Maven Use HTTPS with remote repositories

ID

use_https_remote_repositories_maven

Severity

low

Family

Use HTTPS with remote repositories

Tags

reachable

Description

Remote repositories must be accessed over the HTTPS protocol.

Security

If you use the HTTPS protocol, man-in-the-middle attacks can be avoided.

Examples

<repository>
  <id>public</id>
  ...
  <url>http://repo.example.com/repository</url>
  <layout>default</layout>
</repository>

Mitigation / Fix

You can remove the repositories from the configuration files, or use the HTTPS protocol if it is available.

In recent Maven versions, HTTP repositories are blocked by default, and the default blocking configuration must be changed explicitly to allow HTTP. Please read the release notes for Maven 3.8.1 for more details.