From 272b1d5d119621af4d11ed7e295143860a09cd6d Mon Sep 17 00:00:00 2001
From: Jonathan Leitschuh <jonathan.leitschuh@gmail.com>
Date: Tue, 15 Nov 2022 17:59:27 -0800
Subject: [PATCH] vuln-fix: Use HTTPS instead of HTTP to resolve dependencies
 (#4437)

This fixes a security vulnerability in this project where the `build.gradle`
files were configuring Gradle to resolve dependencies over HTTP instead of
HTTPS.

Weakness: CWE-829: Inclusion of Functionality from Untrusted Control Sphere
Severity: High
CVSSS: 8.1
Detection: OpenRewrite

Reported-by: Jonathan Leitschuh <Jonathan.Leitschuh@gmail.com>
Signed-off-by: Jonathan Leitschuh <Jonathan.Leitschuh@gmail.com>

Bug-tracker: https://github.com/JLLeitschuh/security-research/issues/9


Co-authored-by: Moderne <team@moderne.io>

Co-authored-by: Moderne <team@moderne.io>
---
 client-adapter/pom.xml | 6 +++---
 connector/pom.xml      | 6 +++---
 pom.xml                | 2 +-
 3 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/client-adapter/pom.xml b/client-adapter/pom.xml
index 302ced94cf..463ea2e6a0 100644
--- a/client-adapter/pom.xml
+++ b/client-adapter/pom.xml
@@ -53,7 +53,7 @@
     <repositories>
         <repository>
             <id>central</id>
-            <url>http://repo1.maven.org/maven2</url>
+            <url>https://repo1.maven.org/maven2</url>
             <releases>
                 <enabled>true</enabled>
             </releases>
@@ -63,7 +63,7 @@
         </repository>
         <repository>
             <id>java.net</id>
-            <url>http://download.java.net/maven/2/</url>
+            <url>https://download.java.net/maven/2/</url>
             <releases>
                 <enabled>true</enabled>
             </releases>
@@ -73,7 +73,7 @@
         </repository>
         <repository>
             <id>aliyun</id>
-            <url>http://maven.aliyun.com/nexus/content/groups/public/</url>
+            <url>https://maven.aliyun.com/nexus/content/groups/public/</url>
             <releases>
                 <enabled>true</enabled>
             </releases>
diff --git a/connector/pom.xml b/connector/pom.xml
index 744c8e20fa..951da13d86 100644
--- a/connector/pom.xml
+++ b/connector/pom.xml
@@ -39,7 +39,7 @@
     <repositories>
         <repository>
             <id>central</id>
-            <url>http://repo1.maven.org/maven2</url>
+            <url>https://repo1.maven.org/maven2</url>
             <releases>
                 <enabled>true</enabled>
             </releases>
@@ -49,7 +49,7 @@
         </repository>
         <repository>
             <id>java.net</id>
-            <url>http://download.java.net/maven/2/</url>
+            <url>https://download.java.net/maven/2/</url>
             <releases>
                 <enabled>true</enabled>
             </releases>
@@ -59,7 +59,7 @@
         </repository>
         <repository>
             <id>aliyun</id>
-            <url>http://maven.aliyun.com/nexus/content/groups/public/</url>
+            <url>https://maven.aliyun.com/nexus/content/groups/public/</url>
             <releases>
                 <enabled>true</enabled>
             </releases>
diff --git a/pom.xml b/pom.xml
index 365de581c2..0416fcbc7c 100644
--- a/pom.xml
+++ b/pom.xml
@@ -58,7 +58,7 @@
         </repository>
         <repository>
             <id>java.net</id>
-            <url>http://download.java.net/maven/2/</url>
+            <url>https://download.java.net/maven/2/</url>
             <releases>
                 <enabled>true</enabled>
             </releases>