• CodeQL query help documentation »
• CodeQL query help for Java and Kotlin »

Depending upon JCenter/Bintray as an artifact repository

ID: java/maven/dependency-upon-bintray
Kind: problem
Security severity: 6.5
Severity: error
Precision: very-high
Tags:
   - security
   - external/cwe/cwe-1104
Query suites:
   - java-code-scanning.qls
   - java-security-extended.qls
   - java-security-and-quality.qls

Click to see the query in the CodeQL repository

Bintray and JCenter are shutting down on February 1st, 2022. Relying upon repositories that are deprecated or scheduled to be shutdown can have unintended consequences; for example, artifacts being resolved from a different artifact server or a total failure of the CI build.

When artifact repositories are left unmaintained for a long period of time, vulnerabilities may emerge. Theoretically, this could allow attackers to inject malicious code into the artifacts that you are resolving and infect build artifacts that are being produced. This can be used by attackers to perform a supply chain attack against your project’s users.

Recommendation

Always use the canonical repository for resolving your dependencies.

Example

The following example shows locations in a Maven POM file where artifact repository upload/download is configured. The use of Bintray in any of these locations is not advised.

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">

    <modelVersion>4.0.0</modelVersion>

    <groupId>com.semmle</groupId>
    <artifactId>parent</artifactId>
    <version>1.0</version>
    <packaging>pom</packaging>

    <name>Bintray Usage</name>
    <description>An example of using bintray to download and upload dependencies</description>

    <distributionManagement>
        <repository>
            <id>jcenter</id>
            <name>JCenter</name>
            <!-- BAD! Don't use JCenter -->
            <url>https://jcenter.bintray.com</url>
        </repository>
        <snapshotRepository>
            <id>jcenter-snapshots</id>
            <name>JCenter</name>
            <!-- BAD! Don't use JCenter -->
            <url>https://jcenter.bintray.com</url>
        </snapshotRepository>
    </distributionManagement>
    <repositories>
        <repository>
            <id>jcenter</id>
            <name>JCenter</name>
            <!-- BAD! Don't use JCenter -->
            <url>https://jcenter.bintray.com</url>
        </repository>
    </repositories>
    <repositories>
        <repository>
            <id>jcenter</id>
            <name>JCenter</name>
            <!-- BAD! Don't use Bintray -->
            <url>https://dl.bintray.com/groovy/maven</url>
        </repository>
    </repositories>
    <pluginRepositories>
        <pluginRepository>
            <id>jcenter-plugins</id>
            <name>JCenter</name>
            <!-- BAD! Don't use JCenter -->
            <url>https://jcenter.bintray.com</url>
        </pluginRepository>
    </pluginRepositories>
</project>

References

• JFrog blog: Into the Sunset on May 1st: Bintray, JCenter, GoCenter, and ChartCenter

• Common Weakness Enumeration: CWE-1104.

• © GitHub, Inc.
• Terms
• Privacy