Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Verify distributionUrl and distributionSha256Sum in gradle-wrapper.properties against the official list #286

Open
vlsi opened this issue Mar 17, 2021 · 5 comments
Open

Verify distributionUrl and distributionSha256Sum in gradle-wrapper.properties against the official list #286

vlsi opened this issue Mar 17, 2021 · 5 comments
Labels
enhancement New feature or request in:wrapper-validation

Comments

@vlsi
Copy link

vlsi commented Mar 17, 2021
edited
Loading

Validate gradle/wrapper/gradle-wrapper.properties:

  1. Assume distributionUrl points to a canonical Gradle location. If the link is not listed in https://services.gradle.org/versions/all, then fail the validation.
  2. For those who want a customized Gradle distribution, add skip-distribution-validation: true|false configuration option (default: false)
  3. Enforce the valid distributionSha256Sum for the official distributions
@vlsi vlsi mentioned this issue Mar 17, 2021
Open
@JLLeitschuh
Copy link
Contributor

I could get behind this feature. @eskatos what are your thoughts?

@eskatos
Copy link
Member

eskatos commented Mar 19, 2021

This indeed sounds like a good idea

@JLLeitschuh
Copy link
Contributor

@vlsi would you be willing to contribute a PR?

@vlsi
Copy link
Author

vlsi commented Mar 19, 2021

I'm afraid it would take me a while (I'm not much into TypeScript)

@vlsi vlsi mentioned this issue May 13, 2021
Open
mikepenz referenced this issue in mikepenz/wrapper-validation-action Aug 24, 2023
@mikepenz
- introduce new configuration to enable checksum validation only for …
c7f33a0 
…detected versions

  - version is detected from `gradle-wrapper.properties`
  - checksum is only fetched for these particular versions
- FIX gradle#96

While not specifically targeted, this also
- RESOLVES https://github.com/gradle/wrapper-validation-action/issues/142

May enable https://github.com/gradle/wrapper-validation-action/issues/35
@mikepenz mikepenz mentioned this issue Aug 24, 2023
Open
mikepenz referenced this issue in mikepenz/wrapper-validation-action Jan 25, 2024
@mikepenz
- introduce new configuration to enable checksum validation only for …
1f0a388 
…detected versions

  - version is detected from `gradle-wrapper.properties`
  - checksum is only fetched for these particular versions
- FIX gradle#96

While not specifically targeted, this also
- RESOLVES https://github.com/gradle/wrapper-validation-action/issues/142

May enable https://github.com/gradle/wrapper-validation-action/issues/35
mikepenz referenced this issue in mikepenz/wrapper-validation-action Jan 30, 2024
@mikepenz
- introduce new configuration to enable checksum validation only for …
f8ea516 
…detected versions

  - version is detected from `gradle-wrapper.properties`
  - checksum is only fetched for these particular versions
- FIX gradle#96

While not specifically targeted, this also
- RESOLVES https://github.com/gradle/wrapper-validation-action/issues/142

May enable https://github.com/gradle/wrapper-validation-action/issues/35
mikepenz referenced this issue in mikepenz/wrapper-validation-action Jan 30, 2024
@mikepenz
- introduce new configuration to enable checksum validation only for …
54f0bdf 
…detected versions

  - version is detected from `gradle-wrapper.properties`
  - checksum is only fetched for these particular versions
- FIX gradle#96

While not specifically targeted, this also
- RESOLVES https://github.com/gradle/wrapper-validation-action/issues/142

May enable https://github.com/gradle/wrapper-validation-action/issues/35
@bigdaz bigdaz transferred this issue from gradle/wrapper-validation-action Jul 12, 2024
@bigdaz bigdaz added enhancement New feature or request in:wrapper-validation labels Jul 12, 2024
@bigdaz bigdaz assigned bigdaz and unassigned bigdaz Jul 19, 2024
@cloudshiftchris
Copy link

There appears to be an erroneous assumption that the distribution checksum is only for "official" Gradle distributions; it's merely a configurable value, alongside the also-configurable distribution URL that users can set to whatever is appropriate for them.

We're using custom Gradle distributions and configuring their checksum so downloads are validated. Changing the current behaviour would break these distributions and/or reduce the security.

Instead, perhaps check the distributionUrl and if its an "official" Gradle distribution then confirm that the checksum is also in the known/official list.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request in:wrapper-validation
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@eskatos @bigdaz @vlsi @JLLeitschuh @cloudshiftchris