top | item 40509427

frant-hartm | 1 year ago

There are multiple attack vectors via the supply chain that this new setting prevents.

Sure, if the compromised library is one of your core libraries that runs during build, test and runtime, then this does not help. But there are

  test-only libraries
  compile-time-only libraries (hello lombok?)
  transitive dependencies that may not be used during runtime (or run only in rare code paths)

Sometimes compromising the build environment is more valuable than the app's runtime environment - e.g. it may allow the attacker to compromise all apps.

Explicitly enabling a particular annotation processor I want to run is a small price to pay for the increased security.
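
What the explicit opt-in looks like in practice, as an added example that is not code from this thread or from any project mentioned in it. It assumes the setting under discussion is javac's behaviour from JDK 23 onward, where a processor found on the class path is no longer run unless the build asks for it with -processor or -proc:full. The processor class, the service file and the Hello.java input are made up for illustration; the processor does nothing harmful, it only emits a compiler NOTE and generates one source file, which is enough to show that it is arbitrary code running inside the build.

```java
// NoteProcessor.java: minimal annotation processor (illustrative, not from the thread).
// Everything in process() executes inside javac with the build's privileges:
// file system, network and environment of the CI runner, not of the app's runtime.
import java.io.IOException;
import java.io.Writer;
import java.util.Set;
import javax.annotation.processing.AbstractProcessor;
import javax.annotation.processing.RoundEnvironment;
import javax.annotation.processing.SupportedAnnotationTypes;
import javax.lang.model.SourceVersion;
import javax.lang.model.element.TypeElement;
import javax.tools.Diagnostic;
import javax.tools.JavaFileObject;

@SupportedAnnotationTypes("*")   // "*" means: invoked every round, even with no annotations present
public final class NoteProcessor extends AbstractProcessor {
    private boolean generated;

    @Override
    public SourceVersion getSupportedSourceVersion() {
        return SourceVersion.latestSupported();
    }

    @Override
    public boolean process(Set<? extends TypeElement> annotations, RoundEnvironment roundEnv) {
        processingEnv.getMessager().printMessage(Diagnostic.Kind.NOTE,
                "NoteProcessor ran inside javac; root elements this round: "
                        + roundEnv.getRootElements().size());

        // Generate one file on the first round only; a second createSourceFile for the
        // same name would throw FilerException.
        if (!generated && !roundEnv.processingOver()) {
            generated = true;
            try {
                JavaFileObject f = processingEnv.getFiler().createSourceFile("generated.BuildMarker");
                try (Writer w = f.openWriter()) {
                    w.write("package generated;\n"
                          + "public final class BuildMarker {\n"
                          + "    public static final String GENERATED_BY = \"NoteProcessor\";\n"
                          + "}\n");
                }
            } catch (IOException e) {
                processingEnv.getMessager().printMessage(Diagnostic.Kind.ERROR, e.toString());
            }
        }
        return false; // claim nothing, let other processors see the same elements
    }
}

// --- How to run it (shell lines shown as comments; Hello.java is just "public class Hello {}") ---
//
// 1. Build the processor and register it the way a library on the class path would,
//    via the standard ServiceLoader file javac uses for processor discovery:
//      javac -d proc NoteProcessor.java
//      mkdir -p proc/META-INF/services
//      echo NoteProcessor > proc/META-INF/services/javax.annotation.processing.Processor
//
// 2. JDK 22 and earlier: the processor runs without anyone asking for it, merely because
//    it is on the class path (this is the supply-chain exposure the thread is about):
//      javac -cp proc -d out Hello.java          # NOTE is printed, out/generated/BuildMarker.class appears
//
// 3. JDK 23 and later: the same command runs no processor at all. You must opt in:
//      javac -cp proc -d out Hello.java                          # nothing runs
//      javac -cp proc -processor NoteProcessor -d out Hello.java # run exactly this processor
//      javac -cp proc -proc:full -d out Hello.java               # old discover-everything behaviour
//      javac -cp proc -proc:none -d out Hello.java               # explicitly off, works on any JDK
```

The security-relevant check is step 3: a build that passes on JDK 23 without a -processor or -proc:full flag has run no annotation processor, so a processor smuggled in through a transitive dependency's META-INF/services entry cannot execute. Listing the processors you actually want with -processor (or the equivalent build-tool setting) is the allow-list the comment above is describing.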

beeboobaa3 | 1 year ago

> test libraries only

Typically runs during build (unit tests), just like annotation processors.

> compile time only libraries (hello lombok?)

Right, annotation processors. This is what we're discussing.

> transitive dependencies that may not be used during runtime (or run only in rare code paths)

Irrelevant. If they are compromised they will just set themselves up as an SPI and run on JVM start.