[FOLIO-3044] https for http://maven.indexdata.com/ (MITM attack) Created: 01/Mar/21  Updated: 23/Apr/21  Resolved: 07/Apr/21

Status: Closed
Project: FOLIO
Components: None
Affects versions: None
Fix versions: None

Type: Bug
Priority: P3
Reporter: Julian Ladisch
Assignee: John Malconian
Resolution: Done
Votes: 0
Labels: security, security-reviewed
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original estimate: Not Specified

Issue links:
Blocks
blocks FOLIO-3045 Replace http by https in http://maven... Closed
Sprint: DevOps Sprint 111
Development Team: FOLIO DevOps

Description

http://maven.indexdata.com/ is flagged as vulnerable to a MITM attack by the GitHub CodeQL code scanner for failing to provide https (encryption):
https://github.com/folio-org/raml-module-builder/security/code-scanning

http://maven.indexdata.com/ is a public repository advertised on https://mvnrepository.com/repos/indexdata

RMB has a dependency on cql-java and downloads it from that repository: https://mvnrepository.com/artifact/org.z3950.zing/cql-java/1.13

A machine-in-the-middle attack can change the download to contain malware. Using https will prevent this.

The issue has been confirmed on Slack #devops-internal on December 8th, 2020.

Tasks:



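As an added illustration, not part of this issue or of the FOLIO/RMB code, the check below parses a pom.xml and lists every repository declared over plain http, which is the condition CodeQL flagged here. The POM content is constructed to mirror this issue (a repository at maven.indexdata.com), and the fixed variant differs only in the https scheme.

```python
import xml.etree.ElementTree as ET

# Constructed sample pom.xml modelled on this issue: a build that declares the
# Index Data repository over plain http next to an https plugin repository.
INSECURE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <repositories>
    <repository>
      <id>indexdata</id>
      <url>http://maven.indexdata.com/</url>
    </repository>
  </repositories>
  <pluginRepositories>
    <pluginRepository>
      <id>central</id>
      <url>https://repo.maven.apache.org/maven2/</url>
    </pluginRepository>
  </pluginRepositories>
</project>
"""

# The same POM after the fix: only the scheme of the repository URL changes.
FIXED_POM = INSECURE_POM.replace("http://maven.indexdata.com/", "https://maven.indexdata.com/")

NS = {"m": "http://maven.apache.org/POM/4.0.0"}
# Elements whose <url> decides where artifacts are downloaded from or uploaded to.
REPO_PATHS = [
    ".//m:repositories/m:repository",
    ".//m:pluginRepositories/m:pluginRepository",
    ".//m:distributionManagement/m:repository",
    ".//m:distributionManagement/m:snapshotRepository",
]

def find_plain_http_repos(pom_xml):
    """Return (id, url) pairs for every repository declared over unencrypted http."""
    root = ET.fromstring(pom_xml)
    findings = []
    for path in REPO_PATHS:
        for repo in root.findall(path, NS):
            url = repo.findtext("m:url", default="", namespaces=NS).strip()
            repo_id = repo.findtext("m:id", default="(no id)", namespaces=NS)
            # Only the scheme matters: a plain-http download can be altered in transit.
            if url.lower().startswith("http://"):
                findings.append((repo_id, url))
    return findings
```

Maven 3.8.1 and later refuse external http repositories by default through the maven-default-http-blocker mirror in the bundled settings.xml, but a POM-level check like this still catches the declaration before it reaches a build that runs with older or customised settings.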
Comments
Comment by John Malconian [ 07/Apr/21 ]

Julian Ladisch I've completed the first task. I'm not sure how to complete the second task (Publish the https URL on https://mvnrepository.com/repos/indexdata). Can you give me a hint?

Comment by Julian Ladisch [ 07/Apr/21 ]

Thank you for enabling public https access!

Regarding mvnrepository.com:

I don't see a way to update the URL on mvnrepository.com; the indexdata repository has probably been added using some method that became deprecated.

This issue can be closed as done.

Generated at Thu Feb 08 23:25:11 UTC 2024 using Jira 1001.0.0-SNAPSHOT#100246-sha1:7a5c50119eb0633d306e14180817ddef5e80c75d.