
Gradle Wrapper Validation Action

This action validates the checksums of Gradle Wrapper JAR files present in the source tree and fails if unknown Gradle Wrapper JAR files are found.

The Gradle Wrapper Problem in Open Source

The gradle-wrapper.jar is a binary blob of executable code that is checked into nearly 2.8 million GitHub repositories.

Searching across GitHub you can find many pull requests (PRs) with helpful titles like 'Update to Gradle xxx'. Many of these PRs are contributed by individuals outside of the organization maintaining the project.

Many maintainers are incredibly grateful for these kinds of contributions, as they take an item off their backlog. We assume that most maintainers do not consider the security implications of accepting the Gradle Wrapper binary from external contributors; open source maintainers extend a certain amount of blind trust. Further compounding the issue, the diff to gradle-wrapper.jar that maintainers are greeted with in these PRs most often looks like this.

[Image: a GitHub diff of gradle-wrapper.jar showing the text 'Binary file not shown.']

A fairly simple social engineering supply chain attack against open source would be to contribute a helpful “Updated to Gradle xxx” PR that contains malicious code hidden inside this binary JAR. A malicious gradle-wrapper.jar could execute, download, or install arbitrary code while otherwise behaving like a completely normal gradle-wrapper.jar.

Solution

We have created a simple GitHub Action that can be applied to any GitHub repository. This GitHub Action will do one simple task: verify that any and all gradle-wrapper.jar files in the repository match the SHA-256 checksums of any of our official releases.

If any are found that do not match the SHA-256 checksums of our official releases, the action will fail.

Additionally, the action will find and SHA-256 hash all homoglyph variants of files named gradle-wrapper.jar, for example a file named gradlе-wrapper.jar (which uses a Cyrillic е instead of e). The goal is to prevent homoglyph attacks which may be very difficult to spot in a GitHub diff. We created an example Homoglyph attack PR here.
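The same check, written out as a stand-alone script rather than the action's own TypeScript (this is an added example, not code from gradle/wrapper-validation-action): it walks a source tree, treats any file whose name is gradle-wrapper.jar or a homoglyph spelling of it as a wrapper JAR, hashes each with SHA-256 and compares against a set of trusted checksums. The confusables table is a constructed subset, and the "trusted" checksum in the demo is computed from a constructed stand-in blob rather than a real Gradle release.

```python
import hashlib
import tempfile
from pathlib import Path

TARGET = "gradle-wrapper.jar"
# Constructed subset of Unicode look-alikes for the letters in TARGET; the real
# action uses a full confusables table (assumption about its internals).
CONFUSABLES = {"\u0430": "a", "\u0435": "e", "\u0440": "p", "\u0458": "j",
               "\u0501": "d", "\u0261": "g", "\u0456": "i", "\u043e": "o"}

def skeleton(name: str) -> str:
    """Map confusable characters to their Latin look-alike, then lower-case."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in name).lower()

def is_wrapper_name(name: str) -> bool:
    """True for gradle-wrapper.jar and any homoglyph spelling of it."""
    return skeleton(name) == TARGET

def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def validate_wrappers(root: Path, trusted: set):
    """Hash every wrapper-named file under root; return (all_trusted, findings)."""
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or not is_wrapper_name(path.name):
            continue
        digest = sha256_of(path)
        verdict = "trusted" if digest in trusted else "UNKNOWN"
        if path.name != TARGET:
            verdict += " (homoglyph file name)"  # looks like TARGET but is not
        findings.append((path.relative_to(root).as_posix(), digest, verdict))
    return all(v == "trusted" for _, _, v in findings), findings

def demo():
    """Constructed tree: one good jar, one tampered copy, one homoglyph look-alike."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        good = b"PK\x03\x04 constructed stand-in for an official wrapper jar"
        trusted = {hashlib.sha256(good).hexdigest()}  # stands in for published sums
        (root / "gradle" / "wrapper").mkdir(parents=True)
        (root / "gradle" / "wrapper" / TARGET).write_bytes(good)
        (root / "sub").mkdir()
        (root / "sub" / TARGET).write_bytes(good + b"\x00injected")
        (root / "sub" / "gradl\u0435-wrapper.jar").write_bytes(b"not an official jar")
        (root / "sub" / "other.jar").write_bytes(good)  # not a wrapper name: ignored
        return validate_wrappers(root, trusted)
```

Run on a real checkout by replacing the constructed `trusted` set with Gradle's published SHA-256 checksums and calling `validate_wrappers(Path("."), trusted)`; a non-empty set of "UNKNOWN" findings is the condition under which the action fails.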

Usage

Add to an existing Workflow

Simply add this action to your workflow after having checked out your source tree and before running any Gradle build:

uses: gradle/wrapper-validation-action@v1

Add a new dedicated Workflow

Here's a sample complete workflow you can add to your repositories:

.github/workflows/gradle-wrapper-validation.yml

name: "Validate Gradle Wrapper"
on: [push, pull_request]

jobs:
  validation:
    name: "Validation"
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: gradle/wrapper-validation-action@v1

Contributing to an external GitHub Repository

Since GitHub Actions are completely free for open source projects and are automatically enabled on almost all projects, adding this check to a project's build is as simple as contributing a PR. Enabling the check requires no overhead on behalf of the project maintainer beyond merging the action.

You can add this action to your favorite Gradle based project without checking out their source locally via the GitHub Web UI thanks to the 'Create new file' button.

[Image: the GitHub 'Create new file' button bar]

Simply add a new file named .github/workflows/gradle-wrapper-validation.yml with the contents mentioned above.

We recommend the following commit message contents:

  • Title: Official Gradle Wrapper Validation Action
  • Body (at minimum): See: https://github.com/gradle/wrapper-validation-action

From there, you can easily follow the rest of the prompts to create a Pull Request against the project.

Reporting Failures

If this GitHub action fails because a gradle-wrapper.jar doesn't match one of our published SHA-256 checksums, we highly recommend that you reach out to us at [email protected].

Note: gradle-wrapper.jar files generated by Gradle 3.3 to 4.0 are not verifiable, because those files were dynamically generated by Gradle in a non-reproducible way. It is not possible to verify that the gradle-wrapper.jar for those versions is legitimate using a hash comparison. You should try to determine whether the gradle-wrapper.jar was generated by one of these versions before running the build.

If the Gradle version in gradle-wrapper.properties is out of this range, you may need to regenerate the gradle-wrapper.jar by running ./gradlew wrapper. If you need to use a version of Gradle between 3.3 and 4.0, you can use a newer version of Gradle to generate the gradle-wrapper.jar.

If you're curious and want to explore the differences between the gradle-wrapper.jar in your possession and one of our valid releases, you can compare them using this online utility: diffoscope. Regardless of what you find, we still kindly request that you reach out to us and let us know.

Resources

To learn more about verifying the Gradle Wrapper JAR locally, see our guide on the topic.
