Java Missing Package Lock
Description
Detects when a Gradle project declares dependencies in build.gradle but has no gradle.lockfile beside it, which leaves the build exposed to supply chain attacks. Without a lockfile, Gradle re-resolves versions on every build, so dynamic or range versions (for example `2.+`) drift to whatever the repository currently serves, and a newly published or hijacked release can enter the build without any change to the source tree, potentially introducing malicious code. A lockfile pins the exact resolved version of every direct and transitive dependency, so any version change has to appear as a reviewable diff in the lockfile.
Detection Strategy
• Checks if the build.gradle file contains a 'dependencies' section
• Verifies if a gradle.lockfile exists in the same directory as the build.gradle file
• Reports a vulnerability when dependencies are declared but no gradle.lockfile is present
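The three steps above, implemented as a small scanner (an added example written for this page, not Fluid Attacks' own detector). It walks a project tree, looks for a top-level `dependencies {` block in each build script after stripping comments, and reports a finding when no `gradle.lockfile` sits in the same directory. It goes slightly beyond the rule text by also inspecting `build.gradle.kts`; the names `Finding`, `scan_project`, `make_project` and `demo` are this example's own, and the three projects it scans are constructed inline.

```python
"""Detect Gradle projects that declare dependencies but ship no gradle.lockfile."""
import re
import tempfile
from dataclasses import dataclass
from pathlib import Path

# Hypothetical names for this example; not the scanner's real identifiers.
BUILD_FILES = ("build.gradle", "build.gradle.kts")  # .kts is an extension beyond the rule text
LOCKFILE = "gradle.lockfile"

# A `dependencies {` block at the start of a line, i.e. a top-level declaration.
DEPENDENCIES_BLOCK = re.compile(r"^\s*dependencies\s*\{", re.MULTILINE)
BLOCK_COMMENT = re.compile(r"/\*.*?\*/", re.DOTALL)


@dataclass(frozen=True)
class Finding:
    build_file: Path
    message: str


def strip_comments(source: str) -> str:
    """Drop /* */ and // comments so a commented-out dependencies block is not counted."""
    source = BLOCK_COMMENT.sub("", source)
    return "\n".join(line.split("//", 1)[0] for line in source.splitlines())


def declares_dependencies(build_file: Path) -> bool:
    """Step 1: does the build script contain a dependencies section?"""
    source = strip_comments(build_file.read_text(encoding="utf-8"))
    return DEPENDENCIES_BLOCK.search(source) is not None


def scan_project(project_dir: Path) -> list[Finding]:
    """Steps 2 and 3: for every build script with dependencies, require a lockfile beside it."""
    findings: list[Finding] = []
    for name in BUILD_FILES:
        for build_file in sorted(project_dir.rglob(name)):
            if not declares_dependencies(build_file):
                continue
            if not (build_file.parent / LOCKFILE).is_file():
                findings.append(Finding(
                    build_file,
                    f"{name} declares dependencies but {LOCKFILE} is missing in {build_file.parent}",
                ))
    return findings


def make_project(root: Path, build_script: str, with_lockfile: bool) -> Path:
    """Construct a throwaway project layout for the demo (sample data, not a real build)."""
    root.mkdir(parents=True, exist_ok=True)
    (root / "build.gradle").write_text(build_script, encoding="utf-8")
    if with_lockfile:
        # Shape of the file Gradle writes with `gradle dependencies --write-locks`.
        (root / LOCKFILE).write_text(
            "# This is a Gradle generated file for dependency locking.\n"
            "com.fasterxml.jackson.core:jackson-databind:2.15.2=compileClasspath,runtimeClasspath\n"
            "empty=\n",
            encoding="utf-8",
        )
    return root


DEPENDENT_SCRIPT = (
    "plugins { id 'java' }\n"
    "repositories { mavenCentral() }\n"
    "dependencies {\n"
    "    implementation 'com.fasterxml.jackson.core:jackson-databind:2.+'  // dynamic version\n"
    "}\n"
)
NO_DEPS_SCRIPT = "plugins { id 'java' }\n// dependencies { implementation 'x:y:1.0' }\n"


def demo() -> dict[str, int]:
    """Scan three constructed projects; returns the number of findings per project."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        projects = (
            make_project(base / "unlocked", DEPENDENT_SCRIPT, with_lockfile=False),
            make_project(base / "locked", DEPENDENT_SCRIPT, with_lockfile=True),
            make_project(base / "nodeps", NO_DEPS_SCRIPT, with_lockfile=False),
        )
        return {p.name: len(scan_project(p)) for p in projects}


if __name__ == "__main__":
    for project, count in demo().items():
        print(f"{project}: {count} finding(s)")
```

Only the `unlocked` project is reported: it resolves `jackson-databind:2.+` at build time with nothing pinning the result. To remediate, enable locking in build.gradle with `dependencyLocking { lockAllConfigurations() }` and generate the file with `./gradlew dependencies --write-locks`, then commit `gradle.lockfile`. Two caveats: projects on Gradle versions older than 7 keep their locks under `gradle/dependency-locks/` instead of a single `gradle.lockfile`, so a check this literal would flag them even though they are locked; and a lockfile pins versions only, it does not verify what was downloaded, so pair it with Gradle's dependency verification (`gradle/verification-metadata.xml`) if artifact integrity matters.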