From 161e9a32c996079e5ba0cb48b96dbef1d0a43ce6 Mon Sep 17 00:00:00 2001
From: Tomo
Date: Wed, 30 Oct 2024 00:20:19 +0000
Subject: [PATCH] gradle_6: mark very insecure

v6 is vulnerable to a number of vulnerabiliites:
* CVE-2021-29429, affecting confidentiality
* CVE-2021-29427, affecting confidentiality and can lead to dependency poisoning
* CVE-2021-29428, a privilege escalation involving the temp dir
* CVE-2021-32751, arbitrary code execution
---
 .../tools/build-managers/gradle/default.nix | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/pkgs/development/tools/build-managers/gradle/default.nix b/pkgs/development/tools/build-managers/gradle/default.nix
index 52800a8694f02..970dcf2d638f9 100644
--- a/pkgs/development/tools/build-managers/gradle/default.nix
+++ b/pkgs/development/tools/build-managers/gradle/default.nix
@@ -23,7 +23,11 @@ rec {
 "x86_64-darwin"
 "x86_64-linux"
 "x86_64-windows"
- ]
+ ],
+
+ # Extra attributes to be merged into the resulting derivation's
+ # meta attribute.
+ meta ? {}
 }:

 { lib
@@ -172,7 +176,7 @@ rec {
 license = licenses.asl20;
 maintainers = with maintainers; [ lorenzleutgeb liff ];
 mainProgram = "gradle";
- };
+ } // meta;
 });

 # NOTE: Default JDKs that are hardcoded below must be LTS versions
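Review bot: The new `meta` argument is applied in the second hunk as `} // meta;`, a shallow, right-biased merge, so any key a caller passes replaces the default wholesale, including `license`, `maintainers` or `mainProgram`. The comment added in the first hunk says only "merged"; I would make the override explicit, e.g. `# Shallow-merged with //: keys given here replace the defaults above.` This matters for `knownVulnerabilities` in particular: if the shared meta ever gains its own list, a per-version list would overwrite it rather than extend it. The argument set and the `meta` attrset both start outside these hunks, so whether a default list already exists cannot be seen here.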
@@ -195,6 +199,12 @@ rec {
 version = "6.9.4";
 hash = "sha256-PiQCKFON6fGHcqV06ZoLqVnoPW7zUQFDgazZYxeBOJo=";
 defaultJava = jdk11;
+ meta.knownVulnerabilities = [
+ "CVE-2021-29429: '[...]files created with open permissions in the system temporary directory can allow an attacker to access information downloaded by Gradle[...]'"
+ "CVE-2021-29427: '[...]there is a vulnerability which can lead to information disclosure and/or dependency poisoning[...] In some cases, Gradle may ignore content filters and search all repositories for dependencies. This only occurs when repository content filtering is used from within a `pluginManagement` block in a settings file.'"
+ "CVE-2021-29428: '[...]the system temporary directory can be created with open permissions that allow multiple users to create and delete files within it. Gradle builds could be vulnerable to a local privilege escalation from an attacker quickly deleting and recreating files in the system temporary directory.'"
+ "CVE-2021-32751: '[...]start scripts generated by the `application` plugin and the `gradlew` script are both vulnerable to arbitrary code execution when an attacker is able to change environment variables for the user running the script[...]'"
+ ];
 };

 wrapGradle = {
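Review bot: The four `meta.knownVulnerabilities` strings quote advisory text but give no affected or fixed version, and the release pinned here is `6.9.4`, a late 6.x patch level, so it is worth confirming that each CVE still applies to this exact version before marking it. A non-empty `knownVulnerabilities` makes nixpkgs refuse to evaluate the package unless the user opts in (for example through `permittedInsecurePackages`), so these strings are what users read when deciding whether to allow it; giving each entry the shape `"CVE-2021-29428: <summary> (fixed in <version>, <advisory URL>)"` would make that decision easier. Any in-tree package still built with `gradle_6` will also stop evaluating by default, and the hunk does not show whether dependents were checked.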