Check for suspicious gradle-wrapper.jar #1440

Merged
merged 1 commit into from
May 20, 2020

@snjeza snjeza commented May 10, 2020

Requires eclipse-jdtls/eclipse.jdt.ls#1434

Signed-off-by: Snjezana Peco snjezana.peco@redhat.com

@snjeza snjeza requested review from gorkem and fbricon May 10, 2020 16:56
@snjeza snjeza changed the title [WIP] Check gradle-wrapper.jar Check gradle-wrapper.jar May 13, 2020
src/settings.ts Outdated
@@ -17,6 +17,9 @@ const changeItem = {
never: 'Never'
};

const allow = 'Allow';
const disallow = 'Disallow';
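
Review bot: At the two added constants that close this hunk, `allow` and `disallow` are loose module-level strings, while the labels just above them are grouped in the `changeItem` object. Grouping the new pair the same way, under a name that says they are the answers to the wrapper trust prompt, would keep the label set in one place and make call sites self-explanatory. If these strings are both shown to the user and compared against the user's selection, keep every comparison on the constants rather than on repeated literals so that rewording a label cannot silently change the outcome.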

Collaborator

'Do not trust'

Contributor Author

Fixed.

@snjeza snjeza force-pushed the gradlewrapper branch 5 times, most recently from 677d930 to 95e162a Compare May 19, 2020 17:27
Signed-off-by: Snjezana Peco <snjezana.peco@redhat.com>
snjeza commented May 19, 2020

@fbricon I have updated the PR.

@fbricon fbricon changed the title Check gradle-wrapper.jar Check for suspicious gradle-wrapper.jar May 20, 2020
@fbricon fbricon added this to the Mid May 2020 milestone May 20, 2020
@fbricon fbricon merged commit 3ed3db7 into redhat-developer:master May 20, 2020
fbricon commented May 20, 2020

Before a Gradle wrapper is executed, its checksum is verified against the list of wrappers publicly released by the Gradle team. If the checksum doesn't match a known good checksum, a security warning is displayed (actually an error, so it stays visible):

[Image: Screen Shot 2020-05-20 at 11 29 20 PM]

The link opens the corresponding wiki page.

If you trust the wrapper to be executed, the application settings.json will be updated like:

"java.imports.gradle.wrapper.checksums": [
    {
        "sha256": "504b38a11c466aecb2f5c0b0d8ce0ed7ffa810bf70b9b7a599c570051be8fb4e",
        "allowed": true
    }
],

and the wrapper will be used.

If you don't trust it, "allowed":"false" will be stored.

The default Gradle version embedded in Buildship will be used to build your project until the wrapper is explicitly trusted.
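
The check fbricon describes above, as an added JavaScript sketch (not code from this PR or from eclipse.jdt.ls): hash the wrapper jar, honour a stored decision for that hash, accept known-good checksums, and otherwise warn and fall back to the embedded Gradle. Assumptions: `KNOWN_GOOD`, the sample jar bytes, the function names and the rule that a stored denial outranks the known-good list are illustrative, and only the boolean `true` is read as trust.

```javascript
const { createHash } = require("node:crypto");

const sha256 = (bytes) => createHash("sha256").update(bytes).digest("hex");

// Constructed stand-ins for the bytes of a project's gradle-wrapper.jar.
const releasedJar = Buffer.from("constructed sample: released wrapper");
const unknownJar = Buffer.from("constructed sample: unrecognized wrapper");

// Assumption: stand-in for the checksums of wrappers released by the Gradle team.
const KNOWN_GOOD = new Set([sha256(releasedJar)]);
const HEX64 = /^[0-9a-f]{64}$/;

// Stored decision for a digest, read from entries shaped like the
// "java.imports.gradle.wrapper.checksums" setting: true, false or undefined.
function userDecision(digest, entries) {
  let decision;
  for (const entry of Array.isArray(entries) ? entries : []) {
    const sum = String(entry && entry.sha256).toLowerCase();
    if (!HEX64.test(sum) || sum !== digest) continue; // malformed or other jar
    // Only the boolean true grants trust; "true", "false", 1 or null deny.
    if (entry.allowed !== true) return false; // a denial always wins
    decision = true;
  }
  return decision;
}

// Hypothetical gate: which Gradle builds the project, and whether to warn.
function evaluateWrapper(jarBytes, entries) {
  const digest = sha256(jarBytes);
  const decision = userDecision(digest, entries);
  if (decision === false) {
    return { sha256: digest, action: "use-embedded-gradle", warn: false };
  }
  if (KNOWN_GOOD.has(digest) || decision === true) {
    return { sha256: digest, action: "use-wrapper", warn: false };
  }
  // Unknown checksum and no stored decision: warn, do not run the wrapper.
  return { sha256: digest, action: "use-embedded-gradle", warn: true };
}
```
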
