Access to search.maven.org is in clear HTTP #1325
Comments
|
After looking into it, I see that it defaults to http (in CentralSearch.java), and sets HTTPS only if it finds a https attribute. For a security tool - I find this strange. It should default to HTTPS and use HTTPS only for accessing maven. |
|
This code hasn't been touched in years - if memory serves, at that time not all artifacts were served over HTTPS. However, that has since changed and the service no longer includes the flag indicating if the artifact could be served over HTTPS. As such, we can get rid of the check for the ability to use HTTPS and just default to secure. Thanks for pointing this out |
|
No problem :-) |
|
Ack - when I read the report I quickly pushed: aece99b I don't think a PR is needed... |
|
I was hoping this would be my contribution to a wonderful open source project. |
|
This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs. |
Security issue:
When running (at least the command line scanner) for JAR files, it accesses most resources in HTTPS but for some reason it accesses search.maven.org/remotecontent?filepath= in clear.
This is because the MavenArtifact does this:
private static final String CENTRAL_CONTENT_URL = "//search.maven.org/remotecontent?filepath=";
As opposed to the solrsearch that is configured in the properties file:
analyzer.central.url=https://search.maven.org/solrsearch/select
The text was updated successfully, but these errors were encountered: