Plugin Portal Security CVE-2020-7599

Important update when publishing plugins to the Plugin Portal

A security vulnerability was reported to us on March 4th, 2020. This problem could allow an authorized person to overwrite plugin artifacts on the Plugin Portal if they had access to the build logs that published the plugin. After a thorough investigation, we found no artifacts were overwritten for a malicious purpose.

In response, we’ve published a new version of the com.gradle.plugin-publish plugin that contains an update to mitigate this security vulnerability.

Please upgrade the com.gradle.plugin-publish plugin to version 0.11.0. Old versions of the com.gradle.plugin-publish plugin will no longer work. If you do not publish plugins to the Plugin Portal, you do not...


Verifying Gradle Wrappers with GitHub Actions

Pull Request Status Check with new 'Validate Gradle Wrapper / Validation' successful status

We are proud to announce the release of the new Gradle Wrapper Validation GitHub Action.

Gradle Wrapper in Open Source

The gradle-wrapper.jar is a binary blob of executable code that is checked into nearly 2.8 million GitHub repositories.

Searching across GitHub you can find many pull requests (PRs) with helpful titles like ‘Update to Gradle xxx’. Many of these PRs are contributed by individuals outside of the organization maintaining the project.

Maintainers are grateful for these kinds of contributions, as each one takes an item off their backlog. But there are security implications of accepting changes to the Gradle Wrapper...


Decommissioning HTTP for Gradle Services

Starting in January 2020, Gradle services will only serve requests made with HTTPS. From that point on, all requests made with HTTP will be denied and any builds and artifact mirrors that use a Gradle URL with the non-secure HTTP protocol will fail.

If you are proxying our services through your own artifact servers like Artifactory or Nexus, you will need to ensure that you update your mirror configurations so they are using HTTPS instead of HTTP.

Gradle Services

This change will impact the following services.

Plugin Portal

By default, the Gradle build tool uses HTTPS when resolving plugins from the Plugin Portal. You should be unaffected if you do not declare a custom plugin repository.

If your organization...
