CWE-1104: Maven POM dependence upon Bintray/JCenter

2026-04-29 02:35:15 +02:00 · 2021-02-05 12:47:57 -05:00
parent 7fef1a8817
commit bfa9324266
7 changed files with 194 additions and 0 deletions
--- a/java/ql/test/query-tests/security/CWE-1104/semmle/tests/A.java
+++ b/java/ql/test/query-tests/security/CWE-1104/semmle/tests/A.java
@@ -0,0 +1,2 @@
+public class A {
+}
--- a/java/ql/test/query-tests/security/CWE-1104/semmle/tests/MavenPomDependsOnBintray.expected
+++ b/java/ql/test/query-tests/security/CWE-1104/semmle/tests/MavenPomDependsOnBintray.expected
@@ -0,0 +1,5 @@
+| bad-bintray-pom.xml:17:9:22:22 | repository | Downloading or uploading artifacts to depricated repository https://jcenter.bintray.com |
+| bad-bintray-pom.xml:23:9:28:30 | snapshotRepository | Downloading or uploading artifacts to depricated repository https://jcenter.bintray.com |
+| bad-bintray-pom.xml:31:9:36:22 | repository | Downloading or uploading artifacts to depricated repository https://jcenter.bintray.com |
+| bad-bintray-pom.xml:39:9:44:22 | repository | Downloading or uploading artifacts to depricated repository https://dl.bintray.com/groovy/maven |
+| bad-bintray-pom.xml:47:9:52:28 | pluginRepository | Downloading or uploading artifacts to depricated repository https://jcenter.bintray.com |
--- a/java/ql/test/query-tests/security/CWE-1104/semmle/tests/MavenPomDependsOnBintray.qlref
+++ b/java/ql/test/query-tests/security/CWE-1104/semmle/tests/MavenPomDependsOnBintray.qlref
@@ -0,0 +1 @@
+Security/CWE/CWE-1104/MavenPomDependsOnBintray.ql
--- a/java/ql/test/query-tests/security/CWE-1104/semmle/tests/bad-bintray-pom.xml
+++ b/java/ql/test/query-tests/security/CWE-1104/semmle/tests/bad-bintray-pom.xml
@@ -0,0 +1,54 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+
+    <modelVersion>4.0.0</modelVersion>
+
+    <groupId>com.semmle</groupId>
+    <artifactId>parent</artifactId>
+    <version>1.0</version>
+    <packaging>pom</packaging>
+
+    <name>Bintray Usage Testing</name>
+    <description>An example of using bintray as a repository</description>
+
+    <distributionManagement>
+        <repository>
+            <id>jcenter</id>
+            <name>JCenter</name>
+            <!-- BAD! Don't use JCenter -->
+            <url>https://jcenter.bintray.com</url>
+        </repository>
+        <snapshotRepository>
+            <id>jcenter-snapshots</id>
+            <name>JCenter</name>
+            <!-- BAD! Don't use JCenter -->
+            <url>https://jcenter.bintray.com</url>
+        </snapshotRepository>
+    </distributionManagement>
+    <repositories>
+        <repository>
+            <id>jcenter</id>
+            <name>JCenter</name>
+            <!-- BAD! Don't use JCenter -->
+            <url>https://jcenter.bintray.com</url>
+        </repository>
+    </repositories>
+    <repositories>
+        <repository>
+            <id>jcenter</id>
+            <name>JCenter</name>
+            <!-- BAD! Don't use Bintray -->
+            <url>https://dl.bintray.com/groovy/maven</url>
+        </repository>
+    </repositories>
+    <pluginRepositories>
+        <pluginRepository>
+            <id>jcenter-plugins</id>
+            <name>JCenter</name>
+            <!-- BAD! Don't use JCenter -->
+            <url>https://jcenter.bintray.com</url>
+        </pluginRepository>
+    </pluginRepositories>
+</project>
				`@@ -0,0 +1 @@`
				`Security/CWE/CWE-1104/MavenPomDependsOnBintray.ql`