[FOLIO-3106] Update Index Data maven repo url
Created: 07/Apr/21
Updated: 21/Jun/21
Resolved: 11/Jun/21

Status: Closed
Project: FOLIO
Components: None
Affects versions: None
Fix versions: None

Type: Task
Priority: P2
Reporter: Adam Dickmeiss
Assignee: Adam Dickmeiss
Resolution: Done
Votes: 0
Labels: security, security-reviewed
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original estimate: Not Specified

Issue links:
Relates
relates to FOLIO-3045 Replace http by https in http://maven... Closed
relates to FOLIO-3131 Use https for maven.k-int.com Closed
relates to MODCPCT-28 Update maven.indexdata.com url Closed
relates to MODINV-430 Update dependencies to replace http b... Closed
relates to RMB-823 Update maven.indexdata.com url Closed
Sprint:
Development Team: None

 Description   

Starting with Maven 3.8.1, http-based Maven repositories are unsupported.

 

This is a problem for projects using http://maven.indexdata.com . They should use https://maven.indexdata.com (which is accessible from today)

 

https://maven.apache.org/docs/3.8.1/release-notes.html#cve-2021-26291

This Maven MitM attack has been well known since 2019:
https://github.com/github/securitylab/issues/21 "Java (Maven): Use of insecure protocol to download/upload artifacts"



 Comments   
Comment by Peter Murray [ 12/Apr/21 ]

Hey, Adam—I think this was fixed last week. Can you verify?

Comment by Julian Ladisch [ 11/Jun/21 ]

All issues have been fixed:
https://github.com/search?q=org%3Afolio-org+%22http%3A%2F%2Fmaven.indexdata.com%22&type=Code

The two remaining repositories have been archived, are no longer used and thus don't need a fix:
https://github.com/folio-org/okapi-debian/blob/d7f6058f93f08d85e2681a86a44c9f60588eea9f/pom.xml#L136
https://github.com/folio-org/cql2pgjson-java/blob/c1eafb09a6550f8b315a6382d492044a5d5ba253/cql2pgjson/pom.xml#L31

Generated at Thu Feb 08 23:25:39 UTC 2024 using Jira 1001.0.0-SNAPSHOT#100246-sha1:7a5c50119eb0633d306e14180817ddef5e80c75d.