?
>>
>> Regards,
>>
>> Michael Brohl
>>
>> ecomify GmbH - www.ecomify.de
>>
>>
>> Am 22.02.21 um 14:08 schrieb Jacques Le Roux:
>>> Hi,
>>>
>>> I created https://issues.apache.org/jira/browse/OFBIZ-12186 for that. It's much more simple that I feared.
>>> I'll soon commit the attached verification-metadata.xml file there, if nobody oppose.
>>>
>>> We will later need to update it when updating dependencies.
>>> So I'll also update https://cwiki.apache.org/confluence/display/OFBIZ/About+OWASP+Dependency+Check
>>>
>>> As actually we no longer use OWASP+Dependency+Check (does not fit with Gradle), we need to remove this page but keep the last section in a new
>>> page. With the switch from jcenter to Maven Central we also need to modify this last section.
>>>
>>> We also need to update
>>> https://cwiki.apache.org/confluence/display/OFBIZ/Release+Management+Guide+for+OFBiz
>>> https://cwiki.apache.org/confluence/display/OFBIZ/Load+new+gradle+wrapper+version+on+bintray
>>> https://issues.apache.org/jira/browse/OFBIZ-10213
>>>
>>> I'll do so in relation, with OFBIZ-12186
>>>
>>> Jacques
>>>
>>> Le 13/02/2021 à 12:50, Jacques Le Roux a écrit :
>>>> Hi,
>>>>
>>>> I just read a members thread about this article: https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610
>>>>
>>>> One member mentioned that the Groovy project is using the Gradle's dependency verification feature[1] in the Apache Groovy build.
>>>>
>>>> I suggest we do the same, even after the move from JCenter to MavenCentral where things should be safer.
>>>>
>>>> What do you think?
>>>>
>>>> [1] https://docs.gradle.org/current/userguide/dependency_verification.html <https://docs.gradle.org/current/userguide/dependency_verification.html>
>>>>
>>>> Jacques
>>>>
Reply | Threaded
Open this post in threaded view
|

Re: [SECURITY] Dependency Confusion

Amit Gadaley
Hello All,

I am not 100% sure following errors are related to this thread or not, but
I have updated my trunk branches of both, ofbiz-framework and
 plugins, repositories. And after that I am unable to clean and build
ofbiz. Here are the error logs from my local server:

amit@amit-Latitude-E6540:~/sandbox/ofbiz-framework$ ./gradlew --scan
cleanAll
Dependency verification is an incubating feature.

FAILURE: Build failed with an exception.

* What went wrong:
Dependency verification failed for configuration 'classpath'
2 artifacts failed verification:
  - gradle-enterprise-gradle-plugin-3.3.4.jar
(com.gradle:gradle-enterprise-gradle-plugin:3.3.4) from repository Gradle
Central Plugin Repository
  - gradle-enterprise-gradle-plugin-3.3.4.pom
(com.gradle:gradle-enterprise-gradle-plugin:3.3.4) from repository Gradle
Central Plugin Repository
If the artifacts are trustworthy, you will need to update the
gradle/verification-metadata.xml file by following the instructions at
https://docs.gradle.org/6.5.1/userguide/dependency_verification.html#sec:troubleshooting-verification

Open this report for more details:
file:///home/amit/sandbox/ofbiz-framework/build/reports/dependency-verification/at-1614431781178/dependency-verification-report.html

* Try:
Run with --stacktrace option to get the stack trace. Run with --info or
--debug option to get more log output. Run with --scan to get full insights.

* Get more help at https://help.gradle.org

BUILD FAILED in 7s

Please let me know if anyone has any suggestions or inputs.

On Tue, Feb 23, 2021 at 5:16 PM Jacques Le Roux <
[hidden email]> wrote:

> Forgot this one: https://central.sonatype.org/pages/ossrh-guide.html
>
> Le 23/02/2021 à 12:41, Jacques Le Roux a écrit :
> > Hi Michael,
> >
> > Yes I see no other ways, not sure how to do it. I found :
> >
> https://discuss.gradle.org/t/host-gradle-wrapper-distributions-on-maven-central/543/2
> >
> https://stackoverflow.com/questions/42908823/publish-to-sonatype-using-new-gradle-plugin-maven-publish
> >
> > Jacques
> >
> > Le 23/02/2021 à 08:53, Michael Brohl a écrit :
> >> Hi Jacques, all,
> >>
> >> we should try to publish the Gradle Wrapper to Maven Central, right?
> >>
> >> Regards,
> >>
> >> Michael Brohl
> >>
> >> ecomify GmbH - www.ecomify.de
> >>
> >>
> >> Am 22.02.21 um 14:08 schrieb Jacques Le Roux:
> >>> Hi,
> >>>
> >>> I created https://issues.apache.org/jira/browse/OFBIZ-12186 for that.
> It's much more simple that I feared.
> >>> I'll soon commit the attached verification-metadata.xml file there, if
> nobody oppose.
> >>>
> >>> We will later need to update it when updating dependencies.
> >>> So I'll also update
> https://cwiki.apache.org/confluence/display/OFBIZ/About+OWASP+Dependency+Check
> >>>
> >>> As actually we no longer use OWASP+Dependency+Check (does not fit with
> Gradle), we need to remove this page but keep the last section in a new
> >>> page. With the switch from jcenter to Maven Central we also need to
> modify this last section.
> >>>
> >>> We also need to update
> >>>
> https://cwiki.apache.org/confluence/display/OFBIZ/Release+Management+Guide+for+OFBiz
> >>>
> https://cwiki.apache.org/confluence/display/OFBIZ/Load+new+gradle+wrapper+version+on+bintray
> >>> https://issues.apache.org/jira/browse/OFBIZ-10213
> >>>
> >>> I'll do so in relation, with OFBIZ-12186
> >>>
> >>> Jacques
> >>>
> >>> Le 13/02/2021 à 12:50, Jacques Le Roux a écrit :
> >>>> Hi,
> >>>>
> >>>> I just read a members thread about this article:
> https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610
> >>>>
> >>>> One member mentioned that the Groovy project is using the Gradle's
> dependency verification feature[1] in the Apache Groovy build.
> >>>>
> >>>> I suggest we do the same, even after the move from JCenter to
> MavenCentral where things should be safer.
> >>>>
> >>>> What do you think?
> >>>>
> >>>> [1]
> https://docs.gradle.org/current/userguide/dependency_verification.html <
> https://docs.gradle.org/current/userguide/dependency_verification.html>
> >>>>
> >>>> Jacques
> >>>>
>


--
Kind Regards,
Amit Gadaley
*Technical Consultant*
*HotWax Systems*
*Enterprise open source experts*
cell: +91-95845-93069
office: 0731-409-3684
http://www.hotwaxsystems.com
Reply | Threaded
Open this post in threaded view
|

Re: [SECURITY] Dependency Confusion

Jacques Le Roux
Administrator
Hi Amit,

Yes it's related to https://issues.apache.org/jira/browse/OFBIZ-12186

It's now disabled because it seems it only works on my local machine for now

Please follow https://ci.apache.org/builders/ofbizTrunkFramework

Jacques

Le 27/02/2021 à 14:37, Amit Gadaley a écrit :

> Hello All,
>
> I am not 100% sure following errors are related to this thread or not, but
> I have updated my trunk branches of both, ofbiz-framework and
>   plugins, repositories. And after that I am unable to clean and build
> ofbiz. Here are the error logs from my local server:
>
> amit@amit-Latitude-E6540:~/sandbox/ofbiz-framework$ ./gradlew --scan
> cleanAll
> Dependency verification is an incubating feature.
>
> FAILURE: Build failed with an exception.
>
> * What went wrong:
> Dependency verification failed for configuration 'classpath'
> 2 artifacts failed verification:
>    - gradle-enterprise-gradle-plugin-3.3.4.jar
> (com.gradle:gradle-enterprise-gradle-plugin:3.3.4) from repository Gradle
> Central Plugin Repository
>    - gradle-enterprise-gradle-plugin-3.3.4.pom
> (com.gradle:gradle-enterprise-gradle-plugin:3.3.4) from repository Gradle
> Central Plugin Repository
> If the artifacts are trustworthy, you will need to update the
> gradle/verification-metadata.xml file by following the instructions at
> https://docs.gradle.org/6.5.1/userguide/dependency_verification.html#sec:troubleshooting-verification
>
> Open this report for more details:
> file:///home/amit/sandbox/ofbiz-framework/build/reports/dependency-verification/at-1614431781178/dependency-verification-report.html
>
> * Try:
> Run with --stacktrace option to get the stack trace. Run with --info or
> --debug option to get more log output. Run with --scan to get full insights.
>
> * Get more help at https://help.gradle.org
>
> BUILD FAILED in 7s
>
> Please let me know if anyone has any suggestions or inputs.
>
> On Tue, Feb 23, 2021 at 5:16 PM Jacques Le Roux <
> [hidden email]> wrote:
>
>> Forgot this one: https://central.sonatype.org/pages/ossrh-guide.html
>>
>> Le 23/02/2021 à 12:41, Jacques Le Roux a écrit :
>>> Hi Michael,
>>>
>>> Yes I see no other ways, not sure how to do it. I found :
>>>
>> https://discuss.gradle.org/t/host-gradle-wrapper-distributions-on-maven-central/543/2
>> https://stackoverflow.com/questions/42908823/publish-to-sonatype-using-new-gradle-plugin-maven-publish
>>> Jacques
>>>
>>> Le 23/02/2021 à 08:53, Michael Brohl a écrit :
>>>> Hi Jacques, all,
>>>>
>>>> we should try to publish the Gradle Wrapper to Maven Central, right?
>>>>
>>>> Regards,
>>>>
>>>> Michael Brohl
>>>>
>>>> ecomify GmbH - www.ecomify.de
>>>>
>>>>
>>>> Am 22.02.21 um 14:08 schrieb Jacques Le Roux:
>>>>> Hi,
>>>>>
>>>>> I created https://issues.apache.org/jira/browse/OFBIZ-12186 for that.
>> It's much more simple that I feared.
>>>>> I'll soon commit the attached verification-metadata.xml file there, if
>> nobody oppose.
>>>>> We will later need to update it when updating dependencies.
>>>>> So I'll also update
>> https://cwiki.apache.org/confluence/display/OFBIZ/About+OWASP+Dependency+Check
>>>>> As actually we no longer use OWASP+Dependency+Check (does not fit with
>> Gradle), we need to remove this page but keep the last section in a new
>>>>> page. With the switch from jcenter to Maven Central we also need to
>> modify this last section.
>>>>> We also need to update
>>>>>
>> https://cwiki.apache.org/confluence/display/OFBIZ/Release+Management+Guide+for+OFBiz
>> https://cwiki.apache.org/confluence/display/OFBIZ/Load+new+gradle+wrapper+version+on+bintray
>>>>> https://issues.apache.org/jira/browse/OFBIZ-10213
>>>>>
>>>>> I'll do so in relation, with OFBIZ-12186
>>>>>
>>>>> Jacques
>>>>>
>>>>> Le 13/02/2021 à 12:50, Jacques Le Roux a écrit :
>>>>>> Hi,
>>>>>>
>>>>>> I just read a members thread about this article:
>> https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610
>>>>>> One member mentioned that the Groovy project is using the Gradle's
>> dependency verification feature[1] in the Apache Groovy build.
>>>>>> I suggest we do the same, even after the move from JCenter to
>> MavenCentral where things should be safer.
>>>>>> What do you think?
>>>>>>
>>>>>> [1]
>> https://docs.gradle.org/current/userguide/dependency_verification.html <
>> https://docs.gradle.org/current/userguide/dependency_verification.html>
>>>>>> Jacques
>>>>>>
>