Enforce gradle dependency verification #6443

Conversation

@alvasw alvasw (Contributor) commented Dec 6, 2022

We had some issues with the Gradle Dependency Verification and nobody noticed it because it was not enforced by Gradle. Supply chain attacks are sadly a real threat that should not be underestimated.

The following artifacts failed verification:
  - javafx-base-16-linux.jar (org.openjfx:javafx-base:16) from repository MavenRepo
  - javafx-controls-16-linux.jar (org.openjfx:javafx-controls:16) from repository MavenRepo
  - javafx-fxml-16-linux.jar (org.openjfx:javafx-fxml:16) from repository MavenRepo
  - javafx-graphics-16-linux.jar (org.openjfx:javafx-graphics:16) from repository MavenRepo
  - protoc-3.19.1-linux-x86_64.exe (com.google.protobuf:protoc:3.19.1) from repository MavenRepo
  - protoc-gen-grpc-java-1.42.1-linux-x86_64.exe (io.grpc:protoc-gen-grpc-java:1.42.1) from repository MavenRepo
  - jackson-base-2.12.1.pom
  - protoc-3.19.1-windows-x86_64.exe
  - protoc-gen-grpc-java-1.42.1-windows-x86_64.exe
  - junit-bom-5.7.0.pom
  - javafx-base-16-win.jar
  - javafx-controls-16-win.jar
  - javafx-fxml-16-win.jar
  - javafx-graphics-16-win.jar
The built-in Gradle dependency verification XML writer does not find all our libraries for some unknown reason. I had to compute and add multiple hashes manually. It seems like it is OS related and the CI output helped to fix the problem. The console output makes it hard to fix issues because we cannot access the generated HTML file. This change re-enables the verbose failure report.

We had some issues with the Gradle Dependency Verification and nobody noticed it because it was not enforced by Gradle. Supply chain attacks are sadly a real threat that should not be underestimated.
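The artifacts listed above all carry a platform classifier (`-linux`, `-win`, `-linux-x86_64`, `-windows-x86_64`), so a metadata file generated on one OS records only that OS's files, and a build on the other OS then hits an artifact with no entry at all. The script below is an added example, not code from the Bisq repository or from Gradle: it computes SHA-256 entries for `gradle/verification-metadata.xml` in the schema Gradle documents, merges every platform variant of one coordinate under a single `<component>`, and then replays a strict check against constructed fake jar files to show the three outcomes a practitioner has to distinguish (hash matches, hash mismatches, no entry recorded). The file contents, the `Computed manually` origin string and the `demo()` scenario are constructed for the example.

```python
"""Added example (not the project's code): build and check Gradle
verification-metadata.xml entries for artifacts that differ per platform."""
import hashlib
import hmac
import os
import tempfile
import xml.etree.ElementTree as ET

# Namespace used by Gradle's verification-metadata.xml schema.
NS = "https://schema.gradle.org/dependency-verification"


def tag(local):
    """Fully qualified tag name inside the Gradle verification namespace."""
    return "{%s}%s" % (NS, local)


def sha256_of_file(path, chunk=1 << 20):
    """Stream the file so large jars and protoc binaries are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_metadata(entries):
    """entries: (group, name, version, path) tuples; returns the XML text.

    Artifacts that share group/name/version are merged into one <component>,
    which is how the linux and win jars of one coordinate have to be recorded."""
    ET.register_namespace("", NS)
    root = ET.Element(tag("verification-metadata"))
    cfg = ET.SubElement(root, tag("configuration"))
    ET.SubElement(cfg, tag("verify-metadata")).text = "true"
    ET.SubElement(cfg, tag("verify-signatures")).text = "false"
    comps = ET.SubElement(root, tag("components"))
    by_coord = {}
    for group, name, version, path in entries:
        by_coord.setdefault((group, name, version), []).append(path)
    for (group, name, version), paths in by_coord.items():
        comp = ET.SubElement(comps, tag("component"), group=group, name=name, version=version)
        for path in paths:
            art = ET.SubElement(comp, tag("artifact"), name=os.path.basename(path))
            # "origin" is free text in the schema; this value is the example's own label.
            ET.SubElement(art, tag("sha256"), value=sha256_of_file(path), origin="Computed manually")
    return ET.tostring(root, encoding="unicode")


def check_artifact(metadata_xml, group, name, version, path):
    """Replay a strict check for one downloaded file.

    Returns 'ok', 'mismatch' (recorded hash differs) or 'missing' (no entry at
    all, the outcome a platform-specific artifact produces on the other OS)."""
    root = ET.fromstring(metadata_xml)
    fname = os.path.basename(path)
    for comp in root.iter(tag("component")):
        if (comp.get("group"), comp.get("name"), comp.get("version")) != (group, name, version):
            continue
        for art in comp.findall(tag("artifact")):
            if art.get("name") != fname:
                continue
            expected = art.find(tag("sha256"))
            if expected is None:
                return "missing"
            if hmac.compare_digest(expected.get("value"), sha256_of_file(path)):
                return "ok"
            return "mismatch"
    return "missing"


def demo():
    """Constructed scenario: two fake platform jars, metadata first written from a
    Linux-only run, then from both platforms. Not real Maven artifacts."""
    coord = ("org.openjfx", "javafx-base", "16")
    with tempfile.TemporaryDirectory() as d:
        paths = {}
        for fname, content in (("javafx-base-16-linux.jar", b"fake linux jar"),
                               ("javafx-base-16-win.jar", b"fake windows jar")):
            paths[fname] = os.path.join(d, fname)
            with open(paths[fname], "wb") as f:
                f.write(content)
        linux, win = paths["javafx-base-16-linux.jar"], paths["javafx-base-16-win.jar"]
        # Metadata as a Linux-only generation run would produce it.
        xml = build_metadata([coord + (linux,)])
        results = {"linux": check_artifact(xml, *coord, linux),
                   "win": check_artifact(xml, *coord, win)}
        # Simulate a tampered download of the recorded artifact.
        with open(linux, "ab") as f:
            f.write(b"\x00")
        results["linux_tampered"] = check_artifact(xml, *coord, linux)
        # Fix: record both platform variants under the same component.
        xml_both = build_metadata([coord + (linux,), coord + (win,)])
        results["win_after_fix"] = check_artifact(xml_both, *coord, win)
        results["components"] = xml_both.count("<component ")
        results["artifacts"] = xml_both.count("<artifact ")
        return results


if __name__ == "__main__":
    print(demo())
```

Gradle's own generator is `./gradlew --write-verification-metadata sha256`, and it can only record the artifacts the current platform resolves, so the entries for each OS in CI have to be produced on that OS (or computed by hand as above) and merged into the same `<component>`. With the metadata file present Gradle verifies in strict mode by default (`--dependency-verification=strict|lenient|off` overrides it), and the gradle.properties property `org.gradle.dependency.verification.console=verbose` is Gradle's switch for printing the full failure report to the console instead of only the summary; this is stated from the Gradle documentation, not from this PR's diff, which is not shown on the page.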
@alvasw alvasw marked this pull request as ready for review December 6, 2022 19:40
@alejandrogarcia83 alejandrogarcia83 added this to the v1.9.7 milestone Dec 6, 2022
@alejandrogarcia83 alejandrogarcia83 (Contributor) left a comment
utACK

@alejandrogarcia83 alejandrogarcia83 merged commit 555742d into bisq-network:master Dec 6, 2022
@alvasw alvasw deleted the enforce_gradle_dependency_verification branch February 6, 2023 12:04