From c54ce9308039808969a0712edd3c6016b0df064f Mon Sep 17 00:00:00 2001 From: Jonathan Leitschuh Date: Mon, 3 Oct 2022 23:22:33 +0000 Subject: [PATCH] vuln-fix: Use HTTPS instead of HTTP to resolve dependencies This fixes a security vulnerability in this project where the `build.gradle` files were configuring Gradle to resolve dependencies over HTTP instead of HTTPS. Weakness: CWE-829: Inclusion of Functionality from Untrusted Control Sphere Severity: High CVSSS: 8.1 Detection: OpenRewrite Reported-by: Jonathan Leitschuh Signed-off-by: Jonathan Leitschuh Bug-tracker: https://github.com/JLLeitschuh/security-research/issues/9 Co-authored-by: Moderne --- build.gradle | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/build.gradle b/build.gradle index 67c07bf..d488111 100644 --- a/build.gradle +++ b/build.gradle @@ -23,8 +23,8 @@ jenkinsPlugin { } repositories { - maven { url 'http://bits.netbeans.org/maven2' } - maven { url 'http://repo.jenkins-ci.org/releases/' } + maven { url 'https://bits.netbeans.org/maven2' } + maven { url 'https://repo.jenkins-ci.org/releases/' } jcenter() mavenCentral() }