
Run android-validate-gradle-wrapper on every matching push #6863

Merged
merged 1 commit into from
Sep 25, 2024

Conversation

faern
Member

@faern faern commented Sep 25, 2024

This prevents the following possible ways of committing a malicious gradle-wrapper.jar to the repository:

  • Committing to another path than the one previously specified
  • Pushing to main without going through a PR

Please see these three comments for context: ossf/scorecard#4097 (comment)

I have not yet verified if scorecard will treat this new setup as a warning or not. But my impression was that the scorecard contributor in the comments sort of agreed that their verifier should be updated anyway.

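The first bypass listed in the description (a wrapper jar committed somewhere other than the one path the checker looks at) is easiest to see with a small stand-alone check. The script below is an added illustration, not the mullvadvpn-app workflow or the upstream wrapper-validation action: it walks an entire checkout for every file named gradle-wrapper.jar, regardless of directory, hashes each one, and fails if any digest is missing from an allowlist. The allowlist and the two-jar repository layout are constructed for the demo; a real run would take the digests from Gradle's published per-version wrapper checksums rather than from a hard-coded set.

```python
"""Scan a checkout for every gradle-wrapper.jar, wherever it lives, and
verify each against an allowlist of known-good SHA-256 digests.
Added example; not the project's own verifier."""
import hashlib
import tempfile
from pathlib import Path

WRAPPER_NAME = "gradle-wrapper.jar"

# CONSTRUCTED allowlist for this demo. In a real check the digests come from
# Gradle's published wrapper checksums (the per-version wrapperChecksumUrl
# entries in https://services.gradle.org/versions/all), never from the
# repository being checked.
KNOWN_GOOD_WRAPPER = b"constructed: stand-in for a genuine gradle-wrapper.jar\n"
TRUSTED_SHA256 = {hashlib.sha256(KNOWN_GOOD_WRAPPER).hexdigest()}


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large jars do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_wrapper_jars(root: Path) -> list[Path]:
    """Return every file named gradle-wrapper.jar under root, whatever its
    directory. A checker pinned to one path (e.g. android/gradle/wrapper/)
    would never see a copy committed elsewhere."""
    return sorted(p for p in root.rglob(WRAPPER_NAME) if p.is_file())


def validate_tree(root: Path, trusted: set[str]) -> dict[str, list[str]]:
    """Classify each wrapper jar as 'ok' (digest in allowlist) or 'unexpected'.
    Paths are reported relative to root, in sorted order."""
    result: dict[str, list[str]] = {"ok": [], "unexpected": []}
    for jar in find_wrapper_jars(root):
        rel = jar.relative_to(root).as_posix()
        bucket = "ok" if sha256_of(jar) in trusted else "unexpected"
        result[bucket].append(rel)
    return result


def build_demo_checkout() -> Path:
    """Constructed repo layout: one genuine wrapper in the expected place and
    one tampered copy in a directory a narrow path filter would not cover."""
    root = Path(tempfile.mkdtemp(prefix="wrapper-demo-"))
    expected = root / "android" / "gradle" / "wrapper" / WRAPPER_NAME
    expected.parent.mkdir(parents=True)
    expected.write_bytes(KNOWN_GOOD_WRAPPER)
    stray = root / "tools" / "build" / "gradle" / "wrapper" / WRAPPER_NAME
    stray.parent.mkdir(parents=True)
    stray.write_bytes(b"constructed: tampered jar contents\n")
    return root


def run_demo() -> dict[str, list[str]]:
    """Build the constructed checkout, validate it, print a report, return it."""
    report = validate_tree(build_demo_checkout(), TRUSTED_SHA256)
    for rel in report["ok"]:
        print(f"OK          {rel}")
    for rel in report["unexpected"]:
        print(f"UNEXPECTED  {rel}  (digest not in allowlist; fail the job)")
    return report


if __name__ == "__main__":
    # Non-zero exit makes a CI step fail when any unexpected jar is found.
    raise SystemExit(1 if run_demo()["unexpected"] else 0)
```

The tampered copy under tools/build/ is reported even though it sits outside the conventional wrapper directory, which is the property a path-filtered checker lacks. The second bypass in the description, pushing straight to main, is a matter of workflow triggers rather than file scanning: the check has to run on push events as well as on pull requests, which is what this PR changes.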

@faern faern requested a review from albin-mullvad September 25, 2024 07:18
@faern faern added the Android Issues related to Android label Sep 25, 2024
Collaborator

@albin-mullvad albin-mullvad left a comment


:lgtm:

Reviewed 1 of 1 files at r1, all commit messages.
Reviewable status: :shipit: complete! all files reviewed, all discussions resolved

This prevents the following possible ways of committing a malicious
gradle-wrapper.jar to the repository:
* Committing to another path than the one previously specified
* Pushing to `main` without going through a PR
@faern faern force-pushed the improve-android-gradle-wrapper-verifier branch from 5578a7b to 158017a Compare September 25, 2024 11:02
@faern faern merged commit bea8e15 into main Sep 25, 2024
7 checks passed
@faern faern deleted the improve-android-gradle-wrapper-verifier branch September 25, 2024 11:03