Fortify complains about Maven's pom.xml external schemas

Question

Based on Fortify (static code analyzer by HP) report, apparently the following lines of pom.xml is vulnerability:

    <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
...

Because

Build Misconfiguration: External Maven Dependency Repository: This maven build script relies on external sources, which could allow an attacker to insert malicious code into the final product or to take control of the build machine.

It's somewhat false-positive detection, but according to my company paranoid security policies I cannot suppress this. So now pom.xml looks like this:

<project>
...

It's still builds/compiles correctly. IDE still recognizes file as a valid Maven Project Object Model file. Nothing bad happened.

I was wondering is there any possible scenario where this modification might cause some real issues? For example some known tool or parser won't recognize this as a valid Maven's project file. Thanks.

Answer 1

Just dig into this issue and it turns out Fortify is NOT complains on Maven Schema. It complains you are using external maven repository (central, jboss and so on) and your POM don't have a proper position to mark this issue (i.e. you don't have any repository defined in POM).

As fortify said:

Under Maven, instead of listing explicit URLs from which to retrieve the dependencies, developers specify the dependency names and versions and Maven relies on its underlying configuration to identify the server(s) from which to retrieve the dependencies. For commonly used components this saves the developer from having to researching dependency locations.

Two distinct types of attack scenarios affect these systems: An attacker could either compromise the server hosting the dependency or compromise the DNS server the build machine uses to redirect requests for hostname of the server hosting the dependency to a machine controlled by the attacker.

You got this vulnerability because you are using external repositories, which give attacker chances to compromise your system by inject tampered dependencies. By explicit declare internal repositories, your dependencies are (theoretically) protected by your infrastructures.

If you have internal repositories, things like below may be helpful to solve the problem:

<repositories>
  <repository>
    <id>central</id>
    <url>http://172.28.60.140/repository/maven-public</url>
  </repository>
  <repository>
    <id>corp-internal</id>
    <url>http://172.28.60.140/repository/maven-private</url>
  </repository>
</repositories>

Watch out the repository id central, it is necessary since all POM are inherit from super POM. By override it, you replace the default central repository with your internal one.

---

Remove schemaLocation make Fortify failed to recognize this xml as POM, hence can't determinate the risk. It doesn't fix anything but hide it.