How to enforce a strict Maven dependency policy (dependency chain attack)

Question

I would like to enforce a strict Maven dependency policy which goes beyond the basic checksumPolicy=fail approach.

This is an attempt to provide protection against a modified release dependency which still has a valid digest value, also known as a "dependency chain attack".

This situation could arise from the following scenarios:

  • A dependency has been updated but the author has not bumped the version number and has managed to overwrite the earlier release (or their repository account has been compromised)
  • A man-in-the-middle attack is in place (rewriting the artifact and its hash on the fly)
  • The repository itself has been compromised

In discussions with other developers one approach to combat the above is to have a list of known MD5/SHA digests in the pom.xml and have Maven verify that the downloaded dependency has the same digest. This ensures that so long as the source code repository remains secure, any included dependencies that have been compromised will be detected.

Thus my question is twofold:

  1. Is there another approach that would work more effectively?
  2. Is there any existing implementation/plugin that does this?

Answer

If anyone is wrestling with this issue themselves I've created a Maven Enforcer Plugin Rule that deals with it. You can specify a list of artifact URNs that include the expected SHA1 hash value and have the enforcer verify that this is indeed what is being used in the build.

It is available through Maven Central under MIT license, with source code in GitHub here: https://github.com/gary-rowe/BitcoinjEnforcerRules

While the project indicates that it is for the Bitcoinj library, it is actually a general purpose solution which could be included in any security conscious build process. It will also scan your existing project and identify any problem area while it automatically builds the whitelist for you.

Below is an example of the configuration you'd require in your project to use it.

<build>
  <plugins>
    ...
      <!-- Use the Enforcer to verify build integrity -->
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-enforcer-plugin</artifactId>
        <version>1.2</version>
        <executions>
          <execution>
            <id>enforce</id>
            <phase>verify</phase>
            <goals>
              <goal>enforce</goal>
            </goals>
            <configuration>
              <rules>
                <digestRule implementation="uk.co.froot.maven.enforcer.DigestRule">

                  <!-- Create a snapshot to build the list of URNs below -->
                  <buildSnapshot>true</buildSnapshot>

                  <!-- List of required hashes -->
                  <!-- Format is URN of groupId:artifactId:version:type:classifier:scope:hash -->
                  <!-- classifier is "null" if not present -->
                  <urns>

                    <urn>antlr:antlr:2.7.7:jar:null:compile:83cd2cd674a217ade95a4bb83a8a14f351f48bd0</urn>
                    <urn>dom4j:dom4j:1.6.1:jar:null:compile:5d3ccc056b6f056dbf0dddfdf43894b9065a8f94</urn>
                    <urn>org.bouncycastle:bcprov-jdk15:1.46:jar:null:compile:d726ceb2dcc711ef066cc639c12d856128ea1ef1</urn>
                    <urn>org.hibernate.common:hibernate-commons-annotations:4.0.1.Final:jar:null:compile:78bcf608d997d0529be2f4f781fdc89e801c9e88</urn>
                    <urn>org.hibernate.javax.persistence:hibernate-jpa-2.0-api:1.0.1.Final:jar:null:compile:3306a165afa81938fc3d8a0948e891de9f6b192b</urn>
                    <urn>org.hibernate:hibernate-core:4.1.8.Final:jar:null:compile:82b420eaf9f34f94ed5295454b068e62a9a58320</urn>
                    <urn>org.hibernate:hibernate-entitymanager:4.1.8.Final:jar:null:compile:70a29cc959862b975647f9a03145274afb15fc3a</urn>
                    <urn>org.javassist:javassist:3.15.0-GA:jar:null:compile:79907309ca4bb4e5e51d4086cc4179b2611358d7</urn>
                    <urn>org.jboss.logging:jboss-logging:3.1.0.GA:jar:null:compile:c71f2856e7b60efe485db39b37a31811e6c84365</urn>
                    <urn>org.jboss.spec.javax.transaction:jboss-transaction-api_1.1_spec:1.0.0.Final:jar:null:compile:2ab6236535e085d86f37fd97ddfdd35c88c1a419</urn>

                    <!-- A check for the rules themselves -->
                    <urn>uk.co.froot.maven.enforcer:digest-enforcer-rules:0.0.1:jar:null:runtime:16a9e04f3fe4bb143c42782d07d5faf65b32106f</urn>

                  </urns>

                </digestRule>
              </rules>
            </configuration>
          </execution>
        </executions>

        <!-- Ensure we download the enforcer rules -->
        <dependencies>
          <dependency>
            <groupId>uk.co.froot.maven.enforcer</groupId>
            <artifactId>digest-enforcer-rules</artifactId>
            <version>0.0.1</version>
          </dependency>
        </dependencies>

      </plugin>
    ...
  </plugins>
</build>
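As an added example (not code from the answer above or from the digest-enforcer-rules project), the following Python script performs the same comparison outside of Maven, which is useful for auditing a build agent's local repository or for cross-checking the whitelist with a second tool. It parses URNs in the groupId:artifactId:version:type:classifier:scope:hash form shown in the configuration, resolves each one to the standard local-repository layout (<group as path>/<artifactId>/<version>/<artifactId>-<version>[-<classifier>].<type> under a root such as ~/.m2/repository), and compares the file's SHA-1 with the pinned value. The repository root, the com.example coordinates and the jar contents in demo() are constructed for this example; the "jars" are arbitrary bytes, not real archives.

```python
"""Audit a local Maven repository against a list of pinned artifact digests.

Added example: this is not the original answer's code nor part of the
digest-enforcer-rules project. It performs the same comparison outside
Maven, using the URN format from the configuration above:
groupId:artifactId:version:type:classifier:scope:sha1
"""
import hashlib
import os
import tempfile
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ArtifactUrn:
    group_id: str
    artifact_id: str
    version: str
    artifact_type: str
    classifier: Optional[str]   # None when the URN carries the literal "null"
    scope: str
    sha1: str

    def relative_path(self) -> str:
        """Path of the artifact under a standard Maven local repository root."""
        name = f"{self.artifact_id}-{self.version}"
        if self.classifier:
            name += f"-{self.classifier}"
        name += f".{self.artifact_type}"
        return os.path.join(*self.group_id.split("."), self.artifact_id,
                            self.version, name)


def parse_urn(urn: str) -> ArtifactUrn:
    """Parse one whitelist URN; reject anything that is not 7 fields plus a valid SHA-1."""
    parts = urn.strip().split(":")
    if len(parts) != 7:
        raise ValueError(f"expected 7 colon-separated fields, got {len(parts)}: {urn!r}")
    group, artifact, version, atype, classifier, scope, sha1 = parts
    sha1 = sha1.lower()
    if len(sha1) != 40 or any(c not in "0123456789abcdef" for c in sha1):
        raise ValueError(f"malformed SHA-1 in {urn!r}")
    return ArtifactUrn(group, artifact, version, atype,
                       None if classifier == "null" else classifier, scope, sha1)


def sha1_of_file(path: str) -> str:
    """Stream the file through SHA-1 so large jars do not need to fit in memory."""
    digest = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_repository(repo_root: str, urns: List[str]) -> Dict[str, str]:
    """Map each URN to "ok", "mismatch" (digest differs) or "missing" (file absent).

    "mismatch" is the interesting case: the artifact on disk is not the one that
    was pinned, whether because it was re-published under the same version,
    altered in transit, or altered in the repository.
    """
    results: Dict[str, str] = {}
    for raw in urns:
        art = parse_urn(raw)
        path = os.path.join(repo_root, art.relative_path())
        if not os.path.isfile(path):
            results[raw] = "missing"
        elif sha1_of_file(path) != art.sha1:
            results[raw] = "mismatch"
        else:
            results[raw] = "ok"
    return results


def demo() -> Dict[str, str]:
    """Build a constructed repository in a temp dir and audit it.

    The com.example coordinates and the jar bytes are made up for this example."""
    root = tempfile.mkdtemp(prefix="m2-demo-")
    pristine = b"PK\x03\x04 constructed bytes standing in for demo-lib-1.0.jar"
    altered = b"PK\x03\x04 same coordinates, but a class was swapped in"
    pinned = hashlib.sha1(pristine).hexdigest()   # digest recorded when the pom was written
    urns = [
        f"com.example:demo-lib:1.0:jar:null:compile:{pinned}",
        f"com.example:demo-lib:1.0:jar:tests:test:{pinned}",    # file on disk will differ
        f"com.example:absent:2.0:jar:null:compile:{'0' * 40}",  # never downloaded
    ]
    for urn, data in ((urns[0], pristine), (urns[1], altered)):
        path = os.path.join(root, parse_urn(urn).relative_path())
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return verify_repository(root, urns)


if __name__ == "__main__":
    for urn, status in demo().items():
        print(f"{status:8s} {urn}")
```

To run it against a real repository, copy the <urn> entries from the pom into a list and call verify_repository(os.path.expanduser("~/.m2/repository"), urns). Two caveats apply equally to the enforcer rule: the check is only as trustworthy as the tool doing the checking (hence the answer's self-referential URN for digest-enforcer-rules), and the pinned digests must come from a copy of the artifact you trusted at the time, since a hash taken after the artifact was swapped would just whitelist the swap.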
