Retrieving build dependencies using a dynamic version can leave the build system vulnerable to malicious binaries or cause the system to experience unexpected behavior.
The Apache Ivy dependency management system allows users to specify a version status, known as a dynamic revision, for a dependency instead of a specific revision number. At build time, Ivy connects to the repository and retrieves whatever revision currently matches that status. If an attacker is able to compromise the dependency repository, or trick the build system into resolving dependencies from a repository under the attacker's control, then a dynamic revision specifier may be all that is needed for the build system to silently download and execute a malicious artifact: nothing in the descriptor ties the build to a known, reviewed revision. Beyond the security risk, dynamic revisions also undermine reproducibility and stability, since the revision a build picks up changes whenever a third party publishes a new one. In effect they place the security and stability of your software under the control of the third parties who develop and release the dependencies your software uses.
Ivy accepts the following dynamic revision specifiers:
- latest.integration
: Selects the latest revision of the dependency module, regardless of its status.
- latest.[any status]
: Selects the latest revision of the dependency module whose status is at least the specified status. For example, latest.milestone selects the latest revision that is either a milestone or a release, and latest.release selects only the latest release.
- Any revision that ends in +
: Selects the latest sub-revision of the dependency module. For example, if the dependency exists in revisions 1.0.3, 1.0.7 and 1.1.2, the specifier 1.0.+ selects revision 1.0.7.
- Version ranges
: Interval notation can be used to match a range of revisions, for example [1.0,2.0] for any revision from 1.0 to 2.0 inclusive, ]1.0,2.0[ for the same range with both endpoints excluded, or [1.0,) for 1.0 and anything later.
Example 1: The following configuration entry instructs Ivy to retrieve the latest release version of the clover component:
<dependencies>
  <dependency org="clover" name="clover"
              rev="latest.release" conf="build->*"/>
  ...
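The following script is an added example, not code from the original page or from the Apache Ivy project. It parses an Ivy descriptor (the ivy.xml format of Example 1) and flags every dependency whose rev attribute uses one of the dynamic forms listed above, then shows the hardened alternative: rewriting a flagged entry to a pinned revision. The descriptor and the pinned revision number 4.1.2 are constructed for the example and are not real module data.

```python
"""Detect and pin Apache Ivy dynamic revisions in an ivy.xml descriptor.

Added example, not part of the original page or of Apache Ivy itself.
"""
import re
import xml.etree.ElementTree as ET

# The dynamic revision forms Ivy accepts (as listed on the page):
#   latest.<status>   e.g. latest.integration, latest.release
#   <prefix>+         e.g. 1.0.+
#   interval ranges   e.g. [1.0,2.0], ]1.0,2.0[, [1.0,), (,2.0]
_LATEST = re.compile(r"^latest\.[A-Za-z]+$")
_PLUS = re.compile(r".+\+$")
_RANGE = re.compile(r"^[\[\]\(]\s*[^,\s]*\s*,\s*[^,\s]*\s*[\[\]\)]$")

# Constructed sample descriptor; the module names and revisions are invented.
SAMPLE_IVY_XML = """<ivy-module version="2.0">
  <info organisation="example" module="app"/>
  <dependencies>
    <dependency org="clover" name="clover" rev="latest.release" conf="build->*"/>
    <dependency org="org.example" name="utils" rev="1.0.+"/>
    <dependency org="org.example" name="parser" rev="[1.0,2.0]"/>
    <dependency org="org.example" name="core" rev="1.4.2"/>
  </dependencies>
</ivy-module>"""


def classify_revision(rev: str) -> str:
    """Return 'fixed' for a pinned revision, otherwise which dynamic form it is."""
    rev = rev.strip()
    if not rev:
        return "missing"
    if _LATEST.match(rev):
        return "latest"
    if _PLUS.match(rev):
        return "plus"
    if _RANGE.match(rev):
        return "range"
    return "fixed"


def _local_name(tag: str) -> str:
    """Strip an XML namespace prefix so descriptors with a default xmlns still match."""
    return tag.rsplit("}", 1)[-1]


def find_dynamic_dependencies(ivy_xml: str):
    """Return (org, name, rev, kind) for every dependency whose rev is not pinned."""
    root = ET.fromstring(ivy_xml)
    findings = []
    for dep in root.iter():
        if _local_name(dep.tag) != "dependency":
            continue
        rev = dep.get("rev", "")
        kind = classify_revision(rev)
        if kind != "fixed":
            findings.append((dep.get("org"), dep.get("name"), rev, kind))
    return findings


def pin_revisions(ivy_xml: str, pins: dict) -> str:
    """Rewrite flagged dependencies to the pinned revisions given in pins.

    pins maps (org, name) to the exact revision that was reviewed and approved;
    dependencies that are already fixed, or not listed in pins, are left alone.
    """
    root = ET.fromstring(ivy_xml)
    for dep in root.iter():
        if _local_name(dep.tag) != "dependency":
            continue
        key = (dep.get("org"), dep.get("name"))
        if key in pins and classify_revision(dep.get("rev", "")) != "fixed":
            dep.set("rev", pins[key])
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for org, name, rev, kind in find_dynamic_dependencies(SAMPLE_IVY_XML):
        print(f"dynamic revision ({kind}): {org}#{name};{rev}")
    # Hypothetical pin for the clover entry from Example 1.
    print(pin_revisions(SAMPLE_IVY_XML, {("clover", "clover"): "4.1.2"}))
```

Run against the constructed descriptor, the scan reports three of the four dependencies (latest.release, 1.0.+ and [1.0,2.0]); only core, pinned to 1.4.2, passes. Pinning the clover entry leaves the other two findings in place, which is the point of running the check in CI: a build should fail until every dependency resolves to a revision someone has actually reviewed.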