How secure is using Maven?

Tags: front end · unresolved · 3 answers · 1064 views
Asked by 日久生厌, 2021-01-31 15:14

What are the risks, possibilities or scenarios whereby someone sets up masquerades of Maven repositories and/or IP streams to provide masqueraded library copies of the originals?

3 answers
  •  醉酒成梦
     2021-01-31 15:36

    If you use well-known repositories (Central Maven repository, JBoss repository), there is a very low possibility of harmful code being injected. For a computer virus, your ISP, or your ISP's ISP to do so, it would have to mess with DNS servers or change routing paths for some set of destinations. I think that's rather unlikely; the same applies not only to Maven repos but to all internet services (email, HTTP, VoIP and so on). What's more, the same risk exists when downloading JARs directly from project sites.
    Anyway, if you want to have total control you can set up your own Maven repository (http://nexus.sonatype.org/).

    Every file available in the repository should have an MD5 or SHA checksum generated; this way you can validate whether what you downloaded is really what you wanted. But if the attacker (virus) is smart enough to intercept your data transfer and mess with JAR files, he will also be smart enough to intercept the MD5/SHA checksums. The defense against this is to provide PGP signatures for both checksums and artifacts; release artifacts uploaded to the central repo are forced to do so (.asc files).

    A good idea is to use Nexus Professional; you would be able to configure the procurement suite to check the PGP signature against a public key server each time an artifact is downloaded. More information about PGP signatures with Maven can be found here:

    https://docs.sonatype.org/display/Repository/How+To+Generate+PGP+Signatures+With+Maven

    http://www.sonatype.com/people/2012/03/the-first-line-of-defense-checksums-and-pgp-signatures-in-repositories/
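The answer's two points (checksum files catch corruption but not an attacker who can rewrite the download channel; a signature from a key you already trust does) as a worked example. This is added code, not from the post or from Sonatype: it assumes the Central layout of `foo-1.0.jar` beside `foo-1.0.jar.sha1` / `.md5` / `.sha256` (bare hex digest, or `sha1sum`-style `<hex>  <filename>`) and `foo-1.0.jar.asc`; the artifact bytes are constructed in memory so the checksum part runs offline, and the PGP part shells out to `gpg --verify` with the signing key's fingerprint pinned up front rather than trusting whatever a key server returns.

```python
"""Verify a Maven artifact against its repository checksum file and,
optionally, its detached PGP signature pinned to an expected key.

Added example, not code from the original post. File names, the
constructed JAR bytes and the hypothetical fingerprint are assumptions.
"""
import hashlib
import re
import subprocess
from pathlib import Path

# Central publishes either the bare hex digest or "<hex>  <filename>";
# accept both, in either case, with or without a trailing newline.
_CHECKSUM_LINE = re.compile(r"^([0-9a-fA-F]+)(?:\s+\S.*)?$")

# Checksum file extension -> hashlib algorithm name.
ALGOS = {".md5": "md5", ".sha1": "sha1", ".sha256": "sha256", ".sha512": "sha512"}


def parse_checksum_file(text: str) -> str:
    """Return the lower-case hex digest from a .md5/.sha1/.sha256 file body."""
    m = _CHECKSUM_LINE.match(text.strip())
    if not m:
        raise ValueError("unrecognised checksum file content")
    return m.group(1).lower()


def digest(data: bytes, algo: str) -> str:
    return hashlib.new(algo, data).hexdigest()


def checksum_matches(artifact: bytes, checksum_text: str, ext: str) -> bool:
    """The check a repository manager does: digest the bytes, compare to the
    sidecar file fetched from the same place. Catches corruption only."""
    return digest(artifact, ALGOS[ext]) == parse_checksum_file(checksum_text)


def pinned_digest_matches(artifact: bytes, pinned_hex: str, algo: str) -> bool:
    """Same comparison, but against a digest recorded out of band (lockfile,
    build script) rather than one fetched alongside the artifact."""
    return digest(artifact, algo) == pinned_hex.strip().lower()


def mitm_swaps_both(artifact: bytes, ext: str = ".sha1"):
    """What an on-path attacker who controls the download does: replace the
    JAR and regenerate its checksum file. Returns (evil_jar, evil_checksum)."""
    evil = artifact + b"\x00constructed malicious payload"
    return evil, digest(evil, ALGOS[ext]) + "  foo-1.0.jar\n"


def pgp_signature_ok(artifact: Path, asc: Path, expected_fpr: str) -> bool:
    """Accept only if gpg reports a VALIDSIG *and* the signing key (or its
    primary key) is the one pinned by fingerprint. Requires gpg and the
    signer's public key in the local keyring; not exercised offline."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", str(asc), str(artifact)],
        capture_output=True, text=True,
    )
    want = expected_fpr.replace(" ", "").upper()
    for line in proc.stdout.splitlines():
        # Status line: [GNUPG:] VALIDSIG <fpr> <date> <ts> ... [<primary-fpr>]
        if line.startswith("[GNUPG:] VALIDSIG "):
            fields = line.split()
            if want in (fields[2].upper(), fields[-1].upper()):
                return True
    return False


def demo() -> dict:
    """Offline walk-through on constructed bytes: an honest download passes
    the checksum; a swapped JAR with a swapped checksum also passes; only a
    value trusted before the download (pinned digest, or a signature from a
    pinned key) rejects it."""
    jar = b"PK\x03\x04constructed-fake-jar-bytes"      # constructed stand-in
    honest_sha1 = digest(jar, "sha1") + "  foo-1.0.jar\n"
    evil_jar, evil_sha1 = mitm_swaps_both(jar)
    return {
        "honest_checksum": checksum_matches(jar, honest_sha1, ".sha1"),
        "swapped_checksum": checksum_matches(evil_jar, evil_sha1, ".sha1"),
        "swapped_pinned": pinned_digest_matches(evil_jar, digest(jar, "sha1"), "sha1"),
    }


if __name__ == "__main__":
    print(demo())
    # With a real download and gpg available (assumed paths and fingerprint):
    # pgp_signature_ok(Path("foo-1.0.jar"), Path("foo-1.0.jar.asc"),
    #                  "0000 0000 0000 0000 0000  0000 0000 0000 0000 0000")
```

The `demo()` result is the answer's argument in three booleans: the repository checksum verifies both the genuine and the substituted JAR, because the attacker regenerated it. For `pgp_signature_ok` the fingerprint must come from somewhere you trust before the build runs (the project's release documentation, a previous verified build), not from the key server at verification time; a key server only tells you that *a* key signed the file, not that it was the project's key.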
