This repository has been archived by the owner on Feb 20, 2023. It is now read-only.

Restrict which dependencies can come from which repositories #9644

Closed
mcomella opened this issue Apr 2, 2020 · 1 comment
Closed

Labels
eng:automation Build automation, Continuous integration, .. eng:build Build system, gradle, configuration eng:health Improve code health eng:qa:not-needed Added by QA to issues that cannot be tested needs:triage Issue needs triage

Comments

@mcomella (Contributor) commented Apr 2, 2020

Description copied from FFTV mozilla-mobile/firefox-tv#2373:

Vision statement / What / Requirements

In our current dependency configuration, there's a security risk. We request dependencies that are only available from our custom Mozilla repository. However, if a malicious user in another repository uploads an artifact with the same name or a similar name (e.g. we typo), we could end up using a malicious artifact.

Gradle recently introduced a feature to allow you to match dependencies to repositories: we should leverage that feature to fix this risk and improve performance.

Impact

Our application and developers' machines will be less likely to run untrusted & unexpected code.

We can implement the solution like FFTV:
https://github.com/mozilla-mobile/firefox-tv/blob/62a2fa680c49beae271b55981d7afecc67d2aa21/build.gradle#L89-L118

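The Gradle feature the issue refers to is repository content filtering. The following root `build.gradle` fragment is an added illustration of it, not code from this issue, from Fenix, or from the linked FFTV build file: it pins one dependency group to a single repository with `exclusiveContent` and limits which groups the other repositories may serve. The repository URL, repository name and the group prefixes are assumptions for the example and would need to match the project's real dependencies.

```groovy
// Added example (not from the Fenix or FFTV build files). Requires Gradle 6.2+
// for exclusiveContent; plain content { } filters work from Gradle 5.1.
allprojects {
    repositories {
        // Artifacts whose group starts with "org.mozilla." may ONLY come from
        // this repository. Gradle also stops every other repository from
        // serving these groups. If an artifact is missing here, resolution
        // fails with "Could not find" instead of silently falling back to
        // another repository that happens to host a same-named artifact.
        // The URL and the group prefix are assumptions for this example.
        exclusiveContent {
            forRepository {
                maven {
                    name = "MozillaMaven"
                    url = "https://maven.mozilla.org/maven2"
                }
            }
            filter {
                includeGroupByRegex "org\\.mozilla\\..*"
            }
        }

        // The Google repository is consulted only for the groups listed here.
        // The patterns are examples; a group that is not covered (for instance
        // a Firebase artifact when its group is missing from this list) will
        // not resolve until the filter is extended.
        google {
            content {
                includeGroupByRegex "com\\.android.*"
                includeGroupByRegex "com\\.google\\.android.*"
                includeGroupByRegex "com\\.google\\.firebase.*"
                includeGroupByRegex "androidx.*"
            }
        }

        // Everything else comes from Maven Central. The groups reserved above
        // via exclusiveContent are already excluded from it automatically.
        mavenCentral()
    }
}
```

A quick check after adding such filters is `./gradlew dependencies` (or `./gradlew :app:dependencies --configuration <variant>RuntimeClasspath` for an Android module): a coordinate that exists only in the restricted repository should still resolve, while a mistyped group or one left out of every filter should fail to resolve rather than be fetched from whichever repository happens to have a match. A resolution failure at this point is the filter doing its job and means the filter, not the repository list, needs adjusting.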

@mcomella mcomella self-assigned this Apr 2, 2020
@github-actions github-actions bot added the needs:triage Issue needs triage label Apr 2, 2020
mcomella added a commit to mcomella/fenix that referenced this issue Apr 3, 2020
The docs say it is [1] "only needed for Android SDK versions below 4.3.0".
That is API 18 and our min SDK is 21.

[1]: https://docs.leanplum.com/reference#android-setup
mcomella added a commit to mcomella/fenix that referenced this issue Apr 3, 2020
…ject.

This will reduce the amount of duplication we need in specifying
restricted dependencies and centralize repository definitions. Since
we're a one project app, it shouldn't have a significant impact on
performance.
mcomella added a commit to mcomella/fenix that referenced this issue Apr 3, 2020
However, there is a resolution error to be fixed in the next commit.

This is verbatim from FFTV except I removed the no-op "improve security
if code is refactored incorrectly" lines: these lines rarely changed and
I'm not that concerned. It might be better to simplify the
configuration.

Source:
  https://github.com/mozilla-mobile/firefox-tv/blob/62a2fa680c49beae271b55981d7afecc67d2aa21/buildSrc/src/main/java/org/mozilla/gradle/Dependencies.kt#L7
  https://github.com/mozilla-mobile/firefox-tv/blob/62a2fa680c49beae271b55981d7afecc67d2aa21/build.gradle#L31
mcomella added a commit to mcomella/fenix that referenced this issue Apr 3, 2020
This fixes the resolution error from the previous PR.
@kbrosnan kbrosnan added eng:automation Build automation, Continuous integration, .. eng:build Build system, gradle, configuration eng:health Improve code health labels Apr 11, 2020
boek pushed a commit that referenced this issue Apr 15, 2020
* For #9644: remove unnecessary leanplum maven repository.

The docs say it is [1] "only needed for Android SDK versions below 4.3.0".
That is API 18 and our min SDK is 21.

[1]: https://docs.leanplum.com/reference#android-setup

* For #9644: move buildscript block from :app to root project.

This will reduce the amount of duplication we need in specifying
restricted dependencies and centralize repository definitions. Since
we're a one project app, it shouldn't have a significant impact on
performance.

* For #9644: restrict dependencies following FFTV config.

However, there is a resolution error to be fixed in the next commit.

This is verbatim from FFTV except I removed the no-op "improve security
if code is refactored incorrectly" lines: these lines rarely changed and
I'm not that concerned. It might be better to simplify the
configuration.

Source:
  https://github.com/mozilla-mobile/firefox-tv/blob/62a2fa680c49beae271b55981d7afecc67d2aa21/buildSrc/src/main/java/org/mozilla/gradle/Dependencies.kt#L7
  https://github.com/mozilla-mobile/firefox-tv/blob/62a2fa680c49beae271b55981d7afecc67d2aa21/build.gradle#L31

* For #9644: restrict firebase deps to google repo.

This fixes the resolution error from the previous PR.
@mcomella (Contributor, Author) commented:

Addressed with #9649

@mcomella mcomella added the eng:qa:not-needed Added by QA to issues that cannot be tested label Apr 23, 2020
@liuche liuche mentioned this issue Apr 28, 2020