This message was deleted Gradle Community #community-support

Join Slack

This message was deleted.

# community-support

Slackbot

03/02/2023, 2:33 AM

This message was deleted.

Jonathan Leitschuh

03/02/2023, 2:42 AM

What part of the build is making the request?

Dan Schaffer

03/02/2023, 2:46 AM

Looks like configuration. See attached log from the build.

log.txt

ephemient

03/02/2023, 3:00 AM

the ear plugin itself doesn't pull in any external resources, https://github.com/gradle/gradle/blob/v4.10.3/subprojects/ear/src/main/java/org/gradle/plugins/ear/EarPlugin.java

Dan Schaffer

03/02/2023, 3:59 AM

But what is making gradle reach out to the CDN on port 80 and is there a way to prevent it from doing that?

ephemient

03/02/2023, 4:03 AM

maybe a buildscript repository? hard to say without seeing more of your configuration

Dan Schaffer

03/02/2023, 4:35 AM

I packaged up our pretty complex gradle configuration in the attached. The key files are the top level build.gradle, settings.gradle and the product/ear/ear.gradle.

gradle.tar.gz

Dan Schaffer

03/02/2023, 4:41 AM

there is a buildscript in the top level build.gradle

ephemient

03/02/2023, 5:33 AM

stubbing it out to the best of my ability and running through a sniffing proxy, configuring that doesn't result in any insecure HTTP fetches for me

ephemient

03/02/2023, 5:34 AM

perhaps your maven server is redirecting some assets to other HTTP URLs

Vampire

03/02/2023, 12:47 PM

Also, in your posted log you do not show the request that is made that should be logged on

--info

or possibly

--debug

and a

--stacktrace

would maybe also be helpful to see where exactly the request is coming from.

Vampire

03/02/2023, 12:51 PM

Btw. be aware that you just published passwords

Dan Schaffer

03/02/2023, 1:12 PM

oh dear 😞

Dan Schaffer

03/02/2023, 1:12 PM

I tried the various info debug stacktrace and scan options but none yielded any additional info

Dan Schaffer

03/02/2023, 1:14 PM

thanks for looking at this guys!

Vampire

03/02/2023, 3:19 PM

Are you sure there is no additional info? Sometimes, you are just not seeing it, but people with more experience reading Gradle logs might see additional information. Especially the

--stacktrace

output must provide additional helpful information, as in your shown output there is no information at all where the issue comes from.

Dan Schaffer

03/02/2023, 5:05 PM

Thanks for being so helpful Vampire. Attaching a full log with --debug and --stacktrace

fullLog.txt

Vampire

03/02/2023, 7:56 PM

There, all necessary info is in the stacktrace. 🙂 While Gradle tries to parse

product/ear/src/main/application/META-INF/application.xml

this exception happens. So it should be something in your descriptor that references that URL that is accessed.

Dan Schaffer

03/03/2023, 3:02 PM

oh excellent. One of my colleagues just hypothesized the same thing when he looked at it! You the man vampire!

Jonathan Leitschuh

03/03/2023, 3:04 PM

Was the XML parser loading a DTD over HTTP or something?

Dan Schaffer

03/03/2023, 3:06 PM

That's the hypothesis. About to test

Jonathan Leitschuh

03/03/2023, 3:07 PM

Running in

--offline

mode was how I found this vulnerability in Checkstyle: https://nvd.nist.gov/vuln/detail/CVE-2019-9658

Dan Schaffer

03/03/2023, 9:44 PM

this did indeed prove to be the solution. Thanks so much folks!

👌 1

10 Views

Open in Slack

Previous Next