
CG Manifest links to dead/insecure component downloadUrls #4170

Open
247arjun opened this issue Nov 5, 2022 · 4 comments

Comments

@247arjun
Member

247arjun commented Nov 5, 2022

500+ components (almost 20% of all components) in the Component Governance manifest have insecure HTTP links to their downloadUrl.

Additionally, many of the links are dead (HTTP 404, 501 etc.)

Example package that returns HTTP 404:
CG Manifest link: http://ftp.debian.org/debian/pool/main/t/ttf-arphic-uming/ttf-arphic-uming_0.2.20080216.1.orig.tar.gz
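The two defects the issue reports, a downloadUrl served over plain HTTP and a downloadUrl that no longer resolves, can both be found mechanically from the manifest itself. The script below is an added example, not code from this issue or from the repository it is filed against: it reads a manifest in the assumed cgmanifest.json layout (`Registrations[].component.other.downloadUrl`), lists every non-HTTPS entry, probes each URL and groups the failures by status code the way the lists in this thread do. The embedded manifest, its component names and the `mirror.example.test` URLs are constructed for the demo; the `probe` argument exists so the audit can be exercised offline without touching the network.

```python
"""Audit the downloadUrl entries of a Component Governance manifest.

Added example, not the project's own tooling. Assumes the cgmanifest.json
layout: {"Registrations": [{"component": {"type": "other", "other": {
"name": ..., "version": ..., "downloadUrl": ...}}}]}.
"""
import json
import urllib.error
import urllib.request
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample manifest; names and hosts are placeholders for the demo.
SAMPLE_MANIFEST = json.dumps({
    "Registrations": [
        {"component": {"type": "other", "other": {
            "name": "example-http", "version": "1.0",
            "downloadUrl": "http://mirror.example.test/example-1.0.tar.gz"}}},
        {"component": {"type": "other", "other": {
            "name": "example-gone", "version": "2.0",
            "downloadUrl": "https://mirror.example.test/example-2.0.tar.gz"}}},
        {"component": {"type": "other", "other": {
            "name": "example-ok", "version": "3.0",
            "downloadUrl": "https://mirror.example.test/example-3.0.tar.gz"}}},
    ]
})


def download_urls(manifest_text):
    """Return (name, downloadUrl) pairs for every registration that has one."""
    doc = json.loads(manifest_text)
    pairs = []
    for reg in doc.get("Registrations", []):
        other = reg.get("component", {}).get("other", {})
        url = other.get("downloadUrl")
        if url:
            pairs.append((other.get("name", "?"), url))
    return pairs


def insecure_urls(pairs):
    """Entries whose scheme is anything other than https (http, ftp, ...)."""
    return [(n, u) for n, u in pairs if urlparse(u).scheme.lower() != "https"]


def http_status(url, timeout=10):
    """Probe a URL and return its HTTP status code (0 on a network error).

    HEAD is tried first; servers that reject HEAD (403/405) are retried with
    a one-byte ranged GET so a live archive is not misreported as dead.
    """
    def _request(method, extra=None):
        headers = {"User-Agent": "cgmanifest-audit/0.1"}
        headers.update(extra or {})
        req = urllib.request.Request(url, method=method, headers=headers)
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                return resp.status
        except urllib.error.HTTPError as e:
            return e.code
        except (urllib.error.URLError, OSError, ValueError):
            return 0

    code = _request("HEAD")
    if code in (403, 405):
        code = _request("GET", {"Range": "bytes=0-0"})
    return code


def dead_urls(pairs, probe=http_status):
    """Group every non-2xx entry by status code; `probe` is injectable for tests."""
    grouped = defaultdict(list)
    for name, url in pairs:
        code = probe(url)
        if not 200 <= code < 300:
            grouped[code].append((name, url))
    return dict(grouped)


def audit(manifest_text, probe=http_status):
    """Full report: total entries, non-HTTPS entries, dead entries by status."""
    pairs = download_urls(manifest_text)
    return {"total": len(pairs),
            "insecure": insecure_urls(pairs),
            "dead": dead_urls(pairs, probe)}


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_MANIFEST
    report = audit(text)
    print(f"{len(report['insecure'])} of {report['total']} downloadUrls are not HTTPS")
    for name, url in report["insecure"]:
        print(f"  insecure  {name}: {url}")
    for code in sorted(report["dead"]):
        print(f"HTTP {code}")
        for name, url in report["dead"][code]:
            print(f"  {name}: {url}")
```

Run it as `python audit.py path/to/cgmanifest.json` to probe the real manifest; without an argument it audits the embedded sample. A status of 0 means the host did not answer at all (DNS failure, refused connection, TLS error), which is worth reporting separately from an HTTP 404, since a vanished host is the case where a later re-registration of the domain could serve a different archive under the same URL; pinning the expected hash of each source archive alongside the URL is the mitigation regardless of scheme.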

@247arjun
Member Author

247arjun commented Nov 5, 2022

List of dead links

HTTP 403

http://files.musepack.net/source/libmpcdec-1.2.6.tar.bz2
http://pypi.python.org/packages/source/b/blinker/blinker-1.4.tar.gz
http://pypi.python.org/packages/source/d/dtopt/dtopt-0.1.tar.gz
http://pypi.python.org/packages/source/f/fixtures/fixtures-3.0.0.tar.gz
http://pypi.python.org/packages/source/i/itsdangerous/itsdangerous-0.24.tar.gz
http://pypi.python.org/packages/source/t/testrepository/testrepository-0.0.20.tar.gz
https://dianne.skoll.ca/projects/rp-pppoe/download/OLD/rp-pppoe-3.12.tar.gz

HTTP 404

http://ftp.debian.org/debian/pool/main/t/ttf-arphic-uming/ttf-arphic-uming_0.2.20080216.1.orig.tar.gz
https://releases.pagure.org/cmake-fedora/cmake-fedora-2.9.3-Source.tar.gz
http://ftp.de.debian.org/debian/pool/main/c/console-setup/console-setup_1.194.tar.xz
https://downloads.sourceforge.net/project/cscope/cscope/15.9/cscope-15.9.tar.gz
http://ftp.debian.org/debian/pool/main/d/debootstrap/debootstrap_1.0.123.tar.gz
https://people.redhat.com/heinzm/sw/dmraid/src/dmraid-1.0.0.rc16.tar.bz2
https://doxygen.nl/files/doxygen-1.9.3.src.tar.gz
http://ftp.debian.org/debian/pool/main/d/dpkg/dpkg_1.20.10.tar.xz
https://github.com/grondo/edac-utils/archive/refs/tags/edac-utils-0.16.tar.bz2
https://github.com/ofiwg/libfabric/releases/download/v1.12.0rc1/fabtests-1.12.0rc1.tar.bz2
http://www.speech.cs.cmu.edu/flite/packed/flite-1.3/flite-1.3-release.tar.gz
http://download.services.openoffice.org/contrib/dictionaries/cy_GB.zip
https://addons.mozilla.org/firefox/downloads/file/84397/fijian_spelling_dictionary-1.2-fx+tb+sm.xpi
https://addons.mozilla.org/firefox/downloads/file/499875/frysk_wurdboek-3.0.0-tb+fx+sm.xpi
https://addons.mozilla.org/firefox/downloads/file/248540/hawaiian_spell_checker-0.03-tb+fx+fn+sm.xpi
https://addons.mozilla.org/firefox/downloads/file/108895/litreoir_hiligaynon-0.14-tb+fx+sm.xpi
https://addons.mozilla.org/firefox/downloads/file/113003/upper_sorbian_spelling_dictionary-0.0.20060327.3-tb+fx+sm.xpi
http://download.services.openoffice.org/contrib/dictionaries/id_ID.zip
http://download.services.openoffice.org/contrib/dictionaries/mg_MG.zip
http://download.services.openoffice.org/contrib/dictionaries/mi_NZ.zip
http://download.services.openoffice.org/contrib/dictionaries/mk_MK.zip
http://download.services.openoffice.org/contrib/dictionaries/ms_MY.zip
http://download.services.openoffice.org/contrib/dictionaries/rw_RW.zip
http://download.services.openoffice.org/contrib/dictionaries/sl_SI.zip
http://www.it46.se/downloads/openoffice/dictionary/dictionary_myspell_sw_TZ_1.1.tar.gz
http://download.services.openoffice.org/contrib/dictionaries/tet_ID.zip
http://download.services.openoffice.org/contrib/dictionaries/th_TH.zip
http://download.services.openoffice.org/contrib/dictionaries/tl_PH.zip
https://addons.mozilla.org/firefox/downloads/file/347396/tswana_spell_checker-20150904-sm+tb+fx+an+fn.xpi
https://addons.mozilla.org/firefox/downloads/file/376225/tsonga_spell_checker-20110323.1-typefix-fn+sm+tb+fx.xpi
http://download.services.openoffice.org/contrib/dictionaries/hyph_da_DK.zip
http://download.services.openoffice.org/contrib/dictionaries/hyph_de_DE.zip
http://download.services.openoffice.org/contrib/dictionaries/hyph_el_GR.zip
http://download.services.openoffice.org/contrib/dictionaries/hyph_ga_IE.zip
http://download.services.openoffice.org/contrib/dictionaries/hyph_id_ID.zip
http://download.services.openoffice.org/contrib/dictionaries/hyph_is_IS.zip
http://download.services.openoffice.org/contrib/dictionaries/hyph_it_IT.zip
http://download.services.openoffice.org/contrib/dictionaries/hyph_nl_NL.zip
http://download.services.openoffice.org/contrib/dictionaries/hyph_pl_PL.zip
http://download.services.openoffice.org/contrib/dictionaries/hyph_pt_PT.zip
http://download.services.openoffice.org/contrib/dictionaries/hyph_ru_RU.zip
http://download.services.openoffice.org/contrib/dictionaries/hyph_sk_SK.zip
http://download.services.openoffice.org/contrib/dictionaries/hyph_sl_SI.zip
http://download.services.openoffice.org/contrib/dictionaries/hyph_uk_UA.zip
https://github.com/definite/ibus-chewing/releases/download/1.6.1/ibus-chewing-1.6.1-Source.tar.gz
https://releases.pagure.org/ibus-sayura/ibus-rawcode-1.3.2.tar.gz
http://downloads.sourceforge.net/jfsutils/jfsutils-1.1.15.tar.gz
http://www.ladspa.org/download/ladspa_sdk_1.13.tgz
https://github.com/dparrish/libcli/archives/e60d4cca3d0e702c60ad0f9e2eecaa461baa4744.tar.gz
https://github.com/libesmtp/libESMTP/archive/refs/tags/libesmtp-1.0.6.tar.bz2
https://libhangul.googlecode.com/files/libhangul-0.1.0.tar.gz
http://libmodman.googlecode.com/files/libmodman-2.0.1.tar.gz
https://github.com/altlinux/libutempter/archive/refs/tags/libutempter-1.1.6.tar.bz2
http://wvstreams.googlecode.com/files/wvstreams-4.6.1.tar.gz
http://linuxjm.osdn.jp/man-pages-ja-20190815.tar.gz
https://marisa-trie.googlecode.com/files/marisa-0.2.4.tar.gz
http://mecab.googlecode.com/files/mecab-0.996.tar.gz
http://download.services.openoffice.org/contrib/dictionaries/thes_cs_CZ_v2.zip
http://download.services.openoffice.org/contrib/dictionaries/thes_ga_IE_v2.zip
http://download.services.openoffice.org/contrib/dictionaries/thes_ne_NP_v2.zip
http://download.services.openoffice.org/contrib/dictionaries/thes_pt_PT_v2.zip
http://downloads.sourceforge.net/ispell-uk/spell-uk-1.6.5.tgz
https://caml.inria.fr/pub/distrib/ocaml-4.13.1/ocaml-4.13.1.tar.xz
https://gitlab.linphone.org/BC/public/ortp/-/archive/0.23.0/ortp-0.23.0.tar.gz
https://cpan.metacpan.org/authors/id/S/SU/SUMMER/Image-Xbm-1.10.tar.gz
https://cpan.metacpan.org/authors/id/S/SU/SUMMER/Image-Xpm-1.13.tar.gz
http://snmp-session.googlecode.com/files/SNMP_Session-1.13.tar.gz
https://cpan.metacpan.org/authors/id/R/RG/RGARCIA/Switch-2.17.tar.gz
https://cpan.metacpan.org/authors/id/G/GA/GAAS/Unicode-String-2.10.tar.gz
https://github.com/vathpela/pesign/releases/download/0.112/pesign-0.112.tar.bz2
https://github.com/baszoetekouw/pinfo/archive/refs/tags/pinfo-0.6.10.tar.bz2
http://downloads.sourceforge.net/opensc/pkcs11-helper-1.22.tar.bz2
https://github.com/stratis-storage/hs-dbus-signature/archive/v0.06/hs-dbus-signature-0.06.tar.gz
https://files.pythonhosted.org/packages/source/s/paramiko/python-should_dsl-2.1.2.tar.gz
https://download.qt.io/official_releases/qt/5.12/5.12.11/submodules/qtbase-everywhere-src-5.12.11.tar.xz
https://download.qt.io/official_releases/qt/5.14/5.14.2/submodules/qtconnectivity-everywhere-src-5.14.2.tar.xz
https://download.qt.io/official_releases/qt/5.12/5.12.5/submodules/qtdeclarative-everywhere-src-5.12.5.tar.xz
https://download.qt.io/official_releases/qt/5.14/5.14.2/submodules/qtsensors-everywhere-src-5.14.2.tar.xz
https://download.qt.io/official_releases/qt/5.12/5.12.11/submodules/qtsvg-everywhere-src-5.12.11.tar.xz
https://download.qt.io/official_releases/qt/5.12/5.12.5/submodules/qttools-everywhere-src-5.12.5.tar.xz
https://ftp.samba.org/pub/samba/samba-4.12.5.tar.gz
https://www.riverbankcomputing.com/static/Downloads/sip/4.19.21/sip-4.19.21.tar.gz
https://bitbucket.org/asomov/snakeyaml/get/snakeyaml-1.25.tar.bz2
https://www.stunnel.org/downloads/stunnel-5.56.tar.gz
https://github.com/varnish/varnish-modules/releases/download/varnish-modules-0.16.0/varnish-modules-0.16.0.tar.gz
http://ftp.debian.org/debian/pool/main/w/whois/whois_5.5.7.tar.xz
http://wvstreams.googlecode.com/files/wvdial-1.61.tar.gz
https://www.zlib.net/zlib-1.2.12.tar.xz

HTTP 410

https://bintray.com/artifact/download/pcp/source/pcp-5.1.1.src.tar.gz

HTTP 500

http://www.abcburkina.net/ancien/documents/lingu/DicoMoore.zip

247arjun changed the title from "CG Manifest links to outdated, insecure component downloadUrls" to "CG Manifest links to dead/insecure component downloadUrls" on Nov 5, 2022
@247arjun
Member Author

247arjun commented Nov 5, 2022

List of valid insecure (HTTP) links

http://archive.apache.org/dist/commons/codec/source/commons-codec-1.15-src.tar.gz
http://archive.apache.org/dist/commons/collections/source/commons-collections4-4.1-src.tar.gz
http://archive.apache.org/dist/commons/compress/source/commons-compress-1.19-src.tar.gz
http://archive.apache.org/dist/commons/lang/source/commons-lang-2.6-src.tar.gz
http://archive.apache.org/dist/commons/net/source/commons-net-3.6-src.tar.gz
http://ftp.netfilter.org/pub/arptables/arptables-0.0.5.tar.gz
http://download.augeas.net/augeas-1.12.0.tar.gz
http://kldp.net/baekmuk/release/865-baekmuk-ttf-2.2.tar.gz
http://archive.apache.org/dist/commons/bcel/source/bcel-5.2-src.tar.gz
http://cal10n.qos.ch/dist/cal10n-0.7.7.tar.gz
http://www.lua.org/ftp/lua-5.1.5.tar.gz
http://www.etallen.com/cpuid/cpuid-20200427.src.tar.gz
http://download.openvz.org/criu/criu-3.15.tar.bz2
http://www.dechifro.org/dcraw/archive/dcraw-9.28.0.tar.gz
http://www.pell.portland.or.us/~orc/Code/discount/discount-2.2.4.tar.bz2
http://fy.chalmers.se/~appro/linux/DVD+RW/tools/dvd+rw-tools-7.1.tar.gz
http://www.abisource.com/downloads/enchant/1.6.0/enchant-1.6.0.tar.gz
http://ftp.astron.com/pub/file/file-5.40.tar.gz
http://ftp.linux.org.uk/pub/linux/Networking/netkit/bsd-finger-0.17.tar.gz
http://ftp.gnu.org/gnu/freeipmi/freeipmi-1.6.6.tar.gz
http://ftp.gnu.org/gnu/gmp/gmp-6.2.1.tar.xz
http://ftp.frugalware.org/pub/other/sources/gnu.regexp/gnu.regexp-1.1.4.tar.gz
http://ftp.gnu.org/gnu/gperf/gperf-3.1.tar.gz
http://ftp.gnu.org/gnu/gsl/gsl-2.6.tar.gz
http://www.haproxy.org/download/2.4/src/haproxy-2.4.13.tar.gz
http://ftp.debian.org/debian/pool/main/h/hardening-wrapper/hardening-wrapper_2.6.tar.xz
http://rigaux.org/hexedit-1.2.13.src.tgz
http://downloads.puppetlabs.com/hiera/hiera-3.7.0.tar.gz
http://www.andre-simon.de/zip/highlight-3.54.tar.bz2
http://www.cs.ru.nl/~biniam/geez/dict/am_ET.zip
http://www.moheb.de/download/dict-cop_EG_v03.oxt
http://ftp.gnu.org/gnu/aspell/dict/csb/aspell6-csb-0.02-0.tar.bz2
http://hunspell.chv.su/files/Chuvash_Spell-1.06.oxt
http://ispell.math.upatras.gr/files/ooffice/el_GR-0.9.zip
http://www.esperantilo.org/literumilo-fontoj.tar.gz
http://www.meso.ee/~jjpp/speller/ispell-et_20030606.tar.gz
http://ftp.gnu.org/gnu/aspell/dict/gv/aspell-gv-0.50-0.tar.bz2
http://cvs.linux.hr/spell/myspell/hr_HR.zip
http://ftp.gnu.org/gnu/aspell/dict/ky/aspell6-ky-0.01-0.tar.bz2
http://downloads.spellchecker.lu/packages/OOo3/SpellcheckerLu.oxt
http://www.sk-spell.sk.cx/files/hunspell-sk-20110228.zip
http://www.shkenca.org/shkarkime/myspell-sq_AL-1.6.4.zip
http://www.cs.ru.nl/~biniam/geez/dict/ti_ER.zip
http://tango.freedesktop.org/releases/icon-naming-utils-0.8.90.tar.bz2
http://www.ex-parrot.com/~pdw/iftop/download/iftop-1.0pre4.tar.gz
http://guichaz.free.fr/iotop/files/iotop-0.6.tar.gz
http://ftp.altlinux.org/pub/people/legion/kbd/kbd-2.2.0.tar.xz
http://www.nlnetlabs.nl/downloads/ldns/ldns-1.7.0.tar.gz
http://lftp.yar.ru/ftp/lftp-4.9.2.tar.xz
http://0pointer.de/lennart/projects/libasyncns/libasyncns-0.8.tar.gz
http://0pointer.de/public/libatasmart-0.19.tar.xz
http://ftp.gnu.org/gnu/libcdio/libcdio-2.0.0.tar.gz
http://ftp.gnu.org/gnu/libcdio/libcdio-paranoia-10.2+2.0.0.tar.bz2
http://cvs.schmorp.de/libecb/?view=tar&pathrev=rxvt-unicode-rel-9_30
http://dist.schmorp.de/libev/Attic/libev-4.33.tar.gz
http://www.citi.umich.edu/projects/nfsv4/linux/libgssglue/libgssglue-0.4.tar.gz
http://ftp.de.debian.org/debian/pool/main/libl/liblockfile/liblockfile_1.14.orig.tar.gz
http://dist.schmorp.de/liblzf/liblzf-3.6.tar.gz
http://www.cabextract.org.uk/libmspack/libmspack-0.10.1alpha.tar.gz
http://ftp.debian.org/debian/pool/main/libp/libpaper/libpaper_1.1.28.tar.gz
http://ftp.gnu.org/gnu/libsigsegv/libsigsegv-2.11.tar.gz
http://snowball.tartarus.org/dist/libstemmer_c.tgz
http://ftp.gnu.org/gnu/libtool/libtool-2.4.6.tar.xz
http://ftp.gnu.org/gnu/libunistring/libunistring-0.9.10.tar.xz
http://xmlsoft.org/sources/libxslt-1.1.34.tar.gz
http://sg.danny.cz/scsi/lsscsi-0.32.tar.xz
http://www.ltrace.org/ltrace_0.7.3.orig.tar.bz2
http://www.inf.puc-rio.br/~roberto/lpeg/lpeg-1.0.2.tar.gz
http://www.oberhumer.com/opensource/lzo/download/lzo-2.10.tar.gz
http://download-mirror.savannah.gnu.org/releases/m17n/m17n-db-1.8.0.tar.gz
http://projectmallard.org/download/mallard-rng-1.1.0.tar.bz2
http://tropikhajma.sweb.cz/man-pages-cs/man-pages-cs-0.18.20090209.tar.lzma
http://ditec.um.es/~piernas/manpages-es/man-pages-es-1.55.tar.bz2
http://archive.apache.org/dist/maven/plugins/maven-compiler-plugin-3.8.1-source-release.zip
http://ftp.midnight-commander.org/mc-4.8.27.tar.xz
http://glaros.dtc.umn.edu/gkhome/fetch/sw/metis/metis-5.1.0.tar.gz
http://esperanto.mv.ru/Download/dict-eo.oxt
http://data.opentaal.org/opentaalbank/thesaurus/download/thes_nl.oxt
http://www.sk-spell.sk.cx/thesaurus/download/OOo-Thesaurus2-sk_SK.zip
http://88.200.20.8:85/download/thes_sl_SI_v2.zip
http://iij.dl.osdn.jp/nkf/64158/nkf-2.1.4.tar.gz
http://download.camlcity.org/download/findlib-1.8.1.tar.gz
http://dict.dv.lv/download/lv_LV-1.0.0.oxt
http://archive.apache.org/dist/jakarta/oro/jakarta-oro-2.0.8.tar.gz
http://ftp.us.debian.org/debian/pool/main/o/os-prober/os-prober_1.77.tar.xz
http://www.manyfish.co.uk/pakchois/pakchois-0.4.tar.gz
http://ftp.gnu.org/gnu/parallel/parallel-20190922.tar.bz2
http://cyberelk.net/tim/data/patchutils/stable/patchutils-0.4.2.tar.xz
http://cpan.org/authors/id/S/SH/SHERZODR/Config-Simple-4.59.tar.gz
http://cpan.metacpan.org/authors/id/L/LE/LEONT/CPAN-Meta-Check-0.014.tar.gz
http://cpan.metacpan.org/authors/id/H/HA/HAARG/Devel-GlobalDestruction-XS-0.03.tar.gz
http://cpan.metacpan.org/authors/id/D/DA/DAGOLDEN/File-pushd-1.016.tar.gz
http://cpan.org/authors/id/B/BH/BHALLISSY/Font-TTF-1.06.tar.gz
http://www.cpan.org/modules/by-module/Mail/Mail-AuthenticationResults-1.20200108.tar.gz
http://cpan.metacpan.org/authors/id/S/SR/SRI/Mojolicious-8.57.tar.gz
http://cpan.metacpan.org/authors/id/R/RJ/RJBS/Sub-Exporter-0.987.tar.gz
http://download.pear.php.net/package/PEAR-1.10.13.tgz
http://www.icculus.org/physfs/downloads/physfs-3.0.2.tar.bz2
http://fmv.jku.at/picosat/picosat-965.tar.gz
http://ftp.rpm.org/popt/releases/popt-1.x/popt-1.18.tar.gz
http://cyberelk.net/tim/data/portreserve/stable/portreserve-0.0.5.tar.bz2
http://seb.dbzteam.org/pub/pyinotify/releases/pyinotify-0.9.6.tar.gz
http://www.infradead.org/~mchehab/rasdaemon/rasdaemon-0.6.4.tar.bz2
http://ftp.rpm.org/releases/rpm-4.18.x/rpm-4.18.0.tar.bz2
http://0pointer.de/public/rtkit-0.11.tar.xz
http://download.augeas.net/ruby/ruby-augeas-0.5.0.tgz
http://ftp.linux.org.uk/pub/linux/Networking/netkit/netkit-rusers-0.17.tar.gz
http://sg.danny.cz/sg/p/sdparm-1.11.tgz
http://www.dest-unreach.org/socat/download/socat-1.7.4.3.tar.gz
http://www.lcdf.org/~eddietwo/type/t1utils-1.42.tar.gz
http://ftp.gnu.org/gnu/texinfo/texinfo-6.8.tar.xz
http://fallabs.com/tokyocabinet/tokyocabinet-1.4.48.tar.gz
http://mama.indstate.edu/users/ice/tree/src/tree-1.8.0.tgz
http://www.unicode.org/copyright.html
http://www.unicode.org/Public/zipped/13.0.0/UCD.zip
http://www.unixodbc.org/unixODBC-2.3.9.tar.gz
http://www.and.org/ustr/1.0.4/ustr-1.0.4.tar.bz2
http://varnish-cache.org/_downloads/varnish-6.4.0.tgz
http://ftp.gnu.org/gnu/which/which-2.21.tar.gz
http://downloads.yoctoproject.org/releases/xrestop/xrestop-0.4.tar.gz
http://ftp.invisible-island.net/archives/xterm/xterm-372.tgz

@PawelWMS
Contributor

PawelWMS commented Nov 7, 2022

Wow, thank you for the detailed analysis, @247arjun! We are cleaning up the manifest entries as we go and have plans to give it a more thorough sweep, so this will help immensely!

@Malateshk007

Malateshk007 commented May 14, 2024

@247arjun, thank you for reporting the issue. We maintain individual copies of each source archive in our blob storage, and the necessity to update the secure link was not a prior concern. Rest assured, we are committed to resolving it promptly.


3 participants