Maven supply chain weaknesses

Low
cjmamo published GHSA-7wcp-7vh5-mpc8 May 24, 2024

Package

No package listed

Affected versions

>= 2.0.0-M1, <= 2.0.0-RC4

Patched versions

None

Description

Impact

Here are some action items that the Smooks maintainers need to implement for v2 to close identified Maven supply chain attack vectors:

  1. Publish the public key for verifying Smooks artifacts in SECURITY.md and contribute the PGP fingerprint to the PGP keys map. As things stand, there's no way to verify that the Smooks maintainers really uploaded the artifacts to Maven Central. If an attacker gains control of Smooks's Maven distribution (e.g., because of domain hijacking), they can easily generate a PGP key pair, sign a malicious Smooks artifact with the private key, and push the public key to the key server. The Smooks developer can't know that the public key was generated by the attacker.

  2. Run PGPVerify Maven Plugin together with a KeysMap configuration on each CI build of Smooks to guard against dependency hijacking. It might not be possible to verify all dependencies since some dependencies might be unsigned. In such cases, we should get in touch with the dependency maintainers and nudge them to sign their artifacts or drop the dependency from the project.
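An added example (not from the advisory or the Smooks project) of what item 2 looks like in a Maven build: the pgpverify-maven-plugin `check` goal run against a version-controlled keys map, failing the build when an artifact is unsigned or signed by a key other than the pinned one. The `${pgpverify.version}` property, the `com.example` coordinates and the fingerprint in the keys map comment are placeholders.

```xml
<!-- pom.xml fragment: fail the build unless every dependency and plugin
     is signed by a key pinned in pgp-keys-map.list -->
<build>
  <plugins>
    <plugin>
      <groupId>org.simplify4u.plugins</groupId>
      <artifactId>pgpverify-maven-plugin</artifactId>
      <!-- placeholder: pin to a concrete released version in a real build -->
      <version>${pgpverify.version}</version>
      <executions>
        <execution>
          <id>verify-signatures</id>
          <goals>
            <goal>check</goal>
          </goals>
        </execution>
      </executions>
      <configuration>
        <!-- groupId:artifactId to fingerprint mapping, reviewed and committed with the code -->
        <keysMapLocation>${project.basedir}/pgp-keys-map.list</keysMapLocation>
        <!-- also check the .pom files and the build plugins, not only the jars -->
        <verifyPomFiles>true</verifyPomFiles>
        <verifyPlugins>true</verifyPlugins>
        <!-- an unsigned artifact breaks the build unless it is explicitly listed as noSig -->
        <failNoSignature>true</failNoSignature>
      </configuration>
    </plugin>
  </plugins>
</build>

<!--
  pgp-keys-map.list (one entry per line; coordinates and fingerprint are placeholders):

    # every artifact of this group must be signed by the pinned key
    com.example:*:* = 0x0000000000000000000000000000000000000000
    # an audited dependency whose maintainers do not sign yet; accepted explicitly
    # rather than silently, so the exception is visible in review
    com.example.legacy:unsigned-lib:1.0.0 = noSig
-->
```

A key that is not in the map, or a signature that does not verify, fails the build even if the key is available on a key server, which is exactly the case the advisory describes where an attacker uploads their own public key.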

Smooks 1 is a bigger headache because it's published under the Maven groupId org.milyn and the milyn.org domain is up for sale according to GoDaddy. The developer shouldn't trust any new Smooks artifacts published under the groupId org.milyn and shouldn't use version ranges to pull down Smooks 1 dependencies. However, I got in touch with Sonatype and here is what they had to say:

Namespaces that were identified in the MavenGate blog post have had all access to publish removed, pending original authors proving identity. Nothing new can be published until someone goes through that process.

org.milyn is among the list of identified namespaces, so we are covered.

References

Severity

Low

CVE ID

No known CVE

Weaknesses

No CWEs

Credits