Maven Avoid Public Repositories
| | |
|---|---|
| ID | avoid_public_repositories_maven |
| Severity | high |
| Family | Avoid public repositories |
Description
Some organizations have a policy of using private repositories only, with a carefully curated process for loading dependencies into their private repository from the public ones.
This detector checks whether the configuration references a public repository, or whether only private repositories are configured.
The public repositories configured to check are:
- https://repo.maven.apache.org/maven2
- https://repo1.maven.org/maven2
- https://oss.sonatype.org/content/repositories/releases
- https://packages.atlassian.com/mvn/maven-atlassian-external
- https://repo.hortonworks.com/content/repositories/releases
- https://repo.spring.io/plugins-release
- https://repo.spring.io/libs-milestone
- https://jcenter.bintray.com
- https://maven.atlassian.com/content/repositories/atlassian-public
- https://repository.jboss.org/nexus/content/repositories/ea
- https://nexus.bedatadriven.com/content/groups/public
You can add or remove repositories in the public-repositories parameter.
You can configure private repositories in the private-repositories parameter.
If private repositories are configured, the public list does not apply: the detector then only checks that the repository URLs found in settings.xml or pom.xml files are among the configured private repositories.
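The following script is an added example, not the detector's own code, showing the check described above: it extracts the `url` of every `repository`, `pluginRepository` and `mirror` element from a pom.xml or settings.xml and either flags URLs that appear in the public list (default mode) or flags any URL outside the configured private list (private mode). The sample POM and settings content are constructed for the example; the exact URL-matching rule (scheme, host and path compared after dropping a trailing slash) is an assumption, since the page does not state how the real detector compares URLs.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Default public repositories, as listed in the detector description.
PUBLIC_REPOSITORIES = [
    "https://repo.maven.apache.org/maven2",
    "https://repo1.maven.org/maven2",
    "https://oss.sonatype.org/content/repositories/releases",
    "https://packages.atlassian.com/mvn/maven-atlassian-external",
    "https://repo.hortonworks.com/content/repositories/releases",
    "https://repo.spring.io/plugins-release",
    "https://repo.spring.io/libs-milestone",
    "https://jcenter.bintray.com",
    "https://maven.atlassian.com/content/repositories/atlassian-public",
    "https://repository.jboss.org/nexus/content/repositories/ea",
    "https://nexus.bedatadriven.com/content/groups/public",
]

# Elements whose <url> child points at an artifact source.
REPOSITORY_ELEMENTS = ("repository", "pluginRepository", "mirror")


def _normalize(url):
    # Assumed matching rule: compare lower-cased scheme and host plus the
    # path without a trailing slash, so "…/maven2" and "…/maven2/" are equal.
    parts = urlparse(url.strip())
    return (parts.scheme.lower(), parts.netloc.lower(), parts.path.rstrip("/"))


def _local_name(tag):
    # pom.xml files carry a default namespace, so tags look like
    # "{http://maven.apache.org/POM/4.0.0}repository"; keep only the local part.
    return tag.rsplit("}", 1)[-1]


def repository_urls(xml_text):
    """Return (element, id, url) for every repository-like element with a <url>."""
    root = ET.fromstring(xml_text)
    found = []
    for element in root.iter():
        kind = _local_name(element.tag)
        if kind not in REPOSITORY_ELEMENTS:
            continue
        repo_id, url = None, None
        for child in element:
            name = _local_name(child.tag)
            if name == "id":
                repo_id = (child.text or "").strip()
            elif name == "url":
                url = (child.text or "").strip()
        if url:
            found.append((kind, repo_id, url))
    return found


def check_repositories(xml_text, public=PUBLIC_REPOSITORIES, private=None):
    """Return one finding dict per offending repository URL.

    With a private list: every URL not in that list is a finding.
    Without one: every URL that is in the public list is a finding.
    """
    findings = []
    if private:
        allowed = {_normalize(u) for u in private}
        for kind, repo_id, url in repository_urls(xml_text):
            if _normalize(url) not in allowed:
                findings.append({"element": kind, "id": repo_id, "url": url,
                                 "reason": "not in private-repositories"})
    else:
        public_set = {_normalize(u) for u in public}
        for kind, repo_id, url in repository_urls(xml_text):
            if _normalize(url) in public_set:
                findings.append({"element": kind, "id": repo_id, "url": url,
                                 "reason": "public repository"})
    return findings


# Constructed sample pom.xml: one public repo, one private repo, one public plugin repo.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <repositories>
    <repository><id>public</id><url>https://jcenter.bintray.com</url><layout>default</layout></repository>
    <repository><id>internal</id><url>https://my.private.repo/</url></repository>
  </repositories>
  <pluginRepositories>
    <pluginRepository><id>spring-plugins</id><url>https://repo.spring.io/plugins-release/</url></pluginRepository>
  </pluginRepositories>
</project>"""

# Constructed sample settings.xml mirroring everything to a private repository.
SAMPLE_SETTINGS = """<settings>
  <mirrors>
    <mirror><id>internal-repository</id><url>https://my.private.repo/</url><mirrorOf>*</mirrorOf></mirror>
  </mirrors>
</settings>"""

if __name__ == "__main__":
    for label, text in (("pom.xml", SAMPLE_POM), ("settings.xml", SAMPLE_SETTINGS)):
        for f in check_repositories(text):
            print(f"{label}: {f['element']} '{f['id']}' -> {f['url']} ({f['reason']})")
    for f in check_repositories(SAMPLE_POM, private=["https://my.private.repo"]):
        print(f"pom.xml (private mode): {f['element']} '{f['id']}' -> {f['url']} ({f['reason']})")
```

In default mode the sample POM yields two findings (the jcenter repository and the Spring plugin repository) while the mirror-only settings file yields none; passing a private list switches to an allow-list check, so the same POM is flagged for every URL other than `https://my.private.repo`.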
Security
Organizations restrict artifacts to private internal repositories for security reasons, for example to avoid downloading artifacts that have not been checked by the security team.
Examples
```xml
<repository>
  <id>public</id>
  ...
  <url>https://jcenter.bintray.com</url>
  <layout>default</layout>
</repository>
```
Mitigation / Fix
You can remove the public repositories from the configuration files, or configure mirrors so that only the private repositories are used. See https://maven.apache.org/guides/mini/guide-mirror-settings.html
```xml
<settings>
  ...
  <mirrors>
    <mirror>
      <id>internal-repository</id>
      <name>Private Maven Repository</name>
      <url>https://my.private.repo/</url>
      <mirrorOf>*</mirrorOf>
    </mirror>
  </mirrors>
  ...
</settings>
```