From 7d35241f69d602f8d26fec1c2a5361cc0b5759a4 Mon Sep 17 00:00:00 2001 From: Jonathan Leitschuh Date: Fri, 8 Jul 2022 18:44:21 +0000 Subject: [PATCH] vuln-fix: Use HTTPS instead of HTTP to resolve deps CVE-2021-26291 This fixes a security vulnerability in this project where the `pom.xml` files were configuring Maven to resolve dependencies over HTTP instead of HTTPS. Weakness: CWE-829: Inclusion of Functionality from Untrusted Control Sphere Severity: High CVSS: 8.1 Detection: CodeQL & OpenRewrite (https://public.moderne.io/recipes/org.openrewrite.maven.security.UseHttpsForRepositories) Reported-by: Jonathan Leitschuh Signed-off-by: Jonathan Leitschuh Bug-tracker: https://github.com/JLLeitschuh/security-research/issues/8 Co-authored-by: Moderne --- pom.xml | 4 ++-- .../plugins/patch/windows-gitstyle.patch | 18 +++++++++--------- 2 files changed, 11 insertions(+), 11 deletions(-) diff --git a/pom.xml b/pom.xml index eaced7f..73cdb55 100644 --- a/pom.xml +++ b/pom.xml @@ -25,14 +25,14 @@ repo.jenkins-ci.org - http://repo.jenkins-ci.org/public/ + https://repo.jenkins-ci.org/public/ repo.jenkins-ci.org - http://repo.jenkins-ci.org/public/ + https://repo.jenkins-ci.org/public/ diff --git a/src/test/resources/org/jenkinsci/plugins/patch/windows-gitstyle.patch b/src/test/resources/org/jenkinsci/plugins/patch/windows-gitstyle.patch index f02b473..59c8329 100644 --- a/src/test/resources/org/jenkinsci/plugins/patch/windows-gitstyle.patch +++ b/src/test/resources/org/jenkinsci/plugins/patch/windows-gitstyle.patch @@ -1,9 +1,9 @@ -diff --git some/Foo.txt another/Foo.txt -index 11111..22222 33333 ---- a/Foo.txt -+++ b/Foo.txt -@@ -1,3 +1,3 @@ bogus - aaa --bbb -+bbb2 - ccc +diff --git some/Foo.txt another/Foo.txt +index 11111..22222 33333 +--- a/Foo.txt ++++ b/Foo.txt +@@ -1,3 +1,3 @@ bogus + aaa +-bbb ++bbb2 + ccc
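Review bot: the pom.xml hunk (`@@ -25,14 +25,14 @@`) switches both `repo.jenkins-ci.org` entries from `http://repo.jenkins-ci.org/public/` to `https://repo.jenkins-ci.org/public/`, which is the right scope for the two declarations it touches, but it covers only lines 25-38 of the file. Please confirm that no other `http://` URL remains elsewhere in pom.xml and that the parent POM this project inherits from does not reintroduce a plain-HTTP repository, since a single remaining HTTP repository would leave the CWE-829 exposure the commit message describes in place even after this change.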
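Review bot: the second hunk (`@@ -1,9 +1,9 @@` in src/test/resources/org/jenkinsci/plugins/patch/windows-gitstyle.patch) removes and re-adds all nine lines with identical visible content, so the only difference is in bytes that do not show in the diff, most likely line endings or trailing whitespace. This file is a test fixture whose name indicates it exists to exercise Windows-style patches, so normalizing its line endings may change what the test actually checks, and it has nothing to do with the HTTPS fix described in the commit message. Suggest dropping this file from the commit (for example with `git checkout -- src/test/resources/org/jenkinsci/plugins/patch/windows-gitstyle.patch` before amending), or, if the tooling rewrote it, protecting it with a `.gitattributes` entry such as `*.patch -text` so the fixture keeps its intended encoding.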