This is an automated email from the ASF dual-hosted git repository.
claude pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/creadur-rat.git
The following commit(s) were added to refs/heads/master by this push:
new 9aa438a2 RAT-440: Upgrade Doxia to 2.0.0 to fix CVEs: CVE-2025-48924,
CVE-2020-10683, CVE-2018-1000632, CVE-2020-13936 and CVE-2020-13959 (#553)
9aa438a2 is described below
commit 9aa438a22fc1a74f01387873316fce1fab36dd46
Author: guptas6est <[email protected]>
AuthorDate: Tue Nov 18 17:07:54 2025 +0000
RAT-440: Upgrade Doxia to 2.0.0 to fix CVEs: CVE-2025-48924,
CVE-2020-10683, CVE-2018-1000632, CVE-2020-13936 and CVE-2020-13959 (#553)
* Upgrade Doxia to 2.0.0 to fix CVEs: CVE-2025-48924, CVE-2020-10683,
CVE-2018-1000632, CVE-2020-13936 and CVE-2020-13959
* RAT-440: Upgrade Doxia to 2.0.0 to fix CVEs: CVE-2025-48924,
CVE-2020-10683, CVE-2018-1000632, CVE-2020-13936 and CVE-2020-13959
---
apache-rat-plugin/pom.xml | 59 ++++++--
.../main/java/org/apache/rat/mp/RatReportMojo.java | 159 ++++++++++++++-------
.../java/org/apache/rat/mp/RatTestHelpers.java | 11 +-
apache-rat-tools/src/main/resources/Maven.tpl | 2 +-
src/site/markdown/development/ui/generator.md | 2 +-
5 files changed, 162 insertions(+), 71 deletions(-)
diff --git a/apache-rat-plugin/pom.xml b/apache-rat-plugin/pom.xml
index 310ca7e7..d047c435 100644
--- a/apache-rat-plugin/pom.xml
+++ b/apache-rat-plugin/pom.xml
@@ -26,15 +26,14 @@
<packaging>maven-plugin</packaging>
<name>Apache Creadur RAT::Plugin4Maven</name>
<description>A plugin for Apache Maven that runs Apache RAT
- to audit the source to be distributed.</description>
+ to audit the source to be distributed.</description>
<inceptionYear>2007</inceptionYear>
<prerequisites>
<maven>${mavenMinVersion}</maven>
</prerequisites>
<properties>
<currentVersion>${project.version}</currentVersion>
- <doxiaVersion>1.12.0</doxiaVersion>
- <doxiaSitetoolsVersion>1.11.1</doxiaSitetoolsVersion>
+ <doxiaVersion>2.0.0</doxiaVersion>
</properties>
<build>
<resources>
@@ -376,12 +375,12 @@
</dependency>
<dependency>
<groupId>org.apache.maven.doxia</groupId>
- <artifactId>doxia-decoration-model</artifactId>
- <version>${doxiaSitetoolsVersion}</version>
+ <artifactId>doxia-site-model</artifactId>
+ <version>${doxiaVersion}</version>
</dependency>
<dependency>
<groupId>org.apache.maven.doxia</groupId>
- <artifactId>doxia-module-xhtml</artifactId>
+ <artifactId>doxia-module-xhtml5</artifactId>
<version>${doxiaVersion}</version>
</dependency>
<dependency>
@@ -392,7 +391,7 @@
<dependency>
<groupId>org.apache.maven.doxia</groupId>
<artifactId>doxia-integration-tools</artifactId>
- <version>${doxiaSitetoolsVersion}</version>
+ <version>${doxiaVersion}</version>
<exclusions>
<exclusion>
<groupId>org.codehaus.plexus</groupId>
@@ -403,7 +402,7 @@
<dependency>
<groupId>org.apache.maven.doxia</groupId>
<artifactId>doxia-site-renderer</artifactId>
- <version>${doxiaSitetoolsVersion}</version>
+ <version>${doxiaVersion}</version>
<exclusions>
<exclusion>
<groupId>org.codehaus.plexus</groupId>
@@ -414,7 +413,7 @@
<dependency>
<groupId>org.apache.maven.reporting</groupId>
<artifactId>maven-reporting-api</artifactId>
- <version>3.1.1</version>
+ <version>4.0.0</version>
</dependency>
<dependency>
<groupId>org.apache.maven.shared</groupId>
@@ -471,4 +470,46 @@
</plugin>
</plugins>
</reporting>
+ <developers>
+ <developer>
+ <id>jochen</id>
+ <name>Jochen Wiedmann</name>
+ <email>[email protected]</email>
+ </developer>
+ </developers>
+ <contributors>
+ <contributor>
+ <name>Bernd Bohmann</name>
+ <email>[email protected]</email>
+ </contributor>
+ <contributor>
+ <name>Lars Trieloff</name>
+ <email>[email protected]</email>
+ </contributor>
+ <contributor>
+ <name>Jukka Zitting</name>
+ <email>[email protected]</email>
+ </contributor>
+ </contributors>
+ <!--
+ <profiles>
+ <profile>
+ <id>apache-release</id>
+ <build>
+ <plugins>
+ <plugin>
+ <artifactId>maven-docck-plugin</artifactId>
+ <executions>
+ <execution>
+ <goals>
+ <goal>check</goal>
+ </goals>
+ </execution>
+ </executions>
+ </plugin>
+ </plugins>
+ </build>
+ </profile>
+ </profiles>
+-->
</project>
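Review bot: The commented-out `<profiles>` block added at the end of this hunk is dead configuration, and the new `<developers>`/`<contributors>` sections are unrelated to the Doxia upgrade named in the commit title. Bundling them into a CVE-remediation commit makes the security change harder to audit and to backport. I would drop the commented `apache-release` profile. If it is meant to return, replace it with a one-line comment such as `<!-- maven-docck-plugin check disabled: <reason / issue id> -->`, and move the metadata additions to a separate commit.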
diff --git
a/apache-rat-plugin/src/main/java/org/apache/rat/mp/RatReportMojo.java
b/apache-rat-plugin/src/main/java/org/apache/rat/mp/RatReportMojo.java
index 2f883d6e..900d78f2 100644
--- a/apache-rat-plugin/src/main/java/org/apache/rat/mp/RatReportMojo.java
+++ b/apache-rat-plugin/src/main/java/org/apache/rat/mp/RatReportMojo.java
@@ -32,14 +32,13 @@ import java.util.Map;
import java.util.ResourceBundle;
import org.apache.maven.artifact.Artifact;
-import org.apache.maven.artifact.repository.ArtifactRepository;
import org.apache.maven.doxia.sink.Sink;
import org.apache.maven.doxia.sink.SinkFactory;
import org.apache.maven.doxia.sink.impl.SinkEventAttributeSet;
-import org.apache.maven.doxia.site.decoration.DecorationModel;
+import org.apache.maven.doxia.site.SiteModel;
+import org.apache.maven.doxia.siterenderer.DocumentRenderingContext;
import org.apache.maven.doxia.siterenderer.Renderer;
import org.apache.maven.doxia.siterenderer.RendererException;
-import org.apache.maven.doxia.siterenderer.RenderingContext;
import org.apache.maven.doxia.siterenderer.SiteRenderingContext;
import org.apache.maven.doxia.siterenderer.sink.SiteRendererSink;
import org.apache.maven.doxia.tools.SiteTool;
@@ -57,6 +56,8 @@ import org.apache.rat.Reporter;
import org.apache.rat.VersionInfo;
import org.apache.rat.license.LicenseSetFactory.LicenseFilter;
import org.codehaus.plexus.util.ReaderFactory;
+import org.eclipse.aether.repository.ArtifactRepository;
+import org.eclipse.aether.repository.RemoteRepository;
import static org.apache.maven.shared.utils.logging.MessageUtils.buffer;
@@ -95,9 +96,18 @@ public class RatReportMojo extends AbstractRatMojo
implements MavenMultiPageRepo
/**
* Remote repositories used for the project.
+ *
+ * @deprecated replaced by {@link #remoteRepositories}
*/
@Parameter(defaultValue = "${project.remoteArtifactRepositories}",
readonly = true, required = true)
- protected List<ArtifactRepository> remoteRepositories;
+ @Deprecated
+ protected List<ArtifactRepository> remoteArtifactRepositories;
+
+ /**
+ * Remote repositories used for the project.
+ */
+ @Parameter(defaultValue = "${project.remoteProjectRepositories}", readonly
= true, required = true)
+ protected List<RemoteRepository> remoteRepositories;
/**
* SiteTool.
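Review bot: The deprecated `remoteArtifactRepositories` field no longer has the element type that its `${project.remoteArtifactRepositories}` default supplies. The import hunks above replace `org.apache.maven.artifact.repository.ArtifactRepository` with `org.eclipse.aether.repository.ArtifactRepository`, so the unqualified `List<ArtifactRepository>` now names the Aether interface, while that expression yields Maven's legacy repository type. Erasure lets the injection succeed, so the mismatch would only surface as a `ClassCastException` when an element is read. Either declare it as `protected List<org.apache.maven.artifact.repository.ArtifactRepository> remoteArtifactRepositories;` or remove the field and the Aether `ArtifactRepository` import if nothing reads it, which the visible hunks suggest. The two fields also share the same Javadoc sentence, so the new one could say it holds the `${project.remoteProjectRepositories}` list passed to skin resolution.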
@@ -152,9 +162,9 @@ public class RatReportMojo extends AbstractRatMojo
implements MavenMultiPageRepo
getSiteRenderer().copyResources(siteContext, outputDirectory);
// TODO Replace null with real value
- RenderingContext docRenderingContext = new
RenderingContext(outputDirectory, filename, null);
-
- SiteRendererSink sink = new SiteRendererSink(docRenderingContext);
+ DocumentRenderingContext docContext =
+ new DocumentRenderingContext(outputDirectory, filename,
"xhtml5");
+ SiteRendererSink sink = new SiteRendererSink(docContext);
generate(sink, null, locale);
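Review bot: The context comment `// TODO Replace null with real value` directly above the new `DocumentRenderingContext` is now stale, because the third constructor argument is the literal `"xhtml5"` rather than `null`. It should be removed or replaced with something like `// parser id must match the doxia-module-xhtml5 dependency`. The same literal is repeated in `generateReportManually` further down this file, so a shared `private static final String PARSER_ID = "xhtml5";` would keep the two call sites in step. The enclosing method starts and ends outside this hunk.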
@@ -163,12 +173,13 @@ public class RatReportMojo extends AbstractRatMojo
implements MavenMultiPageRepo
if (!outputDirectory.exists() && !outputDirectory.mkdirs()) {
getLog().error("Unable to create output directory: " +
outputDirectory);
}
-
try (Writer writer = new OutputStreamWriter(
- Files.newOutputStream(new File(outputDirectory,
filename).toPath()), getOutputEncoding())) {
+ Files.newOutputStream(new File(outputDirectory,
filename).toPath()),
+ getOutputEncoding())) {
// render report
getSiteRenderer().mergeDocumentIntoSite(writer, sink,
siteContext);
}
+
}
// copy generated resources also
@@ -179,53 +190,117 @@ public class RatReportMojo extends AbstractRatMojo
implements MavenMultiPageRepo
}
}
- private SiteRenderingContext createSiteRenderingContext(final Locale
locale) throws MavenReportException, IOException {
- DecorationModel decorationModel = new DecorationModel();
+ private SiteRenderingContext createSiteRenderingContext(final Locale
locale)
+ throws MavenReportException, IOException {
+ SiteModel siteModel = new SiteModel();
Map<String, Object> templateProperties = new HashMap<>();
- // We tell the skin that we are rendering in standalone mode
templateProperties.put("standalone", Boolean.TRUE);
templateProperties.put("project", getProject());
templateProperties.put("inputEncoding", getInputEncoding());
templateProperties.put("outputEncoding", getOutputEncoding());
- // Put any of the properties in directly into the Velocity context
for (Map.Entry<Object, Object> entry :
getProject().getProperties().entrySet()) {
templateProperties.put((String) entry.getKey(), entry.getValue());
}
- SiteRenderingContext context;
+ org.apache.maven.doxia.site.Skin siteSkin = siteModel.getSkin();
+
+ if (siteSkin == null || siteSkin.getGroupId() == null
+ || siteSkin.getArtifactId() == null || siteSkin.getVersion()
== null) {
+ getLog().debug("No skin configuration found in site.xml. Using
default Maven skin configuration.");
+
+ // Create a minimal default skin configuration
+ siteSkin = new org.apache.maven.doxia.site.Skin();
+ siteSkin.setGroupId("org.apache.maven.skins");
+ siteSkin.setArtifactId("maven-fluido-skin");
+ }
+
try {
- Artifact skinArtifact =
siteTool.getSkinArtifactFromRepository(session.getLocalRepository(),
- remoteRepositories, decorationModel);
+ Artifact skinArtifact = siteTool.getSkinArtifactFromRepository(
+ session.getRepositorySession(),
+ remoteRepositories,
+ siteSkin
+ );
getLog().debug(buffer().a("Rendering content with
").strong(skinArtifact.getId() + " skin").a('.').build());
- context = siteRenderer.createContextForSkin(skinArtifact,
templateProperties, decorationModel,
- project.getName(), locale);
+ SiteRenderingContext context = siteRenderer.createContextForSkin(
+ skinArtifact,
+ templateProperties,
+ siteModel,
+ project.getName(),
+ locale
+ );
+ context.setRootDirectory(project.getBasedir());
+ return context;
+
} catch (SiteToolException e) {
throw new MavenReportException("Failed to retrieve skin artifact",
e);
} catch (RendererException e) {
throw new MavenReportException("Failed to create context for
skin", e);
}
-
- // Generate static site
- context.setRootDirectory(project.getBasedir());
-
- return context;
}
/**
- * Generate a report.
+ * This method is called when the report generation is invoked by
+ * maven-site-plugin.
*
* @param sink the sink to use for the generation.
+ * @param sinkFactory the sink factory to use for the generation.
* @param locale the wanted locale to generate the report, could be null.
* @throws MavenReportException if any
- * @deprecated use {@link #generate(Sink, SinkFactory, Locale)} instead.
*/
- @Deprecated
@Override
- public void generate(final org.codehaus.doxia.sink.Sink sink, final Locale
locale) throws MavenReportException {
- generate(sink, null, locale);
+ public void generate(final Sink sink, final SinkFactory sinkFactory, final
Locale locale) throws MavenReportException {
+ if (!canGenerateReport()) {
+ // This report cannot be generated as part of the current build.
+ getLog().info("This report cannot be generated as part of the
current build. "
+ + "The report name should be referenced in this line of
output.");
+ } else {
+ this.sink = sink;
+ this.sinkFactory = sinkFactory;
+
+ if (!(sink instanceof SiteRendererSink)) {
+
+ generateReportManually(locale);
+ } else {
+ executeReport(locale);
+ }
+
+ closeReport();
+ }
+ }
+
+ private void generateReportManually(final Locale locale) throws
MavenReportException {
+ try {
+ File outputDir = new File(getOutputDirectory());
+ String filename = getOutputName() + ".html";
+
+ SiteRenderingContext siteContext =
createSiteRenderingContext(locale);
+
+ if (!outputDir.exists() && !outputDir.mkdirs()) {
+ getLog().error("Unable to create output directory: " +
outputDir);
+ }
+
+ DocumentRenderingContext docContext =
+ new DocumentRenderingContext(outputDir, filename,
"xhtml5");
+
+ SiteRendererSink sink = new SiteRendererSink(docContext);
+
+ this.sink = sink;
+ this.sinkFactory = null;
+
+ executeReport(locale);
+
+ try (Writer writer = new OutputStreamWriter(
+ Files.newOutputStream(new File(outputDir,
filename).toPath()),
+ getOutputEncoding())) {
+ getSiteRenderer().mergeDocumentIntoSite(writer, sink,
siteContext);
+ }
+
+ } catch (IOException | RendererException e) {
+ throw new MavenReportException("Failed to render RAT report
manually", e);
+ }
}
/**
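Review bot: The fallback skin in `createSiteRenderingContext` sets a groupId and artifactId but no version, so the skin artifact fetched from `remoteRepositories` is not pinned. Because `siteModel` is a freshly constructed `new SiteModel()`, this branch appears to be taken on every run, and the debug text about `site.xml` is misleading since no site descriptor is read here. With the version unset, resolution is left to `SiteTool`, which as far as I recall falls back to the newest release it can find. That makes the report non-reproducible and lets whichever skin jar a configured repository serves supply the templates that are rendered with the full project property map in `templateProperties`. Pin it next to the other two setters, e.g. `siteSkin.setVersion("<pinned-skin-version>");` with the value taken from a POM property, and reword the log line to `"Using default Maven skin."`.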
@@ -241,32 +316,6 @@ public class RatReportMojo extends AbstractRatMojo
implements MavenMultiPageRepo
generate(sink, null, locale);
}
- /**
- * This method is called when the report generation is invoked by
- * maven-site-plugin.
- *
- * @param sink the sink to use for the generation.
- * @param sinkFactory the sink factory to use for the generation.
- * @param locale the wanted locale to generate the report, could be null.
- * @throws MavenReportException if any
- */
- @Override
- public void generate(final Sink sink, final SinkFactory sinkFactory, final
Locale locale) throws MavenReportException {
- if (!canGenerateReport()) {
- getLog().info("This report cannot be generated as part of the
current build. "
- + "The report name should be referenced in this line of
output.");
- return;
- }
-
- this.sink = sink;
-
- this.sinkFactory = sinkFactory;
-
- executeReport(locale);
-
- closeReport();
- }
-
/**
* @return CATEGORY_PROJECT_REPORTS
*/
@@ -387,7 +436,7 @@ public class RatReportMojo extends AbstractRatMojo
implements MavenMultiPageRepo
sink.paragraph_();
sink.paragraph();
- sink.verbatim(SinkEventAttributeSet.BOXED);
+ sink.verbatim(new SinkEventAttributeSet());
try {
ReportConfiguration config = getConfiguration();
config.setFrom(getDefaultsBuilder().build());
diff --git
a/apache-rat-plugin/src/test/java/org/apache/rat/mp/RatTestHelpers.java
b/apache-rat-plugin/src/test/java/org/apache/rat/mp/RatTestHelpers.java
index bb42d11e..cc8ba9d3 100644
--- a/apache-rat-plugin/src/test/java/org/apache/rat/mp/RatTestHelpers.java
+++ b/apache-rat-plugin/src/test/java/org/apache/rat/mp/RatTestHelpers.java
@@ -17,8 +17,8 @@ import org.apache.commons.io.FileUtils;
* contributor license agreements. See the NOTICE file distributed with
* this work for additional information regarding copyright ownership.
* The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
+ * (the "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
@@ -97,7 +97,7 @@ public final class RatTestHelpers {
}
} else if (pSource.isFile()) {
try (final FileInputStream fis = new FileInputStream(pSource);
- final FileOutputStream fos = new
FileOutputStream(pTarget)) {
+ final FileOutputStream fos = new FileOutputStream(pTarget)) {
final byte[] buffer = new byte[8192];
for (;;) {
int res = fis.read(buffer);
@@ -122,7 +122,8 @@ public final class RatTestHelpers {
* @throws Exception Creating the object failed.
*/
public static Renderer newSiteRenderer(PlexusContainer container) throws
Exception {
- return (Renderer) container.lookup(Renderer.ROLE, "default");
+ // Replaced deprecated ROLE-based lookup with type+hint lookup.
+ return container.lookup(Renderer.class, "default");
}
/**
@@ -205,4 +206,4 @@ public final class RatTestHelpers {
}
}
-}
+}
\ No newline at end of file
diff --git a/apache-rat-tools/src/main/resources/Maven.tpl
b/apache-rat-tools/src/main/resources/Maven.tpl
index 0d5d420e..13d9453e 100644
--- a/apache-rat-tools/src/main/resources/Maven.tpl
+++ b/apache-rat-tools/src/main/resources/Maven.tpl
@@ -20,7 +20,7 @@
${package}
import org.apache.commons.cli.Option;
-import org.apache.commons.lang.StringUtils;
+import org.apache.commons.lang3.StringUtils;
import org.apache.maven.plugin.AbstractMojo;
import org.apache.maven.plugins.annotations.Parameter;
import org.apache.rat.commandline.Arg;
diff --git a/src/site/markdown/development/ui/generator.md
b/src/site/markdown/development/ui/generator.md
index 195aa231..b08559b7 100644
--- a/src/site/markdown/development/ui/generator.md
+++ b/src/site/markdown/development/ui/generator.md
@@ -83,7 +83,7 @@ The `MavenGenerator` uses a template called "Maven.tpl" that
looks like:
${package}
import org.apache.commons.cli.Option;
-import org.apache.commons.lang.StringUtils;
+import org.apache.commons.lang3.StringUtils;
import org.apache.maven.plugin.AbstractMojo;
import org.apache.maven.plugins.annotations.Parameter;
import org.apache.rat.commandline.Arg;