From e127d7800835ac006075bd96616f28bc12c5c3fb Mon Sep 17 00:00:00 2001 From: Jonathan Leitschuh Date: Sat, 16 Dec 2023 06:17:16 +0000 Subject: [PATCH] vuln-fix: Use HTTPS instead of HTTP to resolve deps CVE-2021-26291 This fixes a security vulnerability in this project where the `pom.xml` files were configuring Maven to resolve dependencies over HTTP instead of HTTPS. Weakness: CWE-829: Inclusion of Functionality from Untrusted Control Sphere Severity: High CVSS: 8.1 Detection: CodeQL & OpenRewrite (https://app.moderne.io/recipes/org.openrewrite.maven.security.UseHttpsForRepositories) Reported-by: Jonathan Leitschuh Signed-off-by: Jonathan Leitschuh Bug-tracker: https://github.com/JLLeitschuh/security-research/issues/8 Detection: CodeQL (https://codeql.github.com/codeql-query-help/java/java-maven-non-https-url/) & OpenRewrite (https://app.moderne.io/recipes/org.openrewrite.maven.security.UseHttpsForRepositories) Reported-by: Jonathan Leitschuh Signed-off-by: Jonathan Leitschuh Bug-tracker: https://github.com/JLLeitschuh/security-research/issues/8 Use this link to re-run the recipe: https://app.moderne.io/recipes/builder/IfHkrYfxx?organizationId=QWxsIEdpdEh1Yg%3D%3D Co-authored-by: Moderne --- batik/1.9.1.wso2v1/pom.xml | 2 +- bsf/3.0.0.wso2v4/pom.xml | 2 +- commons-io/2.11.0.wso2v1/pom.xml | 6 +++--- openjpa-all/3.0.0.wso2v1/pom.xml | 6 +++--- ua-parser/1.5.2.wso2v1/pom.xml | 2 +- 5 files changed, 9 insertions(+), 9 deletions(-) diff --git a/batik/1.9.1.wso2v1/pom.xml b/batik/1.9.1.wso2v1/pom.xml index 60ef70ab3..7ff10dc0f 100644 --- a/batik/1.9.1.wso2v1/pom.xml +++ b/batik/1.9.1.wso2v1/pom.xml @@ -227,7 +227,7 @@ wso2-nexus WSO2 internal Repository - http://maven.wso2.org/nexus/content/groups/wso2-public/ + https://maven.wso2.org/nexus/content/groups/wso2-public/ true diff --git a/bsf/3.0.0.wso2v4/pom.xml b/bsf/3.0.0.wso2v4/pom.xml index 9ca465a6d..4794d8813 100644 --- a/bsf/3.0.0.wso2v4/pom.xml +++ b/bsf/3.0.0.wso2v4/pom.xml @@ -40,7 +40,7 @@ java.net - http://repo1.maven.org/maven2/ + https://repo1.maven.org/maven2/ diff --git a/commons-io/2.11.0.wso2v1/pom.xml b/commons-io/2.11.0.wso2v1/pom.xml index 8a45cbf3f..356b12c34 100644 --- a/commons-io/2.11.0.wso2v1/pom.xml +++ b/commons-io/2.11.0.wso2v1/pom.xml @@ -34,13 +34,13 @@ wso2.releases WSO2 internal Repository - http://maven.wso2.org/nexus/content/repositories/releases/ + https://maven.wso2.org/nexus/content/repositories/releases/ wso2.snapshots Apache Snapshot Repository - http://maven.wso2.org/nexus/content/repositories/snapshots/ + https://maven.wso2.org/nexus/content/repositories/snapshots/ @@ -48,7 +48,7 @@ wso2-nexus WSO2 internal Repository - http://maven.wso2.org/nexus/content/groups/wso2-public/ + https://maven.wso2.org/nexus/content/groups/wso2-public/ true daily diff --git a/openjpa-all/3.0.0.wso2v1/pom.xml b/openjpa-all/3.0.0.wso2v1/pom.xml index 1310708a7..ba92bebee 100644 --- a/openjpa-all/3.0.0.wso2v1/pom.xml +++ b/openjpa-all/3.0.0.wso2v1/pom.xml @@ -34,7 +34,7 @@ wso2-nexus WSO2 internal Repository - http://maven.wso2.org/nexus/content/groups/wso2-public/ + https://maven.wso2.org/nexus/content/groups/wso2-public/ true daily @@ -47,13 +47,13 @@ wso2.releases WSO2 internal Repository - http://maven.wso2.org/nexus/content/repositories/releases/ + https://maven.wso2.org/nexus/content/repositories/releases/ wso2.snapshots Apache Snapshot Repository - http://maven.wso2.org/nexus/content/repositories/snapshots/ + https://maven.wso2.org/nexus/content/repositories/snapshots/ diff --git a/ua-parser/1.5.2.wso2v1/pom.xml b/ua-parser/1.5.2.wso2v1/pom.xml index f65fafc3b..a05b7bbcd 100644 --- a/ua-parser/1.5.2.wso2v1/pom.xml +++ b/ua-parser/1.5.2.wso2v1/pom.xml @@ -34,7 +34,7 @@ maven-twttr Twitter Public Maven Repo - http://maven.twttr.com + https://maven.twttr.com