CWE-1104: Maven POM dependence upon Bintray/JCenter

Author: JLLeitschuh

java/ql/src/Security/CWE/CWE-1104/MavenPomDependsOnBintray.qhelp

@@ -0,0 +1,45 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+<overview>
+<p><a href="https://jfrog.com/blog/into-the-sunset-bintray-jcenter-gocenter-and-chartcenter/">Bintray and JCenter are shutting down on May 1st, 20201</a>.
+Relying upon repositories that are deprecated or slated to be shutdown can have unintended consequences;
+for example, artifacts being resolved from different artifact server or total breakage of the CI build.</p>
+
+<p>When artifact repositories are left unmaintained for a long period of time, vulnerabilities may emerge.
+Theoretically, this could allow attackers to inject malicious code into the artifacts that you are resolving and infect build artifacts
+that are being produced. This can be used by attackers to perform a
+<a href="https://en.wikipedia.org/wiki/Supply_chain_attack">Supply chain attack</a>
+against your project's users.
+</p>
+
+</overview>
+<recommendation>
+
+<p>Always use the cononical repository for resolving your dependencies.</p>
+
+</recommendation>
+
+<example>
+
+<p>This examples show examples of locations in Maven POM files where artifact repository upload/download is configured.
+The use of Bintray in any of these locaitons is not advised.
+</p>
+
+<sample src="bad-bintray-pom.xml" />
+
+</example>
+<references>
+<li>
+  Blog:
+  <a href="https://jfrog.com/blog/into-the-sunset-bintray-jcenter-gocenter-and-chartcenter/">
+    Into the Sunset on May 1st: Bintray, JCenter, GoCenter, and ChartCenter
+  </a>
+</li>
+
+<!--  LocalWords:  CWE maven dependencies artifact jcenter bintray
+ -->
+
+</references>
+</qhelp>

java/ql/src/Security/CWE/CWE-1104/MavenPomDependsOnBintray.ql

@@ -0,0 +1,33 @@
+/**
+ * @name Depending upon JCenter/Bintray as an artifact repository
+ * @description JCenter & Bintray are deprecated
+ * @kind problem
+ * @problem.severity error
+ * @precision very-high
+ * @id java/maven/dependency-upon-bintray
+ * @tags security
+ *       external/cwe/cwe-1104
+ */
+
+import java
+import semmle.code.xml.MavenPom
+
+private class DeclaredRepository extends PomElement {
+  DeclaredRepository() {
+    this.getName() = "repository" or
+    this.getName() = "snapshotRepository" or
+    this.getName() = "pluginRepository"
+  }
+
+  string getUrl() { result = getAChild("url").(PomElement).getValue() }
+
+  predicate isBintrayRepositoryUsage() {
+    getUrl().matches("%.bintray.com%")
+  }
+}
+
+from DeclaredRepository repository
+where repository.isBintrayRepositoryUsage()
+select repository,
+  "Downloading or uploading artifacts to deprecated repository " +
+    repository.getUrl()

java/ql/src/Security/CWE/CWE-1104/bad-bintray-pom.xml

@@ -0,0 +1,54 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+
+    <modelVersion>4.0.0</modelVersion>
+
+    <groupId>com.semmle</groupId>
+    <artifactId>parent</artifactId>
+    <version>1.0</version>
+    <packaging>pom</packaging>
+
+    <name>Bintray Usage</name>
+    <description>An example of using bintray to download and upload dependencies</description>
+
+    <distributionManagement>
+        <repository>
+            <id>jcenter</id>
+            <name>JCenter</name>
+            <!-- BAD! Don't use JCenter -->
+            <url>https://jcenter.bintray.com</url>
+        </repository>
+        <snapshotRepository>
+            <id>jcenter-snapshots</id>
+            <name>JCenter</name>
+            <!-- BAD! Don't use JCenter -->
+            <url>https://jcenter.bintray.com</url>
+        </snapshotRepository>
+    </distributionManagement>
+    <repositories>
+        <repository>
+            <id>jcenter</id>
+            <name>JCenter</name>
+            <!-- BAD! Don't use JCenter -->
+            <url>https://jcenter.bintray.com</url>
+        </repository>
+    </repositories>
+    <repositories>
+        <repository>
+            <id>jcenter</id>
+            <name>JCenter</name>
+            <!-- BAD! Don't use Bintray -->
+            <url>https://dl.bintray.com/groovy/maven</url>
+        </repository>
+    </repositories>
+    <pluginRepositories>
+        <pluginRepository>
+            <id>jcenter-plugins</id>
+            <name>JCenter</name>
+            <!-- BAD! Don't use JCenter -->
+            <url>https://jcenter.bintray.com</url>
+        </pluginRepository>
+    </pluginRepositories>
+</project>

java/ql/test/query-tests/security/CWE-1104/semmle/tests/A.java

@@ -0,0 +1,2 @@
+public class A {
+}

java/ql/test/query-tests/security/CWE-1104/semmle/tests/MavenPomDependsOnBintray.expected

@@ -0,0 +1,5 @@
+| bad-bintray-pom.xml:17:9:22:22 | repository | Downloading or uploading artifacts to depricated repository https://jcenter.bintray.com |
+| bad-bintray-pom.xml:23:9:28:30 | snapshotRepository | Downloading or uploading artifacts to depricated repository https://jcenter.bintray.com |
+| bad-bintray-pom.xml:31:9:36:22 | repository | Downloading or uploading artifacts to depricated repository https://jcenter.bintray.com |
+| bad-bintray-pom.xml:39:9:44:22 | repository | Downloading or uploading artifacts to depricated repository https://dl.bintray.com/groovy/maven |
+| bad-bintray-pom.xml:47:9:52:28 | pluginRepository | Downloading or uploading artifacts to depricated repository https://jcenter.bintray.com |

java/ql/test/query-tests/security/CWE-1104/semmle/tests/MavenPomDependsOnBintray.qlref

@@ -0,0 +1 @@
+Security/CWE/CWE-1104/MavenPomDependsOnBintray.ql

java/ql/test/query-tests/security/CWE-1104/semmle/tests/bad-bintray-pom.xml

@@ -0,0 +1,54 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+
+    <modelVersion>4.0.0</modelVersion>
+
+    <groupId>com.semmle</groupId>
+    <artifactId>parent</artifactId>
+    <version>1.0</version>
+    <packaging>pom</packaging>
+
+    <name>Bintray Usage Testing</name>
+    <description>An example of using bintray as a repository</description>
+
+    <distributionManagement>
+        <repository>
+            <id>jcenter</id>
+            <name>JCenter</name>
+            <!-- BAD! Don't use JCenter -->
+            <url>https://jcenter.bintray.com</url>
+        </repository>
+        <snapshotRepository>
+            <id>jcenter-snapshots</id>
+            <name>JCenter</name>
+            <!-- BAD! Don't use JCenter -->
+            <url>https://jcenter.bintray.com</url>
+        </snapshotRepository>
+    </distributionManagement>
+    <repositories>
+        <repository>
+            <id>jcenter</id>
+            <name>JCenter</name>
+            <!-- BAD! Don't use JCenter -->
+            <url>https://jcenter.bintray.com</url>
+        </repository>
+    </repositories>
+    <repositories>
+        <repository>
+            <id>jcenter</id>
+            <name>JCenter</name>
+            <!-- BAD! Don't use Bintray -->
+            <url>https://dl.bintray.com/groovy/maven</url>
+        </repository>
+    </repositories>
+    <pluginRepositories>
+        <pluginRepository>
+            <id>jcenter-plugins</id>
+            <name>JCenter</name>
+            <!-- BAD! Don't use JCenter -->
+            <url>https://jcenter.bintray.com</url>
+        </pluginRepository>
+    </pluginRepositories>
+</project>