Gradle wrapper
Add more info about real world attacks that can be prevented by setting up gradlew properly. Here's a semi-real example of what the report looks like:
v2.2.9
Gradle Wrapper @non-standard source
gradle/wrapper/gradle-wrapper.properties uses non-standard source for downloading gradle: https://services.foo.org/distributions/gradle-5.6.4-bin.zip
ERROR:
gradle/wrapper/gradle-wrapper.properties must use HTTPS in distributionUrl!
gradle vs wrapper version mismatch
gradle/wrapper/gradle-wrapper.jar is gradle-6.6-milestone-2-wrapper.jar, but gradle/wrapper/gradle-wrapper.properties declares http://services.foo.org/distributions/gradle-5.6.4-bin.zip as the gradle version.
There is a gradle command for upgrading the wrapper:
./gradlew wrapper --gradle-version 5.6.4 \
--gradle-distribution-sha256-sum 1f3067073041bc44554d0efe5d402a33bc3d3c93cc39ab684f308586d732a80d
Edited by Hans-Christoph Steiner
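The checks named in the report above can be sketched as follows. This is an added example, not the code of the tool that produces the report; the function names, the allow-list containing only services.gradle.org, and the sample inputs are assumptions, and the wrapper jar version is taken as already identified by the caller.

```python
import re
from urllib.parse import urlparse

# Assumption: only the official distribution host counts as a standard source.
STANDARD_HOSTS = {"services.gradle.org"}

def parse_properties(text):
    """Minimal .properties reader: key=value lines, '#'/'!' comments, escaped ':' and '='."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip().replace("\\:", ":").replace("\\=", "=")
    return props

def check_wrapper(properties_text, wrapper_jar_version=None):
    """Return a list of findings for the text of a gradle-wrapper.properties file.

    wrapper_jar_version is the Gradle version the caller identified
    gradle-wrapper.jar as; identifying the jar is outside this sketch.
    """
    props = parse_properties(properties_text)
    url = props.get("distributionUrl")
    if not url:
        return ["distributionUrl is missing"]
    findings = []
    parsed = urlparse(url)
    if parsed.scheme != "https":
        findings.append("distributionUrl must use HTTPS")
    if parsed.hostname not in STANDARD_HOSTS:
        findings.append("non-standard source: " + (parsed.hostname or url))
    # Without a pinned checksum the wrapper cannot verify what it downloaded.
    if not re.fullmatch(r"[0-9a-fA-F]{64}", props.get("distributionSha256Sum", "")):
        findings.append("distributionSha256Sum is missing or malformed")
    match = re.search(r"gradle-(.+)-(?:bin|all)\.zip$", parsed.path)
    declared = match.group(1) if match else None
    if wrapper_jar_version and declared != wrapper_jar_version:
        findings.append(f"version mismatch: jar {wrapper_jar_version}, properties {declared}")
    return findings

# Constructed samples modelled on the report above.
BAD = "distributionUrl=http\\://services.foo.org/distributions/gradle-5.6.4-bin.zip\n"
GOOD = (
    "distributionUrl=https\\://services.gradle.org/distributions/gradle-5.6.4-bin.zip\n"
    "distributionSha256Sum=1f3067073041bc44554d0efe5d402a33bc3d3c93cc39ab684f308586d732a80d\n"
)

if __name__ == "__main__":
    for finding in check_wrapper(BAD, "6.6-milestone-2"):
        print(finding)
```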