Protecting Project Integrity

Our recent security report shows that supply chain attacks targeting the build process through the Gradle Wrapper exist in the wild. This blog post explains how to protect your project, or yourself as a developer, against similar attacks.


This is a companion discussion topic for the original entry at https://blog.gradle.org/project-integrity

You could always fix "Bootstrap Gradle build using cmd-line scripts only" (Issue #11816, gradle/gradle, GitHub) so people don’t have to check in a binary wrapper…

If it is so easy to fix, feel free to open a pull request that fixes it. :wink:
Besides that, you can do similar attacks with cmd-line only scripts too.