What is a DNS-Based Maven Group Id?

Question

I am studying if our Java application is vulnerable to Dependency Confusion and came over this link . The second condition says:

There is a remote repository configured that lets anyone claim group ids without verification or you use internal packages with a group id that’s not DNS-based.

What does it mean to use a dependency that the group id is not DNS-based? How do you classify a dependency as DNS-based? Never heard anything like that before, I'd be glad if you can enlighten me.

Answer 1

It means, that the group ID should start with a reversed domain name you control. Eg, if you control the domain example.com, you should choose com.example as group ID, or choose a group ID that starts with com.example. The wording DNS may be a little bit misleading here, as this is more about the domain name, and less about the system (servers). See here: Maven - Guide to Naming Conventions

The Dependency Confusion attack is about an attacker who embeds malicious code into a new version of a (popular) piece of software and publishes it to a public repository, so that it will automatically be integrated into applications that always use the latest version of the software. Therefore, it is crucial that the repository can somehow verify that the person who posts a new software artifact is authorized to publish that particular artifact. If, for example, reversed group ID of the artifacts and user email domain name don't match, then this could be an indication that the user should not be authorized to publish that artifact, as he is probably not part of the organization, that is responsible for maintaining the artifact.