Maven: security problems by repository and pluginRepositories defined in pom?

Imagine the current situation:

You are an developer and want to participate in a new (open source) project. The project can be build via different ways - one of them is Maven.

If you now download the source code repository and start the build process your system is exposed to multiple security risks from my understanding:

1. The default Maven [plugin-]repositories are accessed via http - via an Man-in-the-Middle attack someone could could send you manipulated packages. In case of an intercepted plugin-repository this could lead to injected code executed as part of the build process

2. In the file pom.xml you can add 3rd party repositories and plugin-repositories. If an attac开发者_StackOverflow社区ker manages to add his own plugin-repository to a project pom.xml (e.g. of an open source project) and other can be attacked by those plugins. In case of the 3rd party repositories I am not sure - can a repository defined in a project pom.xml override repositories defined at user or system level?

From my point of view this are severe security problems - or is there a mistake description?

If I have a Maven based project - how can I make sure that it is safe to run Maven? Is there a list of repositories that are trustworthy (contain only code that does not harm the computer it is executed on)?

At the first glance your arguments are correct. But there there are some issues to be aware of or which are not the simple to solve for an potential attacker.

The repository which is used in the majority of cases is Maven Central which is under control of Sonatype (as far as i know). This means to have access to those machines and modify the contents of the repository itself or just inject some content which might be not that simple based on the checksums, but of course it does not make it impossible. Furthermore if you are downloading artifacts from the internet you have an up-to-date virus-scanner active which controls everything first before it will be put on your hard-drive. This is of course not 100% safe.

Coming to the second part: If you are using a project which defines repositories inside the pom this not "Best practice"...Ok...let us assume this. So you will use this "infected" project pom. But how has it be put into the project? This means the attacker must have commit access to the project which means in other words he has been shared the project for a long time. Furthermore other people of the project would have reviewed the commit...so this wouldn't be that simple but of course not impossible.

Based on the things i wrote before how could someone give the guaranty that a repository contains only "safe" artifacts? Who should control/check that? And how long would it take to get an artifact into that repository?

So the simple answer is: No it's not 100% safe to use Maven but if we think a little bit about that the internet is not 100% safe as well. In my opinion the risk via the internet is much higher than from a Maven repository, but of course we should ignore this.

The only possible solution for this is to use a Repository Manager which is the only source from where artifacts will be downloaded which means to configure the settings.xml to use only this. And very important that you control every artifact which is put into that repository and do some "security" checks on them. But who will do this and who has the time/money/resources for such things?