Paul Merlin 33646cf935 Rework output
Always display all known and unknown found wrapper jars
alongside their checksum.

The display string building was pushed down from the Github Action main
function, so it's easier to reuse and test it.

Signed-off-by: Paul Merlin <paul@gradle.com>
2020-01-11 15:35:09 +01:00
.github/workflows Add input to allow arbitrary checksums 2020-01-06 13:36:28 +01:00
__tests__ Rework output 2020-01-11 15:35:09 +01:00
dist Refine min-wrapper-count error message 2020-01-10 17:59:23 +01:00
src Rework output 2020-01-11 15:35:09 +01:00
.eslintignore Initial commit 2020-01-05 12:04:24 +01:00
.eslintrc.json Initial commit 2020-01-05 12:04:24 +01:00
.gitignore Ignore IDEA files 2020-01-11 14:14:31 +01:00
.prettierignore Initial commit 2020-01-05 12:04:24 +01:00
.prettierrc.json Initial commit 2020-01-05 12:04:24 +01:00
action.yml Add Action branding 2020-01-10 18:04:36 +01:00
CONTRIBUTING.md Add an explanation to the README 2020-01-10 16:07:03 +01:00
jest.config.js Simplify jest config 2020-01-06 13:26:44 +01:00
LICENSE Initial commit 2020-01-05 12:04:24 +01:00
package-lock.json Walk the dir tree instead of the git tree 2020-01-06 13:24:48 +01:00
package.json Walk the dir tree instead of the git tree 2020-01-06 13:24:48 +01:00
README.md Fix README 2020-01-10 18:05:42 +01:00
tsconfig.json Initial commit 2020-01-05 12:04:24 +01:00


Gradle Wrapper Validation Action

This action validates the checksums of Gradle Wrapper JAR files present in the source tree and fails if unknown Gradle Wrapper JAR files are found.

The Gradle Wrapper Problem in Open Source

The gradle-wrapper.jar is a binary blob of executable code that is checked into nearly 2.8 Million GitHub Repositories.

Searching across GitHub you can find many pull requests (PRs) with helpful titles like 'Update to Gradle xxx'. Many of these PRs are contributed by individuals outside of the organization maintaining the project.

Many maintainers are incredibly grateful for these kinds of contributions, as it takes an item off of their backlog. We assume that most maintainers do not consider the security implications of accepting the Gradle Wrapper binary from an external contributor. Open source maintainers extend a certain amount of blind trust to contributors. Further compounding the issue is that maintainers are most often greeted in these PRs with a diff to the gradle-wrapper.jar that looks like this.

[Screenshot: the PR diff shown for gradle-wrapper.jar]

A fairly simple social engineering supply chain attack against open source would be to contribute a helpful “Updated to Gradle xxx” PR that contains malicious code hidden inside this binary JAR. A malicious gradle-wrapper.jar could execute, download, or install arbitrary code while otherwise behaving like a completely normal gradle-wrapper.jar.

This problem is unique to open source and doesn't normally impact companies with closed source and pre-vetted employees.

Solution

We have created a simple GitHub Action that can be applied to any GitHub repository. This GitHub Action will do one simple task: verify that any and all gradle-wrapper.jar files in the repository match the SHA-256 checksums of any of our official releases.

If any are found that do not match the SHA-256 checksums of our official releases, the action will fail.
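The check described above, as an added example that is not the action's own code: walk the source tree for every gradle-wrapper.jar, hash each one with SHA-256, split the results into known and unknown against an allowlist, and build a report that lists every wrapper with its checksum. The allowlist here is a constructed fixture standing in for Gradle's published release checksums, and the minimum-wrapper-count check and function names are this example's own.

```python
import hashlib
import os
import tempfile
from pathlib import Path

WRAPPER_JAR_NAME = "gradle-wrapper.jar"

def sha256_of_file(path):
    """Hex SHA-256 of a file, hashed in chunks so large JARs are not read whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def find_wrapper_jars(root):
    """Walk the directory tree (not only git-tracked files) for every gradle-wrapper.jar."""
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = sorted(d for d in dirnames if d != ".git")  # deterministic order, skip .git
        for name in filenames:
            if name == WRAPPER_JAR_NAME:
                yield Path(dirpath) / name

def validate_wrappers(root, known_checksums, min_wrapper_count=1):
    """Return (known, unknown): lists of (relative path, sha256) for every wrapper found.
    Fails when fewer wrappers than expected exist, so a wrong checkout cannot pass silently."""
    root = Path(root)
    known, unknown = [], []
    for jar in find_wrapper_jars(root):
        checksum = sha256_of_file(jar)
        entry = (jar.relative_to(root).as_posix(), checksum)
        (known if checksum in known_checksums else unknown).append(entry)
    found = len(known) + len(unknown)
    if found < min_wrapper_count:
        raise ValueError(f"expected at least {min_wrapper_count} wrapper jar(s), found {found}")
    return known, unknown

def build_report(known, unknown):
    """Display string listing every wrapper with its checksum, known and unknown alike."""
    lines = ["Known Gradle Wrapper JARs:"] + [f"  {c}  {p}" for p, c in known]
    if unknown:
        lines += ["Unknown Gradle Wrapper JARs (fail the build):"] + [f"  {c}  {p}" for p, c in unknown]
    return "\n".join(lines)

def make_sample_tree():
    """Constructed fixture: one wrapper whose checksum is on the allowlist, one that is not."""
    root = Path(tempfile.mkdtemp())
    for sub, content in (("gradle/wrapper", b"constructed genuine wrapper"),
                         ("lib/gradle/wrapper", b"constructed tampered wrapper")):
        (root / sub).mkdir(parents=True)
        (root / sub / WRAPPER_JAR_NAME).write_bytes(content)
    allowlist = {hashlib.sha256(b"constructed genuine wrapper").hexdigest()}  # stand-in for Gradle's list
    return root, allowlist
```

Running `validate_wrappers` on `make_sample_tree()` and printing `build_report` shows one known and one unknown wrapper; a CI step would exit non-zero whenever the unknown list is not empty.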

Usage

Simply add this action to your workflow after having checked out your source tree and before running any Gradle build:

uses: gradle/wrapper-validation-action@v1

Here's a sample complete workflow you can add to your repositories:

.github/workflows/gradle-wrapper-validation.yml

name: "Validate Gradle Wrapper"
on: [push]

jobs:
  validation:
    name: "Validation"
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: gradle/wrapper-validation-action@v1

Reporting Failures

If this GitHub action fails because a gradle-wrapper.jar doesn't match one of our published SHA-256 checksums, we highly recommend that you reach out to us at security@gradle.com.

If you're curious and want to explore what the differences are between the gradle-wrapper.jar in your possession and one of our valid releases, you can compare them using this online utility: DiffScope. Regardless of what you find, we still kindly request that you reach out to us and let us know about any issues you encountered.