Malicious Gradle wrapper (adding preferences) #248

Closed
TheBlob42 opened this issue Jul 22, 2020 · 3 comments

@TheBlob42

Describe the bug

I currently see the following error message when opening one of my Java projects at work:

LSP :: Security Warning! The gradle wrapper '<path to project>/gradle/wrapper/gradle-wrapper.jar' could be malicious. If you trust it, please add 
`{"sha256": "84677e9e0688a0ad52747e41c3dc660185084d11af2f8dffb9a48aac677315c3",
"allowed": true}`
 to the `java.import.gradle.wrapper.checksums` preference.

We are indeed using a slightly modified version of the gradle wrapper for some projects and as far as I understand this issue and the warning we now have to add exceptions for any wrapper which was not released by the Gradle team itself.

The problem is that I have no idea how to set the required configuration option 🙈

From my research I found that VSCode uses settings.json files either for the user or per workspace, but are they even considered by the Emacs LSP integration? I also found this issue for lsp-mode but did not fully understand the examples. Is there any documentation about such configuration options maybe? 🤔

If you consider this to be a more general question for the lsp-mode project, I would ask my question over there, but since it is very Java related I thought this would be the right place to find help.

Author

TheBlob42 commented Jul 22, 2020

@yyoncho thank you for the quick update.

Just one more question: Since the variable for lsp-java-imports-gradle-wrapper-checksums is a lsp-string-vector, how do I add the checksums correctly (since these are "regular" JSON objects and also include the allowed property)? 🤔

Member

yyoncho commented Jul 22, 2020

> Since the variable for lsp-java-imports-gradle-wrapper-checksums is a lsp-string-vector,

This is a bug in the generator, it should be a vector of objects:

```elisp
(setq lsp-java-imports-gradle-wrapper-checksums
      [(:sha256 "504b38a11c466aecb2f5c0b0d8ce0ed7ffa810bf70b9b7a599c570051be8fb4e"
        :allowed t)])
```

This should work, I will fix the type.

@TheBlob42
Author

Perfect 👍 thank you for the explanation and the example
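
An added example, not part of the thread and not lsp-java's own code: an Emacs Lisp helper that hashes the wrapper jar and appends it to `lsp-java-imports-gradle-wrapper-checksums`, in the vector-of-plists form from yyoncho's reply, only when the hash matches a digest obtained independently of the file on disk. The `my/` function names and the sample path are hypothetical.

```elisp
;; Added example; the my/ names and the sample path below are hypothetical.
(require 'seq)     ; seq-some
(require 'subr-x)  ; string-trim

;; Has no effect once lsp-java has defined the variable itself.
(defvar lsp-java-imports-gradle-wrapper-checksums nil)

(defun my/file-sha256 (file)
  "Return the lowercase hex SHA-256 digest of FILE's raw bytes."
  (with-temp-buffer
    (set-buffer-multibyte nil)
    (insert-file-contents-literally file)
    (secure-hash 'sha256 (current-buffer))))

(defun my/allow-gradle-wrapper (jar expected-sha256)
  "Allow-list JAR only if its SHA-256 equals EXPECTED-SHA256.
EXPECTED-SHA256 should come from a source you trust (for example the
digest recorded when the modified wrapper was built), not from the jar
that happens to be on disk."
  (let ((expected (downcase (string-trim expected-sha256)))
        (actual (my/file-sha256 jar)))
    (unless (string-match-p "\\`[0-9a-f]\\{64\\}\\'" expected)
      (user-error "Not a SHA-256 hex digest: %S" expected-sha256))
    (unless (string= actual expected)
      (user-error "Refusing to allow %s: SHA-256 is %s, expected %s"
                  jar actual expected))
    ;; Same shape as in the reply above: a vector of (:sha256 ... :allowed t).
    ;; Skip the append when this digest is already allow-listed.
    (unless (seq-some (lambda (entry)
                        (and (listp entry)
                             (equal (plist-get entry :sha256) actual)))
                      lsp-java-imports-gradle-wrapper-checksums)
      (setq lsp-java-imports-gradle-wrapper-checksums
            (vconcat lsp-java-imports-gradle-wrapper-checksums
                     (vector (list :sha256 actual :allowed t)))))
    lsp-java-imports-gradle-wrapper-checksums))

;; Usage (constructed path; pass the digest your team recorded):
;; (my/allow-gradle-wrapper "~/work/project/gradle/wrapper/gradle-wrapper.jar"
;;                          "<64 hex characters>")
```

A mismatch signals a `user-error` and leaves the allow-list unchanged, so a wrapper that was swapped after the trusted digest was recorded is not silently accepted.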
