GitHub and Gradle Partner To Strengthen Supply Chain Security
Written by Nikos Vaggalis   
Thursday, 30 May 2024

Integrating Gradle builds with GitHub Actions promotes best security practices among Gradle users. To that end there is a new official, open-source GitHub Action that generates complete and accurate dependency information for Gradle projects and submits it to GitHub's dependency graph, so that Dependabot can raise alerts when a vulnerable dependency turns up. 

Supply chain security is all the rage right now. The Linux Foundation explains it well:

To build useful software we don't reinvent the wheel but build on work already done, which comes bundled in the form of libraries. The problem is that even a mediocre open source project can have loads of such dependencies, which themselves depend on others, forming a lengthy chain. Not a problem per se, unless malicious code or a security vulnerability finds its way anywhere in this chain.

A way of strengthening against this is to integrate security into the software development life cycle rather than treating it as an afterthought. To do this, GitHub, where so much of the world's code now resides, offers Dependabot, a bot that alerts you when your repository uses a software dependency with a known vulnerability, see GitHub Dependabot Now Warns Of Vulnerabilities. Since last year an Export SBOM function has also been available, which generates an NTIA-compliant software bill of materials (SBOM) on demand.

As detailed in Github Provides Self-Service SBOMs, GitHub also lets you upload SBOMs to the Dependency Graph service, which scans the listed dependencies against known vulnerabilities and raises Dependabot alerts for any that match. It has also introduced a GitHub Action which bakes SBOM generation into the repository's CI deliverables.

Since Gradle is one of the most used build tools among GitHub users, the partnership with GitHub has produced the new Dependency Submission Action for Gradle, an official and open-source GitHub Action that generates complete and accurate dependency information for Gradle projects and uploads it to the GitHub dependency graph. This information lets maintainers view their project's dependencies in GitHub and get notified when vulnerable dependencies are detected.

The usual difficulty is that consumers find it hard to map a vulnerability entry to the package versions they are actually using. To alleviate that, and to provide complete and accurate dependency versions, the Dependency Submission Action for Gradle applies a specialized Gradle plugin which runs a small Gradle build that resolves all project dependencies. The submitted dependency versions are therefore exactly those the project really uses, including transitive dependencies and any versions selected by Gradle's conflict resolution, rather than whatever is declared in the build script.

So when a vulnerable dependency is detected, project admins and maintainers can be automatically notified via Dependabot alerts. To enable it for basic usage, you need a simple YAML workflow file in the .github/workflows/ directory of your repository, for example .github/workflows/dependency-submission.yml.


That remedies one part of the supply chain security equation: finding out whether a dependency is vulnerable. The other part, assuring that the source of the dependency is legitimate, is a bit more involved. This is where signing your artifacts enters the picture, with tools like sigstore-java for example, which we introduced in Sigstore Java - Sign And Verify Your Java Builds:

sigstore-java, currently under development, is a tool for signing and verifying Java package distributions with Sigstore's keyless signing. Sigstore signing empowers software developers to securely sign software artifacts such as release files, container images and binaries. These signatures are then stored in a tamper-proof public log - for free.

To make it easier to sign and publish to Maven Central, the signing activity is going to be incorporated into Java's build tools, Maven and Gradle. The intent is for Gradle versions 7.3 or higher to support Sigstore signing, while verification will require version 8.2+. This, however, hasn't happened yet, so look out for it in the future.

Of course, there's much more to do in securing the supply chain, which the latest Chainguard report "SLSA++ A Survey of Software Supply Chain Security" examines in depth by looking at how the industry is adopting best practices. For more details on that make sure to check out my article, Surveying Software Supply Chain Security.


More Information

The dependency-submission action

GitHub Actions for Gradle builds

Related Articles

GitHub Dependabot Now Warns Of Vulnerabilities

Github Provides Self-Service SBOMs

Surveying Software Supply Chain Security

Insights Into Software Supply Chain Security 
