Merge pull request #2413 from JLLeitschuh/feature/JLL/maven_insecure_artifact_resolution

Java: Use of HTTP/FTP to download/upload Maven artifacts
2026-05-03 12:45:27 +02:00 · 2020-01-02 14:47:30 +01:00
parent 7e84453ec9 75939afe9c
commit 7e987c570f
9 changed files with 305 additions and 0 deletions
--- a/java/ql/test/query-tests/security/CWE-829/semmle/tests/A.java
+++ b/java/ql/test/query-tests/security/CWE-829/semmle/tests/A.java
@@ -0,0 +1,2 @@
+public class A {
+}
--- a/java/ql/test/query-tests/security/CWE-829/semmle/tests/InsecureDependencyResolution.expected
+++ b/java/ql/test/query-tests/security/CWE-829/semmle/tests/InsecureDependencyResolution.expected
@@ -0,0 +1,4 @@
+| insecure-pom.xml:19:9:24:22 | repository | Downloading or uploading artifacts over insecure protocol (eg. http or ftp) to/from repository http://insecure-repository.example |
+| insecure-pom.xml:25:9:30:30 | snapshotRepository | Downloading or uploading artifacts over insecure protocol (eg. http or ftp) to/from repository http://insecure-repository.example |
+| insecure-pom.xml:33:9:38:22 | repository | Downloading or uploading artifacts over insecure protocol (eg. http or ftp) to/from repository http://insecure-repository.example |
+| insecure-pom.xml:41:9:46:28 | pluginRepository | Downloading or uploading artifacts over insecure protocol (eg. http or ftp) to/from repository http://insecure-repository.example |
--- a/java/ql/test/query-tests/security/CWE-829/semmle/tests/InsecureDependencyResolution.qlref
+++ b/java/ql/test/query-tests/security/CWE-829/semmle/tests/InsecureDependencyResolution.qlref
@@ -0,0 +1 @@
+Security/CWE/CWE-829/InsecureDependencyResolution.ql
--- a/java/ql/test/query-tests/security/CWE-829/semmle/tests/insecure-pom.xml
+++ b/java/ql/test/query-tests/security/CWE-829/semmle/tests/insecure-pom.xml
@@ -0,0 +1,48 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+
+    <!-- Duplicated in java/ql/src/Security/CWE/CWE-829/insecure-pom.xml -->
+
+    <modelVersion>4.0.0</modelVersion>
+
+    <groupId>com.semmle</groupId>
+    <artifactId>parent</artifactId>
+    <version>1.0</version>
+    <packaging>pom</packaging>
+
+    <name>Security Testing</name>
+    <description>An example of insecure download and upload of dependencies</description>
+
+    <distributionManagement>
+        <repository>
+            <id>insecure-releases</id>
+            <name>Insecure Repository Releases</name>
+            <!-- BAD! Use HTTPS -->
+            <url>http://insecure-repository.example</url>
+        </repository>
+        <snapshotRepository>
+            <id>insecure-snapshots</id>
+            <name>Insecure Repository Snapshots</name>
+            <!-- BAD! Use HTTPS -->
+            <url>http://insecure-repository.example</url>
+        </snapshotRepository>
+    </distributionManagement>
+    <repositories>
+        <repository>
+            <id>insecure</id>
+            <name>Insecure Repository</name>
+            <!-- BAD! Use HTTPS -->
+            <url>http://insecure-repository.example</url>
+        </repository>
+    </repositories>
+    <pluginRepositories>
+        <pluginRepository>
+            <id>insecure-plugins</id>
+            <name>Insecure Repository Releases</name>
+            <!-- BAD! Use HTTPS -->
+            <url>http://insecure-repository.example</url>
+        </pluginRepository>
+    </pluginRepositories>
+</project>
--- a/java/ql/test/query-tests/security/CWE-829/semmle/tests/secure-pom.xml
+++ b/java/ql/test/query-tests/security/CWE-829/semmle/tests/secure-pom.xml
@@ -0,0 +1,48 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+
+    <!-- Duplicated in java/ql/src/Security/CWE/CWE-829/secure-pom.xml -->
+
+    <modelVersion>4.0.0</modelVersion>
+
+    <groupId>com.semmle</groupId>
+    <artifactId>parent</artifactId>
+    <version>1.0</version>
+    <packaging>pom</packaging>
+
+    <name>Security Testing</name>
+    <description>An example of secure download and upload of dependencies</description>
+
+    <distributionManagement>
+        <repository>
+            <id>insecure-releases</id>
+            <name>Secure Repository Releases</name>
+            <!-- GOOD! Use HTTPS -->
+            <url>https://insecure-repository.example</url>
+        </repository>
+        <snapshotRepository>
+            <id>insecure-snapshots</id>
+            <name>Secure Repository Snapshots</name>
+            <!-- GOOD! Use HTTPS -->
+            <url>https://insecure-repository.example</url>
+        </snapshotRepository>
+    </distributionManagement>
+    <repositories>
+        <repository>
+            <id>insecure</id>
+            <name>Secure Repository</name>
+            <!-- GOOD! Use HTTPS -->
+            <url>https://insecure-repository.example</url>
+        </repository>
+    </repositories>
+    <pluginRepositories>
+        <pluginRepository>
+            <id>insecure-plugins</id>
+            <name>Secure Repository Releases</name>
+            <!-- GOOD! Use HTTPS -->
+            <url>https://insecure-repository.example</url>
+        </pluginRepository>
+    </pluginRepositories>
+</project>
				`@@ -0,0 +1 @@`
				`Security/CWE/CWE-829/InsecureDependencyResolution.ql`