Fortify complains about external Maven schemas pom.xml
Based on the Fortify report (a static code analyzer from HP), it is clear that the pom.xml vulnerabilities are as follows:
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
...
Namely:
Misconfiguration Build: External Maven Dependency Repository. This Maven build script relies on external sources that could allow an attacker to inject malicious code into the final product or take control of the build machine.
This is a somewhat false positive detection, but according to my paranoid security policies, I cannot suppress it. So now the pom.xml looks like this:
<project>
...
It still builds / compiles correctly. The IDE still recognizes the file as a valid Maven Object Model file. Nothing bad happened.
I was wondering if there is a possible scenario where this modification could cause some real problems? For example, some well-known tool or parser does not recognize this as a valid Maven project file. Thanks.
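As an added illustration (not part of the question or of any answer), the Python script below parses two constructed pom.xml fragments, one with the namespace header Fortify flagged and one with it stripped, and shows the concrete scenario asked about: a tool hard-wired to the POM namespace finds nothing in the stripped file, while a local-name lookup works for both. It also lists the external schema URLs a validating tool could try to fetch; the coordinates com.example/demo/1.0.0 are made up.

```python
import xml.etree.ElementTree as ET

POM_NS = "http://maven.apache.org/POM/4.0.0"

# Constructed sample: the header Fortify flagged, plus minimal coordinates.
POM_WITH_NS = f"""<project xmlns="{POM_NS}"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="{POM_NS} http://maven.apache.org/maven-v4_0_0.xsd">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>demo</artifactId>
  <version>1.0.0</version>
</project>"""

# Constructed sample: the same model after the namespace declarations were removed.
POM_WITHOUT_NS = """<project>
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>demo</artifactId>
  <version>1.0.0</version>
</project>"""


def coordinates_strict(pom_text: str) -> dict:
    """Namespace-aware lookup, as a tool bound to the POM namespace does it (None if absent)."""
    root = ET.fromstring(pom_text)
    ns = {"m": POM_NS}
    out = {}
    for field in ("groupId", "artifactId", "version"):
        node = root.find(f"m:{field}", ns)
        out[field] = node.text if node is not None else None
    return out


def coordinates_tolerant(pom_text: str) -> dict:
    """Lookup that ignores the namespace and matches on local element names only."""
    root = ET.fromstring(pom_text)
    # Clark notation "{ns}tag" -> "tag"; unnamespaced tags are unchanged by the split
    by_local = {child.tag.split("}")[-1]: child.text for child in root}
    return {f: by_local.get(f) for f in ("groupId", "artifactId", "version")}


def external_schema_refs(pom_text: str) -> list:
    """Return every location URL named in xsi:schemaLocation (what a validator may fetch)."""
    root = ET.fromstring(pom_text)
    loc = root.get("{http://www.w3.org/2001/XMLSchema-instance}schemaLocation", "")
    # schemaLocation is a whitespace-separated list of (namespace, location) pairs
    return loc.split()[1::2]
```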