Audit - Rules - Ivy

This group contains audit rules that look for potential problems in Ivy scripts.



Dynamic Dependency in Ivy

Using a dynamic dependency version is a security risk.

This audit rule flags the use of dynamic dependency revisions in Ivy configuration files.

Security Implications
A dynamic revision (a trailing "+", "latest.integration", "latest.release", or a version range) is not resolved until build time: the build pulls whatever matching revision the repository offers at that moment, so two builds of the same source can produce different artifacts, and the build cannot be reproduced or audited later. Because the exact code being compiled in is not known in advance, it cannot be reviewed, scanned, or pinned by checksum before it is used. Anyone who can publish a newer matching revision to the repository, or who compromises an upstream publisher, gets that code into the build automatically without any change to the project. This is an additional supply-chain risk that should be taken into consideration.

The following part of an Ivy script would be flagged as a violation because it declares a dependency with a dynamic revision ("9.1+" selects the latest revision beginning with 9.1 that the repository offers at resolve time):

    <dependency org="yourorg" name="yourmodule9" rev="9.1+" conf="A,B->default">
        <include name="art1" type="jar" conf="A,B"/>
        <include name="art2" type="jar" conf="A"/>
    </dependency>
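The following is an added example, not code from the page or from the audit tool it documents: a small Python script that parses an Ivy file and reports every dependency whose "rev" attribute is one of the forms Ivy treats as dynamic (trailing "+", "latest.<status>", or a "[..,..]" / "(..,..)" version range), plus any revision that is an unexpanded "${...}" property, since those cannot be judged from the raw file. The sample ivy.xml is constructed for the example; only "yourorg" and "yourmodule9" come from the page, and the other module names and the "find_dynamic_dependencies" / "is_dynamic_revision" helper names are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Revision forms Ivy resolves dynamically (Ivy dependency docs):
#   - a revision ending in '+'               e.g. 9.1+ or 1.0.+
#   - latest.integration / latest.<status>   e.g. latest.release
#   - version ranges in [ ] ( ) notation     e.g. [1.0,2.0[ or [1.0,)
DYNAMIC_REV = re.compile(
    r"""(?:
          .*\+                                  # trailing plus
        | latest\.[A-Za-z]+                     # latest.<status>
        | [\[\]\(] [^,]* , [^\]\[\)]* [\]\[\)]  # range with an open and close bracket
        )""",
    re.VERBOSE,
)


def is_dynamic_revision(rev: str) -> bool:
    """True if Ivy would resolve this revision string at build time."""
    return DYNAMIC_REV.fullmatch(rev.strip()) is not None


def find_dynamic_dependencies(ivy_xml: str) -> list:
    """Return (org, name, rev, reason) for every dependency that is not pinned.

    reason is 'dynamic' for an Ivy dynamic revision and 'unresolved-property'
    for a ${...} placeholder, which must be checked after property expansion.
    """
    root = ET.fromstring(ivy_xml)
    findings = []
    for dep in root.iter("dependency"):
        org = dep.get("org", "")
        name = dep.get("name", "")
        rev = dep.get("rev", "")
        if "${" in rev:
            findings.append((org, name, rev, "unresolved-property"))
        elif is_dynamic_revision(rev):
            findings.append((org, name, rev, "dynamic"))
    return findings


# Constructed sample ivy.xml: one pinned dependency and four that should be flagged.
SAMPLE_IVY_XML = """<ivy-module version="2.0">
  <info organisation="yourorg" module="yourmodule"/>
  <dependencies>
    <dependency org="yourorg" name="yourmodule9" rev="9.1+" conf="A,B->default">
        <include name="art1" type="jar" conf="A,B"/>
    </dependency>
    <dependency org="yourorg" name="pinned" rev="1.4.2"/>
    <dependency org="commons-logging" name="commons-logging" rev="latest.release"/>
    <dependency org="yourorg" name="ranged" rev="[1.0,2.0["/>
    <dependency org="yourorg" name="prop" rev="${lib.version}"/>
  </dependencies>
</ivy-module>
"""

if __name__ == "__main__":
    for org, name, rev, reason in find_dynamic_dependencies(SAMPLE_IVY_XML):
        print(f"{reason}: {org}#{name};{rev}")
```

To clear a finding, replace the dynamic revision with the exact revision that was tested and reviewed; a "${...}" finding is only a prompt to re-run the check on the expanded value, since a property may legitimately hold a pinned revision.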

External Dependency in Ivy