CVE-2022-23630 Gradle is a build automation tool with support for multi-language development. It may accept a dependency that would otherwise fail the build as an untrusted external artifact.
the `external` or `untrusted` repositories, the new behavior is the same as it was in Gradle 7.3. For those users, dependency validation will now be performed at least once. If an artifact is resolved from an untrusted repository or from an external dependency, it will be validated at least once.
What is a trusted repository?
A trusted repository is a repository that Gradle trusts implicitly. For example, when using the buildSrc plugin, `gradle.buildSrc` trusts the repositories that are configured in buildSrc's settings.
If you want your dependency to be validated only once, and Gradle does not know whether it is from a trusted or untrusted repository, then you must use an external or untrusted repository.
New Features and Improvements
Gradle now offers a new behavior for the validation of artifacts from external or untrusted repositories. If an artifact is resolved from an external dependency, it will be validated at least once.
What is a dependency validator?
In Gradle, dependencies are typically resolved through a repository (e.g. JCenter or Maven Central), but you can also use an external or untrusted repository. A dependency validator is a component that executes a command on the project classpath to ensure that your dependencies are valid. In this case, we're using Gradle's dependency validator to make sure all of the required dependencies are present in the build classpath before running any tasks.
What is the difference between `defaultDependencies` and `dependencies`?
A default dependency (`defaultDependencies`) is any dependency that has not been explicitly declared for a particular project. Dependencies (`dependencies`) are those that have been specifically declared for a project.
Dependency Versioning
Dependency versioning is the practice of specifying the version of a dependency that should be used. Gradle supports two types of dependency versions which are defined as follows:
- `internal` dependencies: these usually represent a library or framework that is packaged with the project itself, but could also be provided by a plugin. For example, if you have a project that uses the Play Framework, your `internal` dependencies would be the Play Framework and any other dependencies required to use Play.
- `external` dependencies: these are libraries or frameworks that are not packaged with the project but can be pulled in from an external source such as Maven Central, JCenter, Ivy Plant Filesystem (Ivy), etc. For example, if your project has a dependency on Logback and you want to pull it in from Maven Central via an external repository (such as `mavenCentral()`), then your external dependency would be `logback-log4j-1.2.17`.
Gradle provides two ways of specifying external dependencies: `versioned` and `unversioned`. The `versioned` syntax specifies the version of an external artifact in order to ensure that it is resolved correctly when Gradle resolves it for use by your build script. For example, if you need to pull in log4j because your project uses log4j internally and needs to resolve it from Maven Central at runtime, then your package descriptor would look like this:
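As an added illustration (not part of the original page and not Gradle's own documentation), the Gradle Kotlin DSL build script below shows a versioned external dependency pinned to an exact version, together with repository content filtering so that each repository may only answer for the groups it is expected to serve, and a resolution strategy that rejects dynamic and changing versions. The artifact coordinates, the version number and the mirror URL are assumed example values.

```kotlin
// build.gradle.kts -- added example, not from the original page.
// Coordinates, version numbers and the mirror URL are assumed sample values.
plugins {
    `java-library`
}

repositories {
    // Only Maven Central may serve artifacts for the groups listed here; any
    // other repository declared in this build cannot answer for them, so a
    // lookup for these groups can never be redirected to an untrusted source.
    exclusiveContent {
        forRepository { mavenCentral() }
        filter {
            includeGroup("ch.qos.logback")
            includeGroup("org.slf4j")
        }
    }
    // An internal mirror (placeholder URL) that is restricted to the
    // organisation's own groups, so it cannot shadow public artifacts.
    maven {
        url = uri("https://repo.example.internal/maven") // placeholder
        content { includeGroupByRegex("com\\.example\\..*") }
    }
}

dependencies {
    // Versioned declaration: the exact version is pinned in the build script
    // rather than left to a range or a "latest" marker.
    implementation("ch.qos.logback:logback-classic:1.2.11") // assumed version
}

configurations.all {
    resolutionStrategy {
        // Reject "1.+" style ranges and "-SNAPSHOT" versions so that the
        // resolved artifact cannot silently change between builds.
        failOnDynamicVersions()
        failOnChangingVersions()
    }
}
```

Pinning the version and filtering repository content decide *where* an artifact may come from; they do not by themselves prove *what* was downloaded. For that, Gradle's dependency verification can be enabled by generating `gradle/verification-metadata.xml` (for example with `./gradlew --write-verification-metadata sha256 help`) and committing it, so that a later resolution of a mismatching checksum fails the build.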
Timeline
Published on: 02/10/2022 20:15:00 UTC
Last modified on: 02/17/2022 17:41:00 UTC