Gradle wrapper

Add more info about real-world attacks that can be prevented by setting up gradlew properly. Here's a semi-real example of what the report looks like:

Gradle Wrapper @ v2.2.9

non-standard source gradle/wrapper/gradle-wrapper.properties uses non-standard source for downloading gradle: https://services.foo.org/distributions/gradle-5.6.4-bin.zip
ERROR: gradle/wrapper/gradle-wrapper.properties must use HTTPS in distributionUrl!
gradle vs wrapper version mismatch gradle/wrapper/gradle-wrapper.jar is gradle-6.6-milestone-2-wrapper.jar, but gradle/wrapper/gradle-wrapper.properties declares http://services.foo.org/distributions/gradle-5.6.4-bin.zip as the gradle version.

There is a gradle command for upgrading the wrapper:

./gradlew wrapper --gradle-version 5.6.4 \
  --gradle-distribution-sha256-sum 1f3067073041bc44554d0efe5d402a33bc3d3c93cc39ab684f308586d732a80d
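
As an added illustration (not the checker's own code), here is a small Python checker that reads a gradle-wrapper.properties file and raises the same three findings the report above shows, plus a missing distributionSha256Sum pin. The wrapper-jar version is passed in by the caller; it is assumed to be determined elsewhere (for example by matching the jar's checksum against the list of known wrapper jars), and the sample files are constructed, not taken from a real project.

```python
import re
from urllib.parse import urlparse

STANDARD_HOST = "services.gradle.org"  # only host treated as a standard source

# Constructed sample files (not from a real project); SAMPLE_BAD mirrors the report above.
SAMPLE_BAD = """distributionBase=GRADLE_USER_HOME
distributionUrl=http\\://services.foo.org/distributions/gradle-5.6.4-bin.zip
"""
SAMPLE_GOOD = """distributionUrl=https\\://services.gradle.org/distributions/gradle-5.6.4-bin.zip
distributionSha256Sum=1f3067073041bc44554d0efe5d402a33bc3d3c93cc39ab684f308586d732a80d
"""

def parse_properties(text):
    """Minimal .properties parser; undoes the '\\:' escaping Gradle writes."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")) or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip().replace("\\:", ":")
    return props

def gradle_version_from_url(url):
    """'.../gradle-5.6.4-bin.zip' -> '5.6.4'; None if the name does not match."""
    m = re.search(r"gradle-([0-9][^/]*?)-(?:bin|all)\.zip$", url)
    return m.group(1) if m else None

def check_wrapper_properties(text, jar_version=None):
    """Return (label, message) findings. jar_version is the version the wrapper jar
    really is (assumed to be found by the caller, e.g. via the jar's checksum)."""
    findings = []
    props = parse_properties(text)
    url = props.get("distributionUrl")
    if not url:
        return [("ERROR", "gradle-wrapper.properties has no distributionUrl!")]
    parsed = urlparse(url)
    if parsed.scheme != "https":  # plain http: the download can be swapped in transit
        findings.append(("ERROR", "gradle-wrapper.properties must use HTTPS in distributionUrl!"))
    if parsed.hostname != STANDARD_HOST:
        findings.append(("non-standard source", f"uses non-standard source for downloading gradle: {url}"))
    if "distributionSha256Sum" not in props:  # no pin: any zip served from that URL is accepted
        findings.append(("no checksum", "distributionSha256Sum is not set"))
    declared = gradle_version_from_url(url)
    if jar_version and declared and jar_version != declared:
        findings.append(("gradle vs wrapper version mismatch",
                         f"gradle-wrapper.jar is gradle-{jar_version}-wrapper.jar, but distributionUrl declares {url}"))
    return findings
```

Running `check_wrapper_properties(SAMPLE_BAD, jar_version="6.6-milestone-2")` yields all four findings; `SAMPLE_GOOD` with a matching jar version yields none.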

These security measures can prevent real-world attacks that are happening in the wild! See these blog posts for more info:
Edited by Hans-Christoph Steiner