Supply chain attacks targeting Gradle builds are real, as demonstrated by a recent attack on MinecraftOnline via a compromised Gradle Wrapper. This post covers four attack vectors in the build process and provides concrete mitigations for each: validating Gradle Wrapper JAR checksums (with a dedicated GitHub Action), enforcing Gradle distribution checksums in gradle-wrapper.properties, enabling Gradle's dependency verification feature for third-party plugins and libraries, and inspecting build scripts before running any tasks. Both project maintainers and contributors are given specific guidance, including preferring local known-good Gradle distributions over untrusted wrappers and using throwaway environments for untrusted code.
Table of contents
Introduction
How to ensure Gradle wrapper integrity?
How to ensure Gradle distribution integrity?
How to ensure third party dependencies' integrity?
How to ensure project integrity?
Conclusion
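The first two mitigations in the summary (checking the wrapper JAR's checksum and pinning the distribution checksum in gradle-wrapper.properties) as a pre-build script; this is an added example, not code from the post, and it assumes the expected JAR checksum is obtained out of band on a trusted machine (Gradle publishes a gradle-<version>-wrapper.jar.sha256 file on services.gradle.org). Every file and checksum in the demo is constructed.

```sh
#!/bin/sh
# Added example: pre-build integrity checks for a Gradle project.
# The expected wrapper JAR checksum comes from the caller, fetched on a
# trusted machine; the sample files and checksums below are constructed.

sha256_of() {
  # Portable SHA-256 of a file: coreutils on Linux, shasum on macOS.
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
  else shasum -a 256 "$1" | cut -d' ' -f1; fi
}

# Vector 1: a tampered gradle/wrapper/gradle-wrapper.jar.
# Returns 0 only when the JAR hashes to the checksum supplied by the caller.
check_wrapper_jar() {
  [ "$(sha256_of "$1")" = "$2" ]
}

# Vector 2: a wrapper that downloads an attacker-controlled distribution.
# Returns 0 only when gradle-wrapper.properties pins distributionSha256Sum and
# points at the official host over HTTPS (the colon is escaped in .properties).
check_wrapper_properties() {
  grep -q '^distributionSha256Sum=[0-9a-f]\{64\}$' "$1" || return 1
  grep -q '^distributionUrl=https\\://services.gradle.org/distributions/gradle-' "$1"
}

# Writes a constructed gradle-wrapper.properties to $1; pass "pinned" as $2 to
# include a made-up 64-hex distribution checksum, anything else to omit it.
write_sample_properties() {
  {
    printf '%s\n' 'distributionBase=GRADLE_USER_HOME' 'distributionPath=wrapper/dists'
    printf '%s\n' 'distributionUrl=https\://services.gradle.org/distributions/gradle-8.5-bin.zip'
    if [ "$2" = pinned ]; then
      printf '%s\n' 'distributionSha256Sum=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef'
    fi
    printf '%s\n' 'zipStoreBase=GRADLE_USER_HOME'
  } > "$1"
}

# Demo on constructed files: the fake "JAR" is the bytes "hello\n", whose
# SHA-256 is well known and stands in for a checksum fetched from Gradle.
demo_dir=$(mktemp -d)
printf 'hello\n' > "$demo_dir/gradle-wrapper.jar"
known=5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03
if check_wrapper_jar "$demo_dir/gradle-wrapper.jar" "$known"; then echo "wrapper jar: ok"; else echo "wrapper jar: MISMATCH"; fi
write_sample_properties "$demo_dir/good.properties" pinned
write_sample_properties "$demo_dir/bad.properties" unpinned
for f in good bad; do
  if check_wrapper_properties "$demo_dir/$f.properties"; then echo "$f.properties: ok"; else echo "$f.properties: REJECT"; fi
done
rm -rf "$demo_dir"
```

In CI, run both checks before any Gradle task and fail the job on a non-zero exit; the bad.properties case shows why a wrapper without distributionSha256Sum should be rejected rather than trusted.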