This repository has been archived by the owner on Feb 20, 2023. It is now read-only.
Restrict which dependencies can come from which repositories #9644
Labels:
eng:automation - Build automation, Continuous integration, ...
eng:build - Build system, gradle, configuration
eng:health - Improve code health
eng:qa:not-needed - Added by QA to issues that cannot be tested
needs:triage - Issue needs triage
Description copied from FFTV mozilla-mobile/firefox-tv#2373:
Vision statement / What / Requirements
In our current dependency configuration there is a security risk. We request dependencies that are only available from our custom Mozilla repository, but nothing ties those dependencies to that repository. If a malicious user uploads an artifact with the same name, or a similar name that we might typo, to one of the other configured repositories, we could end up using that malicious artifact.
Gradle recently introduced a feature that lets you declare which dependencies may come from which repository: we should leverage that feature to close this risk and to improve performance.
Impact
Our application and developers' machines will be less likely to run untrusted and unexpected code.
We can implement the solution the same way FFTV did:
https://github.com/mozilla-mobile/firefox-tv/blob/62a2fa680c49beae271b55981d7afecc67d2aa21/build.gradle#L89-L118
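A before/after sketch of the repositories block using Gradle's repository content filtering (Gradle 5.3 or newer), added here as an illustration; it is not copied from the FFTV or Fenix build files, and the Mozilla repository URL and the org.mozilla group pattern are assumptions:

```groovy
// Added example, not the project's own build.gradle. The repository URL and
// the group patterns are assumptions chosen for illustration.

// BEFORE: every repository is a candidate for every dependency, searched in
// declaration order. A look-alike org.mozilla.* artifact published to google()
// or jcenter(), or one matching a typo in our coordinates, can be resolved.
repositories {
    google()
    jcenter()
    maven { url "https://maven.mozilla.org/maven2" }   // assumed URL
}

// AFTER: each repository declares the groups it is allowed to serve. A group
// that no repository includes cannot be resolved at all, and a Mozilla-namespaced
// artifact sitting in jcenter is never considered. Gradle also stops probing
// repositories that cannot serve a given group, which is the performance win.
repositories {
    google {
        content {
            // Google's repository only serves its own namespaces.
            includeGroupByRegex "com\\.android.*"
            includeGroupByRegex "com\\.google.*"
            includeGroupByRegex "androidx.*"
        }
    }
    jcenter {
        content {
            // General third-party libraries only; Mozilla groups are explicitly
            // denied so a substituted artifact here is never a candidate.
            excludeGroupByRegex "org\\.mozilla.*"
        }
    }
    maven {
        url "https://maven.mozilla.org/maven2"          // assumed URL
        content {
            // Only Mozilla-namespaced groups may come from this repository.
            includeGroupByRegex "org\\.mozilla.*"       // assumed group pattern
        }
    }
}
```

A quick check after adopting this is to run a dependency resolution with --refresh-dependencies and confirm that any dependency outside the declared groups fails to resolve rather than silently falling through to another repository.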