xapi-project / xen-api / 15421339685

Build:
  • Default branch: master
  • Ran: 03 Jun 2025 03:22PM UTC
  • Jobs: 1
  • Files: 33
  • Run time: 501min

03 Jun 2025 02:57PM UTC coverage: 77.719%. Remained the same

Build 15421339685 (push via github, committed by web-flow):

fix Failure to use HTTPS or SFTP URL in Maven artifact upload/download xen-api() (#6429)

https://github.com/xapi-project/xen-api/blob/c5efca2df/ocaml/sdk-gen/java/autogen/xen-api/pom.xml#L74-L78

To fix the problem, we need to update the repository URLs in the
`distributionManagement` section of the `pom.xml` file to use HTTPS
instead of HTTP. This change will ensure that artifacts are downloaded
and uploaded over a secure protocol, mitigating the risk of MITM
attacks.

Specifically, we will:
1. Change the URL for the `repository` element from
`http://oss.sonatype.org/content/repositories/java-net-releases/` to
`https://oss.sonatype.org/content/repositories/java-net-releases/`.
2. Change the URL for the `snapshotRepository` element from
`http://oss.sonatype.org/content/repositories/java-net-snapshots/` to
`https://oss.sonatype.org/content/repositories/java-net-snapshots/`.

Using an insecure protocol like HTTP or FTP to download your
dependencies leaves your Maven build vulnerable to a [Man in the Middle
(MITM)](https://en.wikipedia.org/wiki/Man-in-the-middle_attack). This
can allow attackers to inject malicious code into the artifacts that you
are resolving and infect build artifacts that are being produced. This
can be used by attackers to perform a [Supply chain
attack](https://en.wikipedia.org/wiki/Supply_chain_attack) against your
project's users.

## POC
These show locations in Maven POM files where artifact repository
upload/download is configured. The first shows the use of HTTP, the
second shows the use of HTTPS.
```xml
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">

    <modelVersion>4.0.0</modelVersion>

    <groupId>com.semmle</groupId>
    <artifactId>parent</artifactId>
    <version>1.0</version>
    ... (continued)
```

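A small check for the class of misconfiguration the commit above fixes, added here as an example and not part of the commit or the xen-api project: it parses a POM, flags every repository URL under `distributionManagement`, `repositories` or `pluginRepositories` that uses a cleartext scheme, and shows the HTTPS rewrite the commit applies. The sample POM is constructed from the two URLs named in the commit message.

```python
import xml.etree.ElementTree as ET

# Constructed pom.xml fragment modelled on the pre-fix distributionManagement
# section the commit message describes; not the project's actual file.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <distributionManagement>
    <repository>
      <url>http://oss.sonatype.org/content/repositories/java-net-releases/</url>
    </repository>
    <snapshotRepository>
      <url>http://oss.sonatype.org/content/repositories/java-net-snapshots/</url>
    </snapshotRepository>
  </distributionManagement>
  <repositories>
    <repository>
      <url>https://repo.maven.apache.org/maven2/</url>
    </repository>
  </repositories>
</project>
"""

NS = {"m": "http://maven.apache.org/POM/4.0.0"}
# Elements whose <url> child names an artifact repository for download or upload.
REPO_PATHS = (
    "m:distributionManagement/m:repository",
    "m:distributionManagement/m:snapshotRepository",
    "m:repositories/m:repository",
    "m:pluginRepositories/m:pluginRepository",
)
INSECURE_SCHEMES = ("http://", "ftp://")


def find_insecure_repo_urls(pom_xml: str) -> list[tuple[str, str]]:
    """Return (element path, url) for every repository URL using a cleartext scheme."""
    findings = []
    root = ET.fromstring(pom_xml)
    for path in REPO_PATHS:
        for repo in root.findall(path, NS):
            url_el = repo.find("m:url", NS)
            url = (url_el.text or "").strip() if url_el is not None else ""
            if url.lower().startswith(INSECURE_SCHEMES):
                findings.append((path.replace("m:", ""), url))
    return findings


def upgrade_to_https(url: str) -> str:
    """Rewrite a cleartext scheme to https://, the change the commit applies."""
    for scheme in INSECURE_SCHEMES:
        if url.lower().startswith(scheme):
            return "https://" + url[len(scheme):]
    return url
```

Rewriting `ftp://` to `https://` assumes the host also serves the repository over HTTPS; where it only offers SFTP, the commit title's alternative, the URL needs changing by hand.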
3359 of 4322 relevant lines covered (77.72%)

0.78 hits per line

Jobs
ID  Job ID                       Ran                      Files  Coverage
1   python3.11 - 15421339685.1   03 Jun 2025 03:22PM UTC  33     77.72
Commit: c3761f93 on github