Java Developer Tools

Audit - Rules - Ivy

Description
This group contains audit rules that look for potential problems in Ivy scripts.

Rules:

Details

Dynamic Dependency in Ivy

Summary
Using a dynamic dependency version is a security risk.

Description
This audit rule flags the use of a dynamic dependency version in Ivy configuration files.

Security Implications
A dynamic dependency version adds to the number of values that are left undefined until build time and that an attacker can take advantage of. Moreover, you cannot validate the quality and security of code whose version is only chosen during the build. This is an additional security risk that should be taken into consideration.

Example
The following part of an Ivy script would be flagged as a violation because it declares a dependency with a dynamically defined revision:

    <dependency org="yourorg" name="yourmodule9" rev="9.1+" conf="A,B->default">
        <include name="art1" type="jar" conf="A,B"/>
        <include name="art2" type="jar" conf="A"/>
    </dependency>
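
A check of this kind can be reproduced outside the audit tool. The following is an added example, not the tool's own implementation: it parses an Ivy file and reports every dependency whose rev is one of the dynamic forms Ivy accepts (a trailing "+", latest.<status>, or a version range). The function name and the sample file are assumptions; only the first dependency comes from the example above.

```python
import re
import xml.etree.ElementTree as ET

# Revision forms that Ivy resolves at build time instead of pinning:
#   latest.integration, latest.release, latest.<status>
#   prefix match ending in "+"            (e.g. 9.1+)
#   version ranges                        (e.g. [1.0,2.0], [1.0,2.0[, [1.0,) )
DYNAMIC_REV = re.compile(r"^(latest\.\w+|.*\+|[\[\]\(].*,.*[\[\]\)])$")

# Constructed sample ivy.xml; only the first dependency is taken from the page.
SAMPLE_IVY = """\
<ivy-module version="2.0">
  <info organisation="yourorg" module="app"/>
  <dependencies>
    <dependency org="yourorg" name="yourmodule9" rev="9.1+" conf="A,B->default">
      <include name="art1" type="jar" conf="A,B"/>
    </dependency>
    <dependency org="yourorg" name="pinned" rev="9.1.3"/>
    <dependency org="yourorg" name="ranged" rev="[1.0,2.0["/>
    <dependency org="yourorg" name="newest" rev="latest.integration"/>
  </dependencies>
</ivy-module>
"""


def find_dynamic_dependencies(ivy_xml):
    """Return (org, name, rev) for each dependency with a dynamic revision."""
    root = ET.fromstring(ivy_xml)
    findings = []
    for dep in root.iter("dependency"):
        rev = dep.get("rev", "").strip()
        if DYNAMIC_REV.match(rev):
            findings.append((dep.get("org"), dep.get("name"), rev))
    return findings


if __name__ == "__main__":
    # Print one line per violation, suitable for failing a CI step.
    for org, name, rev in find_dynamic_dependencies(SAMPLE_IVY):
        print(f"dynamic revision: {org}#{name} rev={rev!r}")
```

Replacing each reported rev with the exact version that was reviewed (for example 9.1.3 instead of 9.1+) clears the finding.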

External Dependency in Ivy
