From a9aa64454c17de17f2216cc08ab40bd1b7914163 Mon Sep 17 00:00:00 2001 From: Jonathan Leitschuh Date: Thu, 21 Jul 2022 15:40:10 +0000 Subject: [PATCH] vuln-fix: Use HTTPS instead of HTTP to resolve dependencies This fixes a security vulnerability in this project where the `build.gradle` files were configuring Gradle to resolve dependencies over HTTP instead of HTTPS. Weakness: CWE-829: Inclusion of Functionality from Untrusted Control Sphere Severity: High CVSSS: 8.1 Detection: OpenRewrite Reported-by: Jonathan Leitschuh Signed-off-by: Jonathan Leitschuh Bug-tracker: https://github.com/JLLeitschuh/security-research/issues/9 Co-authored-by: Moderne --- build.gradle | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/build.gradle b/build.gradle index ffb65f7..1a688b0 100644 --- a/build.gradle +++ b/build.gradle @@ -3,7 +3,7 @@ buildscript { jcenter() mavenLocal() maven { - url 'http://repo.jenkins-ci.org/releases/' + url 'https://repo.jenkins-ci.org/releases/' } maven { url 'https://plugins.gradle.org/m2/' @@ -132,4 +132,4 @@ pluginBundle { test { ignoreFailures = true -} \ No newline at end of file +}