Check if wrapper matches the version specified in properties #282

Open
hfhbd opened this issue Aug 20, 2023 · 1 comment
@hfhbd
Contributor

hfhbd commented Aug 20, 2023

You could update the Gradle version in the properties but forget to update the wrapper too.

This could also be a (theoretical) security risk: checking in a valid but outdated wrapper which could have vulnerabilities.

mikepenz referenced this issue in mikepenz/wrapper-validation-action Aug 24, 2023
…detected versions

  - version is detected from `gradle-wrapper.properties`
  - checksum is only fetched for these particular versions
- FIX gradle#96

While not specifically targeted, this also
- RESOLVES https://github.com/gradle/wrapper-validation-action/issues/142

May enable https://github.com/gradle/wrapper-validation-action/issues/35
@Marcono1234
Contributor

Marcono1234 commented Nov 7, 2023

I assume this also has another security advantage: Currently the checksum is allowed to match any of the checksums of the 200+[1] versions. This likely makes it easier (but it is still difficult) to create a malicious JAR which has a hash collision with any of the 200+ possible checksums, than causing a hash collision with a single checksum.

Footnotes

  1. Maybe that number is too high, since multiple versions might use the same wrapper version.

mikepenz referenced this issue in mikepenz/wrapper-validation-action Jan 25, 2024
mikepenz referenced this issue in mikepenz/wrapper-validation-action Jan 30, 2024
@bigdaz bigdaz transferred this issue from gradle/wrapper-validation-action Jul 12, 2024
@bigdaz bigdaz added enhancement New feature or request in:wrapper-validation labels Jul 12, 2024
@bigdaz bigdaz assigned bigdaz and unassigned bigdaz Jul 19, 2024
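
The check requested in this issue, as an added example (not code from the action or from any participant): the wrapper JAR is accepted only if its SHA-256 matches the checksum of the version pinned in `gradle-wrapper.properties`, and a JAR that is valid for a different release is reported as stale. The function names, status strings and the checksum table are assumptions made for illustration; the JAR bytes are constructed stand-ins, and in practice the table would be filled from Gradle's published wrapper checksums.

```python
import hashlib
import re

# Version in e.g. distributionUrl=https\://services.gradle.org/distributions/gradle-8.3-bin.zip
_DIST_RE = re.compile(
    r"^\s*distributionUrl\s*[=:]\s*.*/gradle-(.+?)-(?:bin|all)\.zip\s*$", re.M
)


def pinned_version(properties_text):
    """Return the Gradle version named by distributionUrl, or None."""
    m = _DIST_RE.search(properties_text)
    return m.group(1) if m else None


def check_wrapper(properties_text, jar_bytes, checksums):
    """Compare the JAR against the checksum of the pinned version only.

    checksums maps version -> SHA-256 hex of that version's wrapper JAR.
    Returns a (status, detail) tuple.
    """
    version = pinned_version(properties_text)
    if version is None:
        return ("no-version", None)
    expected = checksums.get(version)
    if expected is None:
        return ("unknown-version", version)
    actual = hashlib.sha256(jar_bytes).hexdigest()
    if actual == expected:
        return ("ok", version)
    # Genuine JAR of some other release: the stale-wrapper case from the issue.
    others = sorted(v for v, h in checksums.items() if h == actual)
    if others:
        return ("stale-wrapper", others)
    return ("unrecognized-jar", actual)


# Constructed sample data: stand-in JAR contents, not real Gradle wrappers.
JAR_OLD = b"constructed wrapper jar A"
JAR_NEW = b"constructed wrapper jar B"
CHECKSUMS = {
    "8.1": hashlib.sha256(JAR_OLD).hexdigest(),
    "8.2": hashlib.sha256(JAR_OLD).hexdigest(),  # two versions sharing one wrapper
    "8.3": hashlib.sha256(JAR_NEW).hexdigest(),
}
PROPS = ("distributionBase=GRADLE_USER_HOME\n"
         "distributionUrl=https\\://services.gradle.org/distributions/gradle-8.3-bin.zip\n")
```

Checking against the "any known checksum" set would accept `JAR_OLD` for this project; the per-version comparison returns `stale-wrapper` instead, while still accepting a JAR shared by several versions when the pinned version is one of them.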