Skip Navigation

Sonatype’s ongoing commitment to Maven Central

Headshot_HExagon_Brian_Fox-removebg-preview

By: Brian Fox

See Bio

As stewards of Maven Central for over 16 years, Sonatype has played a leading role in shaping the Software Supply Chain space through policy setting and managing Central and our software supply chain product portfolio. The security of these systems is of utmost importance to us.

We have consistently advocated for the systematic usage of coordinates and namespaces to address critical issues in various ecosystems. Maven Central enforces namespaces, which have proven effective in preventing intentionally malicious typosquatting attacks, a problem prevalent in other ecosystems. I have previously discussed this issue extensively on this blog and recently addressed it in response to the U.S. Cybersecurity and Infrastructure Security Agency RFC, which I chaired at the OpenSSF.

We were recently contacted about research exploring various aspects of the Maven, Gradle, Java, and Android ecosystem, called “MavenGate.” The disclosure highlights additional areas of concern that cover many different aspects. I’ll try to address them below:

Expired DNS 

The outlined attack strategy involves searching for expired domains to establish credentials for publishing malicious components on Maven Central. However, this attack is not feasible due to the automation in place. While DNS validation is used for namespace validation, it only applies to new ones. Attempts to register an existing namespace will fail, and we have manual validation procedures in place. To further enhance security, we have disabled all accounts associated with expired domains and GitHub projects. Any future attempts to leverage current and future expired domains will undergo a thorough assessment by our team, ensuring evidence of ownership of not just the domain but also the underlying project.

Unshared public key 

The disclosure highlights successful artifact publication with a non-publicly shared key, contrary to the standard policy. We have identified a regression in the public key validation and have now resolved this.

Recognizing the limitations of PGP, we are collaborating with the SigStore team to implement Sigstore publication and validation for Maven Central. This project, involving extensive infrastructure updates, aims to simplify artifact publication and validation for the community.

Untrusted repositories 

The disclosed attack scenario involves leveraging multiple repositories, such as Maven Central and Jitpack, to insert untrusted artifacts into a build—a form of Dependency Confusion attack. 

Repository Managers, including Sonatype Nexus Repository, have long been the standard for Enterprise repository management. Using a repository manager to control the repositories your developers and builds fetch from is best practice. Additional controls, such as Sonatype Repository Firewall, provide further protections against namespace and dependency confusion, as well as malicious component detection.

In summary, leaving the source of dependencies in your builds open to random internet repositories exposes you to numerous potential attacks. Utilize a repository manager to secure your enterprise.

Other Concerns 

The disclosure mentions challenges from other repositories, including the lack of signatures. We agree that signing is crucial and believe that our efforts to promote Sigstore will encourage other repositories to adopt similar practices.

Sonatype’s commitment to the security and integrity of Maven Central and the broader software supply chain remains unwavering. We are tackling the evolving challenges in cybersecurity by implementing strict policies, innovative collaborations, and continuous vigilance. As we move forward, we’ll continue to advocate for best practices and collaborate with the community to address new vulnerabilities, ensuring Maven Central remains a trusted and secure hub for developers worldwide.