Security Policy violation Binary Artifacts

[allstar-app]

This issue was automatically created by Allstar.

Security Policy Violation
Project is out of compliance with Binary Artifacts policy: binaries present in source code

Rule Description
Binary Artifacts are an increased security risk in your repository. Binary artifacts cannot be reviewed, allowing the introduction of possibly obsolete or maliciously subverted executables. For more information see the Security Scorecards Documentation for Binary Artifacts.

Remediation Steps
To remediate, remove the generated executable artifacts from the repository.

Artifacts Found

• java/gradle/wrapper/gradle-wrapper.jar

Additional Information
This policy is drawn from Security Scorecards, which is a tool that scores a project's adherence to security best practices. You may wish to run a Scorecards scan directly on this repository for more details.

---

This issue will auto resolve when the policy is in compliance.

Issue created by Allstar. See https://github.com/ossf/allstar/ for more information. For questions specific to the repository, please contact the owner or maintainer.

[haydentherapper]

@loosebazooka it's not happy about the jar

[loosebazooka]

It should be okay if the gradle wrapper validation is applied

[loosebazooka]

Maybe cause it's a condition run. I'll make a separate workflow run

[loosebazooka]

Actually I think the logic checks if it has run successfully on the last commit or something. @ethanent maybe has the clarification, anyway lemme fix this up.

[ethan7g]

Actually I think the logic checks if it has run successfully on the last commit or something. @ethanent maybe has the clarification, anyway lemme fix this up.

That's right iirc! Hopefully that fix works, but it does seem a little odd because the check containing the Action seems to be passing currently. We'll see!

[allstar-app]

Updating issue after ping interval. See its status below.

---

Project is out of compliance with Binary Artifacts policy: binaries present in source code

Rule Description
Binary Artifacts are an increased security risk in your repository. Binary artifacts cannot be reviewed, allowing the introduction of possibly obsolete or maliciously subverted executables. For more information see the Security Scorecards Documentation for Binary Artifacts.

Remediation Steps
To remediate, remove the generated executable artifacts from the repository.

Artifacts Found

• java/gradle/wrapper/gradle-wrapper.jar

Additional Information
This policy is drawn from Security Scorecards, which is a tool that scores a project's adherence to security best practices. You may wish to run a Scorecards scan directly on this repository for more details.

[znewman01]

We'll see if that worked...super annoying. Thanks all

[allstar-app]

Reopening issue. See its status below.

---

Project is out of compliance with Binary Artifacts policy: binaries present in source code

Rule Description
Binary Artifacts are an increased security risk in your repository. Binary artifacts cannot be reviewed, allowing the introduction of possibly obsolete or maliciously subverted executables. For more information see the Security Scorecards Documentation for Binary Artifacts.

Remediation Steps
To remediate, remove the generated executable artifacts from the repository.

Artifacts Found

• java/gradle/wrapper/gradle-wrapper.jar

Additional Information
This policy is drawn from Security Scorecards, which is a tool that scores a project's adherence to security best practices. You may wish to run a Scorecards scan directly on this repository for more details.

[loosebazooka]

I hate you all star. Maybe matching of gradle wrapper is limited to the root? no that's not it.

It looks like the constraint checker only allows tagged versions? https://github.com/ossf/scorecard/blob/ef79b9487d8f8bf6fca7b0bafc8c55049d925403/checks/raw/binary_artifact.go#L248, hash matching versions are not checked in @ethanent ?

[loosebazooka]

It looks like the constraint checker only allows tagged versions? https://github.com/ossf/scorecard/blob/ef79b9487d8f8bf6fca7b0bafc8c55049d925403/checks/raw/binary_artifact.go#L248, hash matching versions are not converted and compare @ethanent ?

[ethan7g]

It looks like the constraint checker only allows tagged versions? https://github.com/ossf/scorecard/blob/ef79b9487d8f8bf6fca7b0bafc8c55049d925403/checks/raw/binary_artifact.go#L248, hash matching versions are not converted and compare @ethanent ?

Ah yeah, that seems right. I forgot that that limitation was present in the Scorecard implementation of Action comparison

[loosebazooka]

so, maybe I'll just use version for now and add a TODO to change this.

[cpanato]

i found this issue today 😓
we can add a exeption for this if this binary is needed for the test/ci or development workflow, please let me know then i can update the rules

@loosebazooka @znewman01

[znewman01]

@cpanato: If it's easy—I'm inclined to add an exception for now until ossf/scorecard#2477 is fixed, rather than unpin the gradle-wrapper-validation action, which feels like a step backwards. That'd be great

[loosebazooka]

I feel like I'd rather unpin the gradle/wrapper-validation-action. The exception in binary validation is for all binaries

[znewman01]

Ahh okay I see. Yeah everything kinda sucks here. I'll approve your PR

[cpanato]

will ping you both in the slack to conitnue and agree

[allstar-app]

Reopening issue. See its status below.

---

Project is out of compliance with Binary Artifacts policy: binaries present in source code

Rule Description
Binary Artifacts are an increased security risk in your repository. Binary artifacts cannot be reviewed, allowing the introduction of possibly obsolete or maliciously subverted executables. For more information see the Security Scorecards Documentation for Binary Artifacts.

Remediation Steps
To remediate, remove the generated executable artifacts from the repository.

Artifacts Found

• java/gradle/wrapper/gradle-wrapper.jar

Additional Information
This policy is drawn from Security Scorecards, which is a tool that scores a project's adherence to security best practices. You may wish to run a Scorecards scan directly on this repository for more details.

[loosebazooka]

I think the wrapper validation script probably failed. weirdly not the case, this is a bit confusing

[allstar-app]

Updating issue after ping interval. See its status below.

---

Project is out of compliance with Binary Artifacts policy: binaries present in source code

Rule Description
Binary Artifacts are an increased security risk in your repository. Binary artifacts cannot be reviewed, allowing the introduction of possibly obsolete or maliciously subverted executables. For more information see the Security Scorecards Documentation for Binary Artifacts.

Remediation Steps
To remediate, remove the generated executable artifacts from the repository.

Artifacts Found

• java/gradle/wrapper/gradle-wrapper.jar

Additional Information
This policy is drawn from Security Scorecards, which is a tool that scores a project's adherence to security best practices. You may wish to run a Scorecards scan directly on this repository for more details.