Astral Sorcery

[SECURITY] Releases are built/executed/released in the context of insecure/untrusted code

JLLeitschuh opened this issue · 2 comments

commented

CWE-829: Inclusion of Functionality from Untrusted Control Sphere

All of these build files include resolving dependencies over HTTP instead of HTTPS. Any of these artifacts could have been MITM'd to maliciously compromise them and infect the build artifacts that were produced. Additionally, if any of these JAR files were compromised, any developers using these could continue to be infected even after updating to fix this.

```groovy
maven {
    name = "forge"
    url = "http://files.minecraftforge.net/maven"
}
```

```groovy
repositories {
    maven {
        // location of the maven that hosts JEI files
        url = "http://dvs1.progwml6.com/files/maven"
    }
    maven {
        // CraftTweaker
        name 'jared maven'
        url "http://maven.blamejared.com/"
    }
    maven {
        // Baubles
        name 'thiakil'
        url 'http://maven.thiakil.com'
    }
    maven {
        // Gamestages stuff
        url 'https://maven.mcmoddev.com'
    }
    maven {
        // CTM
        url 'https://maven.tterrag.com'
    }
}
```

This vulnerability has a CVSS v3.0 Base Score of 8.1/10
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

This isn't just theoretical; POC code already exists to maliciously compromise JAR files in flight.

See:

To fix: Update your build.gradle so that artifacts are resolved over HTTPS instead of HTTP.
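As an added example (not code from this issue or from the Astral Sorcery project), the following Python script implements the check the report calls for: it scans a Gradle build script for repository `url` entries that use plain `http://`, flags any `allowInsecureProtocol = true` opt-out that would keep plain HTTP enabled, and rewrites the URLs to `https://`. The build.gradle text embedded in the script is a constructed sample modelled on the fragments quoted above; the `ivy` block pointing at `example.invalid` is invented to show the opt-out case.

```python
"""Scan a Gradle build script for dependency repositories resolved over plain
HTTP (the CWE-829 exposure described in the issue) and rewrite them to HTTPS.

Added example; not code from the Astral Sorcery project.
"""
import re
import sys

# Constructed sample modelled on the build.gradle fragments quoted in the issue.
# The ivy block with example.invalid is invented to show the opt-out case.
SAMPLE_BUILD_GRADLE = """\
repositories {
    maven {
        name = "forge"
        url = "http://files.minecraftforge.net/maven"
    }
    maven {
        // location of the maven that hosts JEI files
        url = "http://dvs1.progwml6.com/files/maven"
    }
    maven {
        // Gamestages stuff
        url 'https://maven.mcmoddev.com'
    }
    ivy {
        url "http://example.invalid/ivy"
        allowInsecureProtocol = true
    }
}
"""

# Matches a Groovy-DSL url setting in either form: url = "..." or url '...'
URL_RE = re.compile(r"""\burl(?P<sep>\s*=?\s*)(?P<q>['"])(?P<url>[^'"]+)(?P=q)""")
# The Gradle opt-out that re-enables plain HTTP for a repository.
OPT_OUT_RE = re.compile(r"\ballowInsecureProtocol\s*=?\s*true\b")


def _is_comment(line):
    """True for lines that are only a Groovy comment (skipped by the checks)."""
    return line.lstrip().startswith(("//", "*", "/*"))


def find_insecure_repo_urls(text):
    """Return [(line_no, url)] for every repository url using plain http://."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        if _is_comment(line):
            continue
        for m in URL_RE.finditer(line):
            if m.group("url").lower().startswith("http://"):
                hits.append((n, m.group("url")))
    return hits


def find_insecure_opt_outs(text):
    """Return line numbers where the build opts back into insecure transport."""
    return [n for n, line in enumerate(text.splitlines(), 1)
            if not _is_comment(line) and OPT_OUT_RE.search(line)]


def rewrite_to_https(text):
    """Rewrite http:// repository urls to https://. Returns (new_text, count).

    The allowInsecureProtocol opt-out is reported but left in place: removing
    it is a per-repository decision once the host is confirmed to serve TLS.
    """
    count = 0

    def repl(m):
        nonlocal count
        url = m.group("url")
        if url.lower().startswith("http://"):
            count += 1
            url = "https://" + url[len("http://"):]
        return f"url{m.group('sep')}{m.group('q')}{url}{m.group('q')}"

    out = []
    for line in text.splitlines(keepends=True):
        out.append(line if _is_comment(line) else URL_RE.sub(repl, line))
    return "".join(out), count


def main(paths):
    """Report findings for each build script path; return 1 if any are insecure."""
    bad = False
    for path in paths:
        with open(path, encoding="utf-8") as fh:
            text = fh.read()
        for n, url in find_insecure_repo_urls(text):
            print(f"{path}:{n}: insecure repository url {url}")
            bad = True
        for n in find_insecure_opt_outs(text):
            print(f"{path}:{n}: allowInsecureProtocol = true keeps plain HTTP enabled")
            bad = True
    return 1 if bad else 0


if __name__ == "__main__":
    if len(sys.argv) > 1:
        sys.exit(main(sys.argv[1:]))
    # No paths given: demonstrate on the constructed sample.
    for n, url in find_insecure_repo_urls(SAMPLE_BUILD_GRADLE):
        print(f"sample:{n}: insecure repository url {url}")
    fixed, n = rewrite_to_https(SAMPLE_BUILD_GRADLE)
    print(f"rewrote {n} url(s); remaining insecure: {find_insecure_repo_urls(fixed)}")
```

Swapping the scheme is only half the fix: the host has to actually serve the repository over TLS with a valid certificate, which, as the maintainer's replies in this thread note, was not yet true of every repository listed here. Gradle 7 and later refuse `http://` repository URLs outright unless `allowInsecureProtocol = true` is set on the repository, which is why the script also flags that opt-out rather than treating a clean `https://` rewrite as the end of the job.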

commented

"On hold" more or less until JEI's maven repo either allows for a secure connection or is hosted somewhere else that allows for that.

commented

There's seemingly at least some movement to move to HTTPS on the last maven repository I'm waiting on; however, this is with that kinda resolved. Will keep an eye on it and switch as soon as it's available through more secure means. Sharing the same opinion as KingLemming from the issue posted on CoFH/Feedback about the same thing.
Closing this as I don't deem it necessary to keep it open.