The more I’ve been thinking about it, the more I’m concerned that Gradle is actually vulnerable to the exact same kinds of attacks that node is currently going through, largely because the worm is not just a supply chain attack but an attack on the CI/CD pipeline. The reason I say Gradle itself is vulnerable is because of how Gradle’s plugins work. If you update a Gradle plugin that’s been infected, you’re going to have exactly the same problem.
I do not actually think that Gradle plugins are signed either, not that that would necessarily help, because a lot of people sign things now using the CI/CD pipeline.
The only two things I can think of that would help this problem in the Java community are… post-publish approval… While the Gradle team itself requires approval for first-time publishing, which helps, it wouldn’t help if your pipeline gets infected. Now I’m not saying the Gradle team should review every single plugin published, but perhaps there should be a “send me an email and click the link to confirm the publication” step.
Another thought is that maybe we need to validate our jars in some better way. I’ve been thinking about seeing if there is a way for me to build a SHA sum on my local computer of the jar that matches what CI builds, and then perhaps throwing that into a signed annotated tag (but that sounds like a lot of work).
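As an added illustration of the local-digest idea in the post (this is example code, not something from the original poster or from the Gradle project), the script below computes the SHA-256 of a locally built jar, compares it with a digest recorded elsewhere, and shows how such a digest could be written into and read back from a signed annotated git tag. The jar paths, the manifest format, the tag name and the availability of `git` with a signing key configured are all assumptions; the `demo` function uses constructed throwaway files, not real artifacts.

```shell
#!/bin/sh
# Added example (not from the original post): verify that a jar built locally
# has the same SHA-256 as the artifact CI published, and record that digest in
# a signed annotated tag. File paths and tag names below are assumptions.

# Portable SHA-256 of a file: prefer sha256sum, fall back to shasum (macOS).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# Return 0 when the SHA-256 of file $1 equals the hex digest $2, else 1.
# Digest comparison is case-insensitive so copied-and-pasted hex still matches.
verify_digest() {
  actual=$(sha256_of "$1")
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  [ "$actual" = "$expected" ]
}

# Look up the digest for artifact name $2 in a manifest file $1 whose lines
# have the sha256sum layout "<hex digest>  <file name>" (constructed format).
digest_from_manifest() {
  awk -v n="$2" '$2 == n {print $1; exit}' "$1"
}

# Record a digest in a signed annotated tag (requires git and a configured
# signing key; this is the "signed annotated tag" idea from the post).
record_digest_in_tag() {
  tag=$1; jar=$2
  git tag -s -a "$tag" -m "sha256 $(sha256_of "$jar") $(basename "$jar")"
}

# Check the tag's signature, then read the recorded digest back out of it.
digest_from_tag() {
  git verify-tag "$1" >/dev/null 2>&1 || return 1
  git tag -l --format='%(contents)' "$1" | awk '$1 == "sha256" {print $2; exit}'
}

# Constructed demo: a "jar" that matches the manifest and a tampered copy.
demo() {
  tmp=$(mktemp -d)
  printf 'good jar bytes\n' > "$tmp/lib-1.0.jar"
  printf 'tampered bytes\n'  > "$tmp/lib-1.0-tampered.jar"
  printf '%s  lib-1.0.jar\n' "$(sha256_of "$tmp/lib-1.0.jar")" > "$tmp/MANIFEST.sha256"
  want=$(digest_from_manifest "$tmp/MANIFEST.sha256" lib-1.0.jar)
  for f in "$tmp/lib-1.0.jar" "$tmp/lib-1.0-tampered.jar"; do
    if verify_digest "$f" "$want"; then echo "OK       $f"; else echo "MISMATCH $f"; fi
  done
  rm -rf "$tmp"
}

# Run the demo only when invoked as: sh verify-jar.sh demo
case "${1:-}" in demo) demo ;; esac
```

Run it with `sh verify-jar.sh demo` to see one matching and one mismatching file; in real use you would point `verify_digest` at the jar from your local `gradle build` and at the digest taken from the CI-published artifact, and only then call `record_digest_in_tag`.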