Properties Missing Distribution Checksum

Description

Detects when Gradle configuration files are missing checksum verification for dependency downloads. Without checksum verification, attackers could potentially replace legitimate dependencies with malicious ones during the download process, compromising build security.

Weakness:

447 - Supply Chain Attack - Gradle

Category: Functionality Abuse

Detection Strategy

• Check if Gradle configuration files contain properties related to checksum verification

• Report a vulnerability when checksum verification settings are absent for dependency downloads

• Analyze each line in gradle.properties files looking for missing security verification properties

Vulnerable code example

distributionBase=GRADLE_USER_HOME
distributionPath=wrapper/dists
zipStoreBase=GRADLE_USER_HOME
zipStorePath=wrapper/dists
distributionUrl=https\://services.gradle.org/distributions/gradle-7.6.1-bin.zip  # Vulnerable: Missing distributionSha256Sum verification for download integrity

✅ Secure code example

distributionBase=GRADLE_USER_HOME
distributionPath=wrapper/dists
zipStoreBase=GRADLE_USER_HOME
zipStorePath=wrapper/dists
# Secure: SHA-256 verification ensures downloaded file integrity
distributionUrl=https\://services.gradle.org/distributions/gradle-7.6.1-bin.zip
distributionSha256Sum=6147605a23b4eff6c334927a86ff3508cb5d6722cd624c97ded4c2e8640f1f87

Free trial

Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.