From d39c60192dafd26a19dfabee6f8e5df4db319736 Mon Sep 17 00:00:00 2001 From: Sterling Greene Date: Fri, 24 Jul 2020 13:48:47 -0400 Subject: [PATCH] Clarify reporting failures documentation --- README.md | 14 +++++--------- 1 file changed, 5 insertions(+), 9 deletions(-) diff --git a/README.md b/README.md index cbe077b..1e7cfe5 100644 --- a/README.md +++ b/README.md 
@@ -92,17 +92,13 @@ From there, you can easily follow the rest of the prompts to create a Pull Reque If this GitHub action fails because a `gradle-wrapper.jar` doesn't match one of our published SHA-256 checksums, we highly recommend that you reach out to us at [security@gradle.com](mailto:security@gradle.com). +**Note:** `gradle-wrapper.jar` generated by Gradle 3.3 to 4.0 are not verifiable because those files were dynamically generated by Gradle in a non-reproducible way. It's not possible to verify the `gradle-wrapper.jar` for those versions are legitimate using a hash comparison. You should try to determine if the `gradle-wrapper.jar` was generated by one of these versions before running the build. + +If the Gradle version in `gradle-wrapper.properties` is out of this range, you may need to regenerate the `gradle-wrapper.jar` by running `./gradlew wrapper`. If you need to use a version of Gradle between 3.3 and 4.0, you can use a newer version of Gradle to generate the `gradle-wrapper.jar`. + If you're curious and want to explore what the differences are between the `gradle-wrapper.jar` in your possession and one of our valid release, you can compare them using this online utility: [DiffScope](https://try.diffoscope.org/). -Regardless of what you find, we still kindly request that you reach out to us and let us know about any issues you encountered. - - -**Note:** When _initially_ applying this action to your project, -if your `gradle-wrapper.jar` was generated by Gradle 3.3 to 4.0, the check will fail. -This is because these `gradle-wrapper.jar` versions were dynamically generated by Gradle in a non-reproducible manner. -As such, it's not possible to verify the `gradle-wrapper.jar` for those versions are legitimate using a hash comparison. -If the Gradle version in use is out of this range it is possible that your Wrapper JAR is out of sync. -To fix this run `./gradlew wrapper`. 
If the Gradle version in use is in the problematic range, you should consider upgrading. +Regardless of what you find, we still kindly request that you reach out to us and let us know. ## Resources
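Review bot: The added sentence "If the Gradle version in `gradle-wrapper.properties` is out of this range, you may need to regenerate the `gradle-wrapper.jar` by running `./gradlew wrapper`" drops the reason the removed text gave ("it is possible that your Wrapper JAR is out of sync"), so a reader can no longer tell why a checksum failure outside 3.3 to 4.0 would call for regeneration rather than the security report requested two paragraphs earlier; suggest restoring that clause, e.g. "...is out of this range, the JAR may simply be out of sync with the declared version; regenerate it by running `./gradlew wrapper` and re-run the check, and report the original JAR to us if the regenerated one differs." Two smaller points in the same hunk: regenerating via `./gradlew wrapper` executes the very `gradle-wrapper.jar` that just failed verification, so the text should prefer a separately installed Gradle distribution (`gradle wrapper`) when the JAR is suspect; and "You should try to determine if the `gradle-wrapper.jar` was generated by one of these versions" gives no way to do so, whereas the `distributionUrl` in `gradle-wrapper.properties` already named in the next paragraph is the obvious place to point the reader. Grammar: "`gradle-wrapper.jar` generated by Gradle 3.3 to 4.0 are not verifiable" should read "A `gradle-wrapper.jar` generated by Gradle 3.3 to 4.0 is not verifiable", and "verify ... are legitimate" should be "verify ... is legitimate".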