Merge pull request #12 from JLLeitschuh/chore/JLL/remove_company_note

Remove comment about problem being unique to open source
Jonathan Leitschuh 2020-01-31 11:36:54 -05:00 committed by GitHub
commit 17df8817b6
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23


@ -24,8 +24,6 @@ Further compounding the issue is that maintainers are most often greeted in thes
A fairly simple social engineering supply chain attack against open source would be contribute a helpful “Updated to Gradle xxx” PR that contains malicious code hidden inside this binary JAR. A fairly simple social engineering supply chain attack against open source would be contribute a helpful “Updated to Gradle xxx” PR that contains malicious code hidden inside this binary JAR.
A malicious `gradle-wrapper.jar` could execute, download, or install arbitrary code while otherwise behaving like a completely normal `gradle-wrapper.jar`. A malicious `gradle-wrapper.jar` could execute, download, or install arbitrary code while otherwise behaving like a completely normal `gradle-wrapper.jar`.
This problem is unique to open source and doesnt normally impact companies with closed source and pre-vetted employees.
## Solution ## Solution
We have created a simple GitHub Action that can be applied to any GitHub repository. We have created a simple GitHub Action that can be applied to any GitHub repository.
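Review bot: Dropping the "unique to open source" sentence at the end of the first paragraph is the right call, since nothing in the surrounding text supports that scope: the attack described just above is a pull request bundling a malicious `gradle-wrapper.jar` that "could execute, download, or install arbitrary code while otherwise behaving like a completely normal `gradle-wrapper.jar`", and that description does not depend on the contributor being external or unvetted, only on a binary JAR being accepted into the repository. Rather than leaving the paragraph without a scope statement, consider replacing the removed line with one that states the exposure accurately, along the lines of "Any project that accepts pull requests containing a binary `gradle-wrapper.jar` is exposed, regardless of whether its source is public", so the "## Solution" section that follows reads as applying to every repository the Action is installed on.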