This is an automated email from the ASF dual-hosted git repository. pottlinger pushed a commit to branch asf-site in repository https://gitbox.apache.org/repos/asf/creadur-site.git
commit b235660b403d10e9a9e5f8919acc176f7041e2b7 Author: P. Ottlinger <[email protected]> AuthorDate: Wed Mar 11 23:48:43 2026 +0100 RAT-530: Add new release notes --- release-notes/RELEASE-NOTES-018.txt | 134 ++++++++++++++++++++++++++++++++++++ 1 file changed, 134 insertions(+) diff --git a/release-notes/RELEASE-NOTES-018.txt b/release-notes/RELEASE-NOTES-018.txt new file mode 100644 index 000000000..0fe8c62ef --- /dev/null +++ b/release-notes/RELEASE-NOTES-018.txt 
@@ -0,0 +1,134 @@ + Apache Creadur RAT 0.18 + RELEASE NOTES + +The Apache Creadur RAT team is pleased to announce the release of Apache Creadur RAT 0.18 + +Apache RAT is a release audit tool. It improves accuracy and efficiency when checking +releases. It is heuristic in nature: making guesses about possible problems. It +will produce false positives and cannot find every possible issue with a release. +Its reports require interpretation. + +In response to demands from project quality tool developers, RAT is available as a +library suitable for inclusion in tools. This POM describes that library. +Note that binary compatibility is not guaranteed between 0.x releases. + +Apache RAT is developed by the Apache Creadur project, a language and build +agnostic home for software distribution comprehension and audit tools. + +=RELEASE 0.18 ABSTRACT= +This intermediate release addresses a severe performance issue encountered during RAT runs in version 0.17. +The issue has been resolved by reducing the sample size used for Tika charset detection +from 12,000 bytes to 256 bytes (thanks to Ryan Schmitt). + +In addition, the Java language level required to build RAT has been raised to 17. +However, we recommend using at least JDK 21 due to a Javadoc issue affecting certain JDK versions (tracked under RAT-497). +RAT now also uses UTF-8 as its default character set. + +These changes allowed us to adopt more modern language features, resolve numerous CVEs in dependent plugins and libraries, +and integrate with SonarCloud’s code analysis. + +This release also includes a range of bug fixes, minor improvements, and dependency updates. +Furthermore, RAT’s generated report is now produced in XHTML5, and excessive INFO-level logging in the Maven plugin has been reduced. + +Many thanks to all contributors and to our users for their valuable feedback. 
+ +Changes in this version include: + +New features: +o RAT-440: Upgrade to doxia 2.0.0 and generate XHTML5 reports during RAT runs (fixes multiple CVEs implicitly). + Thanks to guptas6est. +o RAT-475, RAT-533: Speedup tests and avoid garbage collection workaround by changing to CleanupMode.NONE in jUnit's TempDir usages. + Thanks to Ryan Schmitt. +o RAT-293: Add integration of RAT into SonarCloud analysis now that JDK8 is dropped + and generate a test coverage report with JaCoCo. +o RAT-478: Due to the switch to Java17 language level we use UTF-8 as default charset to process configuration + and exclusion configuration files within RAT. +o RAT-478: Switch to Java17 language level in Creadur RAT. Due to RAT-497 we cannot generate Javadocs/the site + with JDK17, thus use JDK21 to build the project. +o RAT-524: Fixes case-sensitive detection time of underlying file system and removed MAVEN StandardCollection + from default Maven processing to improve overall processing time. +o RAT-504: Provide a migration guide to specific RAT versions for downstream users. +o RAT-513: Introduce new standard exclusion collection for Gradle projects. Thanks to Robert Stupp. +o RAT-501: Changed '/.externalToolBuilders' to '/.externalToolBuilders/**' in the ECLIPSE standard exclusion list + and added '**/bin/**' to ignore generated binary folders in Eclipse IDE. Thanks to pottlinger. + +Fixed Bugs: +o RAT-533: Reduce sample size of charset detection from 12000 to 256 byte (Tika) to increase I/O performance of RAT scans. + Thanks to Ryan Schmitt. +o RAT-531: Fix NPE that license families is null if licenses are defined manually, reported by huangxiaoping from Hudi. + Thanks to huangxiaoping. +o RAT-512: Bugfix to mark PDF files as binary instead of standard files as they do not contain licenses. + Thanks to Niels Basjes. +o RAT-526: New version of maven-resources-plugin does not by default include hidden files, adapt our test setup accordingly. 
+o RAT-490: Update commons-lang3 to 3.20.0 to avoid deprecation warnings when building with JDK25 + (Use of the three-letter time zone ID 'ACT' is deprecated and it will be removed in a future release). + Thanks to Lenny Primark. +o RAT-497: Fix javadoc generation problem with JDK17 (javadoc:javadoc) by removing reference to method itself and + fix other javadoc errors in IXmlWriter, but combined javadoc/site build still fails with certain JDK versions. +o RAT-500: Do not throw an exception if no arguments are provided in CLI, encourage to use --help instead. +o RAT-507: Fix CopyrightMatcher parsing issues if input contains non-space or formatting characters. +o RAT-501: Fix pom configuration issues from migration to using RAT 0.17. + +Changes: +o RAT-498: Update assertj from 3.27.6 to 4.0.0-M1 and use bom for dependency management. +o RAT-498: Update plexus-utils from 3.5.1 to 3.6.0. +o RAT-498: Update exec-maven-plugin from 3.6.1 to 3.6.3. +o RAT-498: Update junit from 5.13.4 to 6.1.0-M1. +o RAT-498: Update mockito from 4.11.0 to 5.22.0 and use bom for dependency management. +o RAT-498: Update tika from 2.9.4 to 3.2.3 due to CVE-2025-66516. +o RAT-508: Removed excess INFO logging in Maven plugin. + Run with -X or use the verbose option in order to see output on debug level. + Thanks to Gary D. Gregory. +o RAT-498: Update Maven wrapper to v3.9.13. +o RAT-498: Update org.codehaus.plexus:plexus-testing from 1.6.0 to 2.1.0. Thanks to dependabot. +o RAT-498: Update maven-antrun-plugin from 3.1.0 to 3.2.0. Thanks to dependabot. +o RAT-498: Update actions/upload-artifact from 4 to 7. Thanks to dependabot. +o RAT-498: Update maven-plugin-annotations, maven-plugin-plugin and maven-plugin-report-plugin from 3.15.1 to 3.15.2. Thanks to dependabot. +o RAT-498: Update plugin-testing-harness from 3.3.0 to 3.5.1. Thanks to dependabot. +o RAT-498: Update develocity-maven-extension from 2.2 to 2.3.4. Thanks to dependabot. +o RAT-498: Update commons-io from 2.20.0 to 2.21.0. 
Thanks to dependabot. +o RAT-498: Update actions/checkout from 5 to 6. Thanks to dependabot. +o RAT-498: Update taglist-maven-plugin from 3.2.1 to 3.2.2. Thanks to dependabot. +o RAT-498: Update maven-resources-plugin from 3.3.1 to 3.5.0. Thanks to dependabot. +o RAT-498: Update commons-text from 1.14.0 to 1.15.0. Thanks to dependabot. +o RAT-498: Update actions/cache from 4 to 5. Thanks to dependabot. +o RAT-498: Update ASF parent pom org.apache:apache from 35 to 37 and minimum required Maven version set to 3.9. Thanks to dependabot. +o RAT-498: Update animal-sniffer-plugin from 1.26 to 1.27. Thanks to dependabot. +o RAT-498: Update maven-compiler-plugin from 3.14.1 to 3.15.0. Thanks to dependabot. +o RAT-498: Update maven-dependency-plugin from 3.9.0 to 3.10.0. Thanks to dependabot. +o RAT-498: Update maven-surefire-plugin from 3.5.4 to 3.5.5. Thanks to dependabot. +o RAT-498: Update maven-failsafe-plugin from 3.5.4 to 3.5.5. Thanks to dependabot. + +Historical list of changes: https://creadur.apache.org/rat/changes.html + +For complete information on Apache Creadur RAT, including instructions on how to submit bug reports, +patches, or suggestions for improvement, see the Apache Apache Creadur RAT website: + +https://creadur.apache.org/rat/ + +Historical list of changes: https://creadur.apache.org/rat/changes.html + +Known issues: https://creadur.apache.org/rat/apache-rat/known_issues.html + +Migration guide: https://creadur.apache.org/rat/apache-rat/migration-guide.html + +=WEBPAGE= +For complete information on Apache Creadur RAT, including instructions on how to submit bug reports, +patches, or suggestions for improvement, see the Apache Creadur RAT website: + +https://creadur.apache.org/rat/ + +=DOWNLOAD= +Direct download (source, binary and signature files) can be found here: +https://creadur.apache.org/rat/download_rat.cgi + +=VERIFICATION= +The KEYS file https://downloads.apache.org/creadur/KEYS links to the code signing keys used to sign the product: 
+https://creadur.apache.org/rat/download_rat.cgi + +The PGP link downloads the OpenPGP compatible signature. +The SHA512 links download the checksum. + +Enjoy and thanks for your patience! + +-The Apache Creadur team
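Review bot: The =VERIFICATION= section at the end of the new file says the KEYS file "links to the code signing keys used to sign the product:" and then repeats the download page URL (https://creadur.apache.org/rat/download_rat.cgi) already given under =DOWNLOAD=, so the colon introduces nothing about keys and the reader is not told where the PGP and SHA512 links live. Suggest ending the KEYS sentence with a period and introducing the download URL on its own line as the page that carries the PGP and SHA512 links. In the same footer region, "Historical list of changes: https://creadur.apache.org/rat/changes.html" appears twice, and the "For complete information on Apache Creadur RAT" paragraph appears both before =WEBPAGE= (there with "Apache Apache Creadur RAT website") and under it; keep one copy of each. In the change lists, the tika entry under RAT-498 names CVE-2025-66516 while the abstract only says "numerous CVEs", and the same ticket moves assertj to 4.0.0-M1 and junit to 6.1.0-M1, whose -M1 suffix indicates milestone builds; consider naming the CVE in the abstract and stating whether the milestone versions are intended for this release. RAT-478 is also listed twice under "New features", and RAT-533 and RAT-501 each appear under both "New features" and "Fixed Bugs"; merging the repeated entries would make the list easier to audit.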
