From bfa93242669803fb000f2e54b3469649852dfbe4 Mon Sep 17 00:00:00 2001
From: Jonathan Leitschuh
Date: Fri, 5 Feb 2021 12:47:57 -0500
Subject: [PATCH 01/11] CWE-1104: Maven POM dependence upon Bintray/JCenter
---
.../CWE-1104/MavenPomDependsOnBintray.qhelp | 45 ++++++++++++++++
.../CWE/CWE-1104/MavenPomDependsOnBintray.ql | 33 ++++++++++++
.../Security/CWE/CWE-1104/bad-bintray-pom.xml | 54 +++++++++++++++++++
.../security/CWE-1104/semmle/tests/A.java | 2 +
.../tests/MavenPomDependsOnBintray.expected | 5 ++
.../tests/MavenPomDependsOnBintray.qlref | 1 +
.../CWE-1104/semmle/tests/bad-bintray-pom.xml | 54 +++++++++++++++++++
7 files changed, 194 insertions(+)
create mode 100644 java/ql/src/Security/CWE/CWE-1104/MavenPomDependsOnBintray.qhelp
create mode 100644 java/ql/src/Security/CWE/CWE-1104/MavenPomDependsOnBintray.ql
create mode 100644 java/ql/src/Security/CWE/CWE-1104/bad-bintray-pom.xml
create mode 100644 java/ql/test/query-tests/security/CWE-1104/semmle/tests/A.java
create mode 100644 java/ql/test/query-tests/security/CWE-1104/semmle/tests/MavenPomDependsOnBintray.expected
create mode 100644 java/ql/test/query-tests/security/CWE-1104/semmle/tests/MavenPomDependsOnBintray.qlref
create mode 100644 java/ql/test/query-tests/security/CWE-1104/semmle/tests/bad-bintray-pom.xml
diff --git a/java/ql/src/Security/CWE/CWE-1104/MavenPomDependsOnBintray.qhelp b/java/ql/src/Security/CWE/CWE-1104/MavenPomDependsOnBintray.qhelp
new file mode 100644
index 00000000000..08f9ccb6ac8
--- /dev/null
+++ b/java/ql/src/Security/CWE/CWE-1104/MavenPomDependsOnBintray.qhelp
@@ -0,0 +1,45 @@
+
+
+
+Bintray and JCenter are shutting down on May 1st, 20201.
+Relying upon repositories that are deprecated or slated to be shutdown can have unintended consequences;
+for example, artifacts being resolved from different artifact server or total breakage of the CI build.
+
+When artifact repositories are left unmaintained for a long period of time, vulnerabilities may emerge.
+Theoretically, this could allow attackers to inject malicious code into the artifacts that you are resolving and infect build artifacts
+that are being produced. This can be used by attackers to perform a
+Supply chain attack
+against your project's users.
+
+
+
+
+
+Always use the cononical repository for resolving your dependencies.
+
+
+
+
+
+This examples show examples of locations in Maven POM files where artifact repository upload/download is configured.
+The use of Bintray in any of these locaitons is not advised.
+
+
+
+
+
+
+
+ Blog:
+
+ Into the Sunset on May 1st: Bintray, JCenter, GoCenter, and ChartCenter
+
+
+
+
+
+
+
diff --git a/java/ql/src/Security/CWE/CWE-1104/MavenPomDependsOnBintray.ql b/java/ql/src/Security/CWE/CWE-1104/MavenPomDependsOnBintray.ql
new file mode 100644
index 00000000000..1195ca970fa
--- /dev/null
+++ b/java/ql/src/Security/CWE/CWE-1104/MavenPomDependsOnBintray.ql
@@ -0,0 +1,33 @@
+/**
+ * @name Depending upon JCenter/Bintray as an artifact repository
+ * @description JCenter & Bintray are deprecated
+ * @kind problem
+ * @problem.severity error
+ * @precision very-high
+ * @id java/maven/dependency-upon-bintray
+ * @tags security
+ * external/cwe/cwe-1104
+ */
+
+import java
+import semmle.code.xml.MavenPom
+
+private class DeclaredRepository extends PomElement {
+ DeclaredRepository() {
+ this.getName() = "repository" or
+ this.getName() = "snapshotRepository" or
+ this.getName() = "pluginRepository"
+ }
+
+ string getUrl() { result = getAChild("url").(PomElement).getValue() }
+
+ predicate isBintrayRepositoryUsage() {
+ getUrl().matches("%.bintray.com%")
+ }
+}
+
+from DeclaredRepository repository
+where repository.isBintrayRepositoryUsage()
+select repository,
+ "Downloading or uploading artifacts to deprecated repository " +
+ repository.getUrl()
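Review bot: The check in `isBintrayRepositoryUsage`, `getUrl().matches("%.bintray.com%")`, is a substring test over the whole URL rather than a test of its host, which is loose for a query declared `@precision very-high`. It reports any URL that merely contains `.bintray.com` in its path or query string, and, since `matches` appears to be case-sensitive, it would skip a host written in upper case or the bare `bintray.com` domain. Matching on the host part would be tighter, for example `getUrl().regexpMatch("(?i)^\\w+://([^/?#]*\\.)?bintray\\.com([:/?#].*)?")`; whether the bare domain should count is for the author to decide. The same pattern is carried over unchanged into the top-level predicate introduced in PATCH 05/11.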
diff --git a/java/ql/src/Security/CWE/CWE-1104/bad-bintray-pom.xml b/java/ql/src/Security/CWE/CWE-1104/bad-bintray-pom.xml
new file mode 100644
index 00000000000..d250f86467f
--- /dev/null
+++ b/java/ql/src/Security/CWE/CWE-1104/bad-bintray-pom.xml
@@ -0,0 +1,54 @@
+
+
+
+ 4.0.0
+
+ com.semmle
+ parent
+ 1.0
+ pom
+
+ Bintray Usage
+ An example of using bintray to download and upload dependencies
+
+
+
+ jcenter
+ JCenter
+
+ https://jcenter.bintray.com
+
+
+ jcenter-snapshots
+ JCenter
+
+ https://jcenter.bintray.com
+
+
+
+
+ jcenter
+ JCenter
+
+ https://jcenter.bintray.com
+
+
+
+
+ jcenter
+ JCenter
+
+ https://dl.bintray.com/groovy/maven
+
+
+
+
+ jcenter-plugins
+ JCenter
+
+ https://jcenter.bintray.com
+
+
+
diff --git a/java/ql/test/query-tests/security/CWE-1104/semmle/tests/A.java b/java/ql/test/query-tests/security/CWE-1104/semmle/tests/A.java
new file mode 100644
index 00000000000..f7e8cc3b903
--- /dev/null
+++ b/java/ql/test/query-tests/security/CWE-1104/semmle/tests/A.java
@@ -0,0 +1,2 @@
+public class A {
+}
diff --git a/java/ql/test/query-tests/security/CWE-1104/semmle/tests/MavenPomDependsOnBintray.expected b/java/ql/test/query-tests/security/CWE-1104/semmle/tests/MavenPomDependsOnBintray.expected
new file mode 100644
index 00000000000..703df9b9a52
--- /dev/null
+++ b/java/ql/test/query-tests/security/CWE-1104/semmle/tests/MavenPomDependsOnBintray.expected
@@ -0,0 +1,5 @@
+| bad-bintray-pom.xml:17:9:22:22 | repository | Downloading or uploading artifacts to depricated repository https://jcenter.bintray.com |
+| bad-bintray-pom.xml:23:9:28:30 | snapshotRepository | Downloading or uploading artifacts to depricated repository https://jcenter.bintray.com |
+| bad-bintray-pom.xml:31:9:36:22 | repository | Downloading or uploading artifacts to depricated repository https://jcenter.bintray.com |
+| bad-bintray-pom.xml:39:9:44:22 | repository | Downloading or uploading artifacts to depricated repository https://dl.bintray.com/groovy/maven |
+| bad-bintray-pom.xml:47:9:52:28 | pluginRepository | Downloading or uploading artifacts to depricated repository https://jcenter.bintray.com |
diff --git a/java/ql/test/query-tests/security/CWE-1104/semmle/tests/MavenPomDependsOnBintray.qlref b/java/ql/test/query-tests/security/CWE-1104/semmle/tests/MavenPomDependsOnBintray.qlref
new file mode 100644
index 00000000000..9f05b219bfe
--- /dev/null
+++ b/java/ql/test/query-tests/security/CWE-1104/semmle/tests/MavenPomDependsOnBintray.qlref
@@ -0,0 +1 @@
+Security/CWE/CWE-1104/MavenPomDependsOnBintray.ql
diff --git a/java/ql/test/query-tests/security/CWE-1104/semmle/tests/bad-bintray-pom.xml b/java/ql/test/query-tests/security/CWE-1104/semmle/tests/bad-bintray-pom.xml
new file mode 100644
index 00000000000..7e133256428
--- /dev/null
+++ b/java/ql/test/query-tests/security/CWE-1104/semmle/tests/bad-bintray-pom.xml
@@ -0,0 +1,54 @@
+
+
+
+ 4.0.0
+
+ com.semmle
+ parent
+ 1.0
+ pom
+
+ Bintray Usage Testing
+ An example of using bintray as a repository
+
+
+
+ jcenter
+ JCenter
+
+ https://jcenter.bintray.com
+
+
+ jcenter-snapshots
+ JCenter
+
+ https://jcenter.bintray.com
+
+
+
+
+ jcenter
+ JCenter
+
+ https://jcenter.bintray.com
+
+
+
+
+ jcenter
+ JCenter
+
+ https://dl.bintray.com/groovy/maven
+
+
+
+
+ jcenter-plugins
+ JCenter
+
+ https://jcenter.bintray.com
+
+
+
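Review bot: Every repository URL in this fixture is a Bintray host (`https://jcenter.bintray.com` four times and `https://dl.bintray.com/groovy/maven` once), so the test only shows that the query fires and never that it stays quiet. For a query marked `@precision very-high` I would add at least one declaration that must not be reported, such as `<repository><id>central</id><url>https://repo.maven.apache.org/maven2</url></repository>`, and leave the `.expected` file at five rows. A second negative entry whose URL contains `bintray.com` only in its path would pin down how the match is meant to behave.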
From f00b0baaea2a5fb507237187004659fbe972cbb1 Mon Sep 17 00:00:00 2001
From: Jonathan Leitschuh
Date: Fri, 5 Feb 2021 16:31:37 -0500
Subject: [PATCH 02/11] Update
java/ql/src/Security/CWE/CWE-1104/MavenPomDependsOnBintray.qhelp
Co-authored-by: intrigus-lgtm <60750685+intrigus-lgtm@users.noreply.github.com>
---
.../ql/src/Security/CWE/CWE-1104/MavenPomDependsOnBintray.qhelp | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/java/ql/src/Security/CWE/CWE-1104/MavenPomDependsOnBintray.qhelp b/java/ql/src/Security/CWE/CWE-1104/MavenPomDependsOnBintray.qhelp
index 08f9ccb6ac8..9b0330c2446 100644
--- a/java/ql/src/Security/CWE/CWE-1104/MavenPomDependsOnBintray.qhelp
+++ b/java/ql/src/Security/CWE/CWE-1104/MavenPomDependsOnBintray.qhelp
@@ -3,7 +3,7 @@
"qhelp.dtd">
-Bintray and JCenter are shutting down on May 1st, 20201.
+
Bintray and JCenter are shutting down on May 1st, 2021.
Relying upon repositories that are deprecated or slated to be shutdown can have unintended consequences;
for example, artifacts being resolved from different artifact server or total breakage of the CI build.
From 49985a77e34824e47a1411f7aa09833263161a9d Mon Sep 17 00:00:00 2001
From: Jonathan Leitschuh
Date: Wed, 10 Feb 2021 10:51:37 -0500
Subject: [PATCH 03/11] Apply suggestions from code review
Co-authored-by: Marcono1234
Co-authored-by: Owen Mansel-Chan <62447351+owen-mc@users.noreply.github.com>
---
.../CWE/CWE-1104/MavenPomDependsOnBintray.qhelp | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/java/ql/src/Security/CWE/CWE-1104/MavenPomDependsOnBintray.qhelp b/java/ql/src/Security/CWE/CWE-1104/MavenPomDependsOnBintray.qhelp
index 9b0330c2446..43d9c896099 100644
--- a/java/ql/src/Security/CWE/CWE-1104/MavenPomDependsOnBintray.qhelp
+++ b/java/ql/src/Security/CWE/CWE-1104/MavenPomDependsOnBintray.qhelp
@@ -10,21 +10,21 @@ for example, artifacts being resolved from different artifact server or total br
When artifact repositories are left unmaintained for a long period of time, vulnerabilities may emerge.
Theoretically, this could allow attackers to inject malicious code into the artifacts that you are resolving and infect build artifacts
that are being produced. This can be used by attackers to perform a
-Supply chain attack
+supply chain attack
against your project's users.
-Always use the cononical repository for resolving your dependencies.
+Always use the canonical repository for resolving your dependencies.
-This examples show examples of locations in Maven POM files where artifact repository upload/download is configured.
-The use of Bintray in any of these locaitons is not advised.
+
The following example shows locations in a Maven POM file where artifact repository upload/download is configured.
+The use of Bintray in any of these locations is not advised.
@@ -32,7 +32,7 @@ The use of Bintray in any of these locaitons is not advised.
- Blog:
+ JFrog blog:
Into the Sunset on May 1st: Bintray, JCenter, GoCenter, and ChartCenter
From 21b6f35ddc9006f2e6c142edeb495293ea3d2cc8 Mon Sep 17 00:00:00 2001
From: Jonathan Leitschuh
Date: Wed, 10 Feb 2021 10:52:27 -0500
Subject: [PATCH 04/11] Update
java/ql/src/Security/CWE/CWE-1104/MavenPomDependsOnBintray.qhelp
---
.../ql/src/Security/CWE/CWE-1104/MavenPomDependsOnBintray.qhelp | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/java/ql/src/Security/CWE/CWE-1104/MavenPomDependsOnBintray.qhelp b/java/ql/src/Security/CWE/CWE-1104/MavenPomDependsOnBintray.qhelp
index 43d9c896099..0b19a955a5d 100644
--- a/java/ql/src/Security/CWE/CWE-1104/MavenPomDependsOnBintray.qhelp
+++ b/java/ql/src/Security/CWE/CWE-1104/MavenPomDependsOnBintray.qhelp
@@ -3,7 +3,7 @@
"qhelp.dtd">
-Bintray and JCenter are shutting down on May 1st, 2021.
+
Bintray and JCenter are shutting down on February 1st, 2022.
Relying upon repositories that are deprecated or slated to be shutdown can have unintended consequences;
for example, artifacts being resolved from different artifact server or total breakage of the CI build.
From 3b92f97967a515bfd0270783f8bc148bbd772eac Mon Sep 17 00:00:00 2001
From: Jonathan Leitschuh
Date: Wed, 10 Feb 2021 11:41:50 -0500
Subject: [PATCH 05/11] Refactor DeclaredRepository to library
---
.../CWE/CWE-1104/MavenPomDependsOnBintray.ql | 19 ++++---------------
.../CWE-829/InsecureDependencyResolution.ql | 16 +++-------------
java/ql/src/semmle/code/xml/MavenPom.qll | 11 +++++++++++
3 files changed, 18 insertions(+), 28 deletions(-)
diff --git a/java/ql/src/Security/CWE/CWE-1104/MavenPomDependsOnBintray.ql b/java/ql/src/Security/CWE/CWE-1104/MavenPomDependsOnBintray.ql
index 1195ca970fa..5f6a0834428 100644
--- a/java/ql/src/Security/CWE/CWE-1104/MavenPomDependsOnBintray.ql
+++ b/java/ql/src/Security/CWE/CWE-1104/MavenPomDependsOnBintray.ql
@@ -12,22 +12,11 @@
import java
import semmle.code.xml.MavenPom
-private class DeclaredRepository extends PomElement {
- DeclaredRepository() {
- this.getName() = "repository" or
- this.getName() = "snapshotRepository" or
- this.getName() = "pluginRepository"
- }
-
- string getUrl() { result = getAChild("url").(PomElement).getValue() }
-
- predicate isBintrayRepositoryUsage() {
- getUrl().matches("%.bintray.com%")
- }
+predicate isBintrayRepositoryUsage(DeclaredRepository repository) {
+ repository.getUrl().matches("%.bintray.com%")
}
from DeclaredRepository repository
-where repository.isBintrayRepositoryUsage()
+where isBintrayRepositoryUsage(repository)
select repository,
- "Downloading or uploading artifacts to deprecated repository " +
- repository.getUrl()
+ "Downloading or uploading artifacts to deprecated repository " + repository.getUrl()
diff --git a/java/ql/src/Security/CWE/CWE-829/InsecureDependencyResolution.ql b/java/ql/src/Security/CWE/CWE-829/InsecureDependencyResolution.ql
index 3899c48cf04..50c2dc1e05e 100644
--- a/java/ql/src/Security/CWE/CWE-829/InsecureDependencyResolution.ql
+++ b/java/ql/src/Security/CWE/CWE-829/InsecureDependencyResolution.ql
@@ -15,22 +15,12 @@
import java
import semmle.code.xml.MavenPom
-private class DeclaredRepository extends PomElement {
- DeclaredRepository() {
- this.getName() = "repository" or
- this.getName() = "snapshotRepository" or
- this.getName() = "pluginRepository"
- }
-
- string getUrl() { result = getAChild("url").(PomElement).getValue() }
-
- predicate isInsecureRepositoryUsage() {
- getUrl().regexpMatch("(?i)^(http|ftp)://(?!localhost[:/]).*")
- }
+predicate isInsecureRepositoryUsage(DeclaredRepository repository) {
+ repository.getUrl().regexpMatch("(?i)^(http|ftp)://(?!localhost[:/]).*")
}
from DeclaredRepository repository
-where repository.isInsecureRepositoryUsage()
+where isInsecureRepositoryUsage(repository)
select repository,
"Downloading or uploading artifacts over insecure protocol (eg. http or ftp) to/from repository " +
repository.getUrl()
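Review bot: `isInsecureRepositoryUsage` becomes a top-level predicate here without any QLDoc, and the one non-obvious part of its regex, the `(?!localhost[:/])` exemption, is explained nowhere in the hunk. I would add a comment above it along the lines of `/** Holds if the URL of repository uses http or ftp and its host is not localhost. */` and mark the predicate `private`, since nothing outside this query uses it. The comment should also state that only the literal name `localhost` followed by `:` or `/` is exempt, so a loopback address such as `127.0.0.1` is still reported; that may be intended but is worth stating.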
diff --git a/java/ql/src/semmle/code/xml/MavenPom.qll b/java/ql/src/semmle/code/xml/MavenPom.qll
index 0a545c0bc99..d3285c9fdcb 100644
--- a/java/ql/src/semmle/code/xml/MavenPom.qll
+++ b/java/ql/src/semmle/code/xml/MavenPom.qll
@@ -365,6 +365,17 @@ class PomProperty extends PomElement {
PomProperty() { getParent() instanceof PomProperties }
}
+/**
+ * A repository block inside of a maven pom.
+ */
+class DeclaredRepository extends PomElement {
+ DeclaredRepository() {
+ this.getName() = ["repository", "snapshotRepository", "pluginRepository"]
+ }
+
+ string getUrl() { result = getAChild("url").(PomElement).getValue() }
+}
+
/**
* A folder that represents a maven local repository using the standard layout. Any folder called
* "repository" with a parent name ".m2" is considered to be a maven repository.
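Review bot: `DeclaredRepository.getUrl()` is now shared library API behind two security queries, yet it returns `getValue()` of the `url` child as written. A repository whose URL is a property reference such as `${repo.url}` would therefore presumably match neither the Bintray pattern nor the http/ftp regex; this is inferred from the hunk, as `getValue()` is defined outside it. If the library has a way to resolve POM properties, it should be applied here; otherwise state the limit in the QLDoc, for example `/** Gets the literal text of the url child of this repository; property placeholders are not resolved. */`. The class is complete within the hunk, and the trailing comment lines belong to the next declaration.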
From 35e2ceba137b5735686a99699ebef888c01497ba Mon Sep 17 00:00:00 2001
From: Jonathan Leitschuh
Date: Thu, 11 Feb 2021 08:59:02 -0500
Subject: [PATCH 06/11] Update java/ql/src/semmle/code/xml/MavenPom.qll
Co-authored-by: Marcono1234
---
java/ql/src/semmle/code/xml/MavenPom.qll | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/java/ql/src/semmle/code/xml/MavenPom.qll b/java/ql/src/semmle/code/xml/MavenPom.qll
index d3285c9fdcb..0b7b8516dbb 100644
--- a/java/ql/src/semmle/code/xml/MavenPom.qll
+++ b/java/ql/src/semmle/code/xml/MavenPom.qll
@@ -366,7 +366,7 @@ class PomProperty extends PomElement {
}
/**
- * A repository block inside of a maven pom.
+ * An XML element representing any kind of repository declared inside of a Maven POM XML file.
*/
class DeclaredRepository extends PomElement {
DeclaredRepository() {
From 73fba3a3c0af769922049f3029476b35b1032465 Mon Sep 17 00:00:00 2001
From: Jonathan Leitschuh
Date: Mon, 15 Feb 2021 10:01:03 -0500
Subject: [PATCH 07/11] Apply suggestions from code review
Co-authored-by: Felicity Chapman
---
.../src/Security/CWE/CWE-1104/MavenPomDependsOnBintray.qhelp | 4 ++--
java/ql/src/Security/CWE/CWE-1104/MavenPomDependsOnBintray.ql | 2 +-
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/java/ql/src/Security/CWE/CWE-1104/MavenPomDependsOnBintray.qhelp b/java/ql/src/Security/CWE/CWE-1104/MavenPomDependsOnBintray.qhelp
index 0b19a955a5d..dc3ffdd86d4 100644
--- a/java/ql/src/Security/CWE/CWE-1104/MavenPomDependsOnBintray.qhelp
+++ b/java/ql/src/Security/CWE/CWE-1104/MavenPomDependsOnBintray.qhelp
@@ -4,8 +4,8 @@
Bintray and JCenter are shutting down on February 1st, 2022.
-Relying upon repositories that are deprecated or slated to be shutdown can have unintended consequences;
-for example, artifacts being resolved from different artifact server or total breakage of the CI build.
+Relying upon repositories that are deprecated or scheduled to be shutdown can have unintended consequences;
+for example, artifacts being resolved from a different artifact server or a total failure of the CI build.
When artifact repositories are left unmaintained for a long period of time, vulnerabilities may emerge.
Theoretically, this could allow attackers to inject malicious code into the artifacts that you are resolving and infect build artifacts
diff --git a/java/ql/src/Security/CWE/CWE-1104/MavenPomDependsOnBintray.ql b/java/ql/src/Security/CWE/CWE-1104/MavenPomDependsOnBintray.ql
index 5f6a0834428..936da80a9d9 100644
--- a/java/ql/src/Security/CWE/CWE-1104/MavenPomDependsOnBintray.ql
+++ b/java/ql/src/Security/CWE/CWE-1104/MavenPomDependsOnBintray.ql
@@ -1,6 +1,6 @@
/**
* @name Depending upon JCenter/Bintray as an artifact repository
- * @description JCenter & Bintray are deprecated
+ * @description Using a deprecated artifact repository may eventually give attackers access for a supply chain attack.
* @kind problem
* @problem.severity error
* @precision very-high
From a8167c6c9cd0bc9953fedb0c2a6c995bb8db80c2 Mon Sep 17 00:00:00 2001
From: Jonathan Leitschuh
Date: Tue, 16 Feb 2021 11:21:19 -0500
Subject: [PATCH 08/11] Add docstring for DeclaredRepository.getUrl
---
java/ql/src/semmle/code/xml/MavenPom.qll | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/java/ql/src/semmle/code/xml/MavenPom.qll b/java/ql/src/semmle/code/xml/MavenPom.qll
index f8cfceaa4a4..ecfc2c7855e 100644
--- a/java/ql/src/semmle/code/xml/MavenPom.qll
+++ b/java/ql/src/semmle/code/xml/MavenPom.qll
@@ -376,6 +376,10 @@ class DeclaredRepository extends PomElement {
this.getName() = ["repository", "snapshotRepository", "pluginRepository"]
}
+ /**
+ * Gets the url for this repository. If the `url` tag is present, this will
+ * be the string contents of that tag.
+ */
string getUrl() { result = getAChild("url").(PomElement).getValue() }
}
From c43765917f9994e041d5d6607703799d4ab9ebb9 Mon Sep 17 00:00:00 2001
From: Jonathan Leitschuh
Date: Wed, 17 Feb 2021 11:55:10 -0500
Subject: [PATCH 09/11] Fix formatting of MavenPom.qll
---
java/ql/src/semmle/code/xml/MavenPom.qll | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/java/ql/src/semmle/code/xml/MavenPom.qll b/java/ql/src/semmle/code/xml/MavenPom.qll
index ecfc2c7855e..7619be3293a 100644
--- a/java/ql/src/semmle/code/xml/MavenPom.qll
+++ b/java/ql/src/semmle/code/xml/MavenPom.qll
@@ -372,9 +372,7 @@ class PomProperty extends PomElement {
* An XML element representing any kind of repository declared inside of a Maven POM XML file.
*/
class DeclaredRepository extends PomElement {
- DeclaredRepository() {
- this.getName() = ["repository", "snapshotRepository", "pluginRepository"]
- }
+ DeclaredRepository() { this.getName() = ["repository", "snapshotRepository", "pluginRepository"] }
/**
* Gets the url for this repository. If the `url` tag is present, this will
From ad99aa2d76e01d495794a274f146a048fe2fe6b0 Mon Sep 17 00:00:00 2001
From: Jonathan Leitschuh
Date: Mon, 22 Feb 2021 13:26:51 -0500
Subject: [PATCH 10/11] Fix typo in test output
---
.../semmle/tests/MavenPomDependsOnBintray.expected | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/java/ql/test/query-tests/security/CWE-1104/semmle/tests/MavenPomDependsOnBintray.expected b/java/ql/test/query-tests/security/CWE-1104/semmle/tests/MavenPomDependsOnBintray.expected
index 703df9b9a52..2a7e47d0e65 100644
--- a/java/ql/test/query-tests/security/CWE-1104/semmle/tests/MavenPomDependsOnBintray.expected
+++ b/java/ql/test/query-tests/security/CWE-1104/semmle/tests/MavenPomDependsOnBintray.expected
@@ -1,5 +1,5 @@
-| bad-bintray-pom.xml:17:9:22:22 | repository | Downloading or uploading artifacts to depricated repository https://jcenter.bintray.com |
-| bad-bintray-pom.xml:23:9:28:30 | snapshotRepository | Downloading or uploading artifacts to depricated repository https://jcenter.bintray.com |
-| bad-bintray-pom.xml:31:9:36:22 | repository | Downloading or uploading artifacts to depricated repository https://jcenter.bintray.com |
-| bad-bintray-pom.xml:39:9:44:22 | repository | Downloading or uploading artifacts to depricated repository https://dl.bintray.com/groovy/maven |
-| bad-bintray-pom.xml:47:9:52:28 | pluginRepository | Downloading or uploading artifacts to depricated repository https://jcenter.bintray.com |
+| bad-bintray-pom.xml:17:9:22:22 | repository | Downloading or uploading artifacts to deprecated repository https://jcenter.bintray.com |
+| bad-bintray-pom.xml:23:9:28:30 | snapshotRepository | Downloading or uploading artifacts to deprecated repository https://jcenter.bintray.com |
+| bad-bintray-pom.xml:31:9:36:22 | repository | Downloading or uploading artifacts to deprecated repository https://jcenter.bintray.com |
+| bad-bintray-pom.xml:39:9:44:22 | repository | Downloading or uploading artifacts to deprecated repository https://dl.bintray.com/groovy/maven |
+| bad-bintray-pom.xml:47:9:52:28 | pluginRepository | Downloading or uploading artifacts to deprecated repository https://jcenter.bintray.com |
From 237fefbcf128df5c3201e1a10316c61939816d19 Mon Sep 17 00:00:00 2001
From: Jonathan Leitschuh
Date: Wed, 24 Feb 2021 11:19:20 -0500
Subject: [PATCH 11/11] Add release notes
---
java/change-notes/2021-02-23-deprecated-jcenter-bintray.md | 4 ++++
1 file changed, 4 insertions(+)
create mode 100644 java/change-notes/2021-02-23-deprecated-jcenter-bintray.md
diff --git a/java/change-notes/2021-02-23-deprecated-jcenter-bintray.md b/java/change-notes/2021-02-23-deprecated-jcenter-bintray.md
new file mode 100644
index 00000000000..375b0379e4f
--- /dev/null
+++ b/java/change-notes/2021-02-23-deprecated-jcenter-bintray.md
@@ -0,0 +1,4 @@
+lgtm,codescanning
+* A new query "Depending upon JCenter/Bintray as an artifact repository"
+ (`java/maven/dependency-upon-bintray`) has been added.
+ This query finds uses of the deprecated JCenter/Bintray artifact respositories.
\ No newline at end of file