[FOLIO-3044] https for http://maven.indexdata.com/ (MITM attack)
Created: 01/Mar/21 Updated: 23/Apr/21 Resolved: 07/Apr/21

| Status: | Closed |
| Project: | FOLIO |
| Components: | None |
| Affects versions: | None |
| Fix versions: | None |
| Type: | Bug |
| Priority: | P3 |
| Reporter: | Julian Ladisch |
| Assignee: | John Malconian |
| Resolution: | Done |
| Votes: | 0 |
| Labels: | security, security-reviewed |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original estimate: | Not Specified |
| Issue links: | |
| Sprint: | DevOps Sprint 111 |
| Development Team: | FOLIO DevOps |

Description
http://maven.indexdata.com/ is flagged as vulnerable to a MITM attack by the GitHub CodeQL code scanner for failing to provide https (encryption).

http://maven.indexdata.com/ is a public repository advertised on https://mvnrepository.com/repos/indexdata. RMB has a dependency on cql-java and downloads it from that repository: https://mvnrepository.com/artifact/org.z3950.zing/cql-java/1.13

A machine-in-the-middle attack can change the download to contain malware. Using https will prevent this.

The issue has been confirmed on Slack #devops-internal on December 8th, 2020.

Tasks:
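The weakness the ticket describes is a build-time dependency fetched over plain http, which a network attacker can alter in transit. The following checker is an added example, not code from the FOLIO ticket or the RMB project: it parses a pom.xml and reports every `<repository>` or `<pluginRepository>` whose URL is not https, together with the https URL the declaration should use instead. The pom.xml it scans is constructed for illustration; only the repository URL and the cql-java coordinates come from the ticket, everything else (artifact names, ids) is assumed.

```python
"""Flag Maven repositories declared over plain http in a pom.xml.

Added example, not part of the FOLIO ticket or the RMB project. The
pom.xml below is constructed: the repository URL and the cql-java
coordinates are taken from the ticket, all other values are assumed.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List
from urllib.parse import urlparse, urlunparse

# Constructed sample pom.xml: two plain-http declarations (the ticket's
# case) and one https repository for contrast.
SAMPLE_POM = """<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>org.example</groupId>
  <artifactId>rmb-consumer</artifactId>
  <version>1.0.0</version>
  <repositories>
    <repository>
      <id>indexdata</id>
      <url>http://maven.indexdata.com/</url>
    </repository>
    <repository>
      <id>central</id>
      <url>https://repo.maven.apache.org/maven2/</url>
    </repository>
  </repositories>
  <pluginRepositories>
    <pluginRepository>
      <id>indexdata-plugins</id>
      <url>http://maven.indexdata.com/</url>
    </pluginRepository>
  </pluginRepositories>
  <dependencies>
    <dependency>
      <groupId>org.z3950.zing</groupId>
      <artifactId>cql-java</artifactId>
      <version>1.13</version>
    </dependency>
  </dependencies>
</project>
"""


def _local(tag: str) -> str:
    """Strip the XML namespace prefix ({uri}name -> name) from an element tag."""
    return tag.rsplit("}", 1)[-1]


def find_plain_http_repositories(pom_xml: str) -> List[Dict[str, str]]:
    """Return every repository/pluginRepository whose URL is not https.

    Each finding carries the repository id, the element kind, the offending
    URL and the https URL that should replace it.
    """
    root = ET.fromstring(pom_xml)
    findings: List[Dict[str, str]] = []
    for elem in root.iter():
        kind = _local(elem.tag)
        if kind not in ("repository", "pluginRepository"):
            continue
        url_elem = next((c for c in elem if _local(c.tag) == "url"), None)
        id_elem = next((c for c in elem if _local(c.tag) == "id"), None)
        if url_elem is None or not (url_elem.text or "").strip():
            continue
        url = url_elem.text.strip()
        parsed = urlparse(url)
        # Only https protects the artifact in transit; plain http is the
        # case the ticket reports, but any other scheme is flagged too.
        if parsed.scheme.lower() == "https":
            continue
        findings.append({
            "id": (id_elem.text or "").strip() if id_elem is not None else "",
            "kind": kind,
            "url": url,
            "recommended": urlunparse(parsed._replace(scheme="https")),
        })
    return findings


if __name__ == "__main__":
    for f in find_plain_http_repositories(SAMPLE_POM):
        print(f"{f['kind']} '{f['id']}': {f['url']} -> use {f['recommended']}")
```

Run against the sample, the checker reports both indexdata declarations and leaves the https repository alone. Repositories can also be declared in `~/.m2/settings.xml` (profiles and mirrors), so a real audit scans those files too; note that Maven 3.8.1 and later ship a default `maven-default-http-blocker` mirror that refuses plain-http repositories outright, which is the same control applied by the build tool rather than by a separate check.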
Comments

Comment by John Malconian [ 07/Apr/21 ]

Julian Ladisch, I've completed the first task. I'm not sure how to complete the second task (Publish the https URL on https://mvnrepository.com/repos/indexdata). Can you give me a hint?
Comment by Julian Ladisch [ 07/Apr/21 ]

Thank you for enabling public https access! Regarding mvnrepository.com:
I don't see a way to update the URL on mvnrepository.com; the indexdata repository has probably been added using some method that has since been deprecated. This issue can be closed as done.