This is an automated email from the ASF dual-hosted git repository.
gk pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/turbine-parent.git
The following commit(s) were added to refs/heads/master by this push:
new 29f98cd fix configuration params, update plugins:
log4j2,jacoco,dependency-check (owasp),spotbugs,javadoc,pmd,project-info. Add
maven enforcer and set minimum maven version to 3.3.9 (required for spotbug).
Add checksum plugin to generate sha512for assembly artefacts excluding main
artifact
29f98cd is described below
commit 29f98cd51ad3739cc8322d2660de25c11d690915
Author: Georg Kallidis <[email protected]>
AuthorDate: Tue Jan 4 10:56:06 2022 +0100
fix configuration params, update plugins: log4j2,jacoco,dependency-check
(owasp),spotbugs,javadoc,pmd,project-info. Add maven enforcer and set minimum
maven version to 3.3.9 (required for spotbugs). Add checksum plugin to generate
sha512 for assembly artefacts excluding main artifact
---
README.md | 5 ++++
pom.xml | 76 ++++++++++++++++++++++++++++++++++---------------
src/changes/changes.xml | 10 +++++--
3 files changed, 66 insertions(+), 25 deletions(-)
diff --git a/README.md b/README.md
index 78209d8..3222fe0 100644
--- a/README.md
+++ b/README.md
@@ -13,6 +13,11 @@ This is the parent for Turbine-Core, Site and most of
Fulcrum components and inh
- Check turbine-parent-assembly module dependency, which overwrites Apache
module (still needed in 2017)
+- Check versions with Maven Versions Plugin:
+
+ - mvn versions:display-plugin-updates
+ - mvn versions:display-property-updates
+
## RELEASE
- Normally, this module (and turbine-parent-assembly) could be released lazily
(add [LAZY][VOTE] in release voting phase).
diff --git a/pom.xml b/pom.xml
index 81d4139..3bffdc5 100644
--- a/pom.xml
+++ b/pom.xml
@@ -103,7 +103,7 @@
<quiet>true</quiet>
<source>8</source>
<encoding>${turbine.encoding}</encoding>
- <docEncoding>${turbine.docEncoding}</docEncoding>
+ <docencoding>${turbine.docEncoding}</docencoding>
<notimestamp>true</notimestamp>
<links>
<link>${turbine.javadoc.java.link}</link>
@@ -185,6 +185,26 @@
</execution>
</executions>
</plugin>
+ <plugin>
+ <groupId>org.apache.maven.plugins</groupId>
+ <artifactId>maven-enforcer-plugin</artifactId>
+ <version>3.0.0</version>
+ <executions>
+ <execution>
+ <id>enforce-maven</id>
+ <goals>
+ <goal>enforce</goal>
+ </goals>
+ <configuration>
+ <rules>
+ <requireMavenVersion>
+ <version>3.3.9</version>
+ </requireMavenVersion>
+ </rules>
+ </configuration>
+ </execution>
+ </executions>
+ </plugin>
</plugins>
</pluginManagement>
<plugins>
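Review bot: The new `enforce-maven` execution sits inside `<pluginManagement>` (its closing tag follows right after the added block), so it only takes effect in modules that also list maven-enforcer-plugin under `<build><plugins>`. That declaration is not visible in this hunk and may come from the inherited Apache parent. If the minimum-version check is meant to hold for every child build, confirm it with `mvn help:effective-pom`, or add the plugin's groupId/artifactId to the `<plugins>` section that opens on the last context line. A short comment above `<requireMavenVersion>`, such as `<!-- Maven 3.3.9+ is needed by spotbugs-maven-plugin; fail early on older Maven -->`, would record why the floor exists.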
@@ -298,7 +318,7 @@
<quiet>true</quiet>
<source>${maven.compiler.source}</source>
<encoding>${turbine.encoding}</encoding>
- <docEncoding>${turbine.docEncoding}</docEncoding>
+ <docencoding>${turbine.docEncoding}</docencoding>
<notimestamp>true</notimestamp>
<linksource>true</linksource>
<links>
@@ -316,7 +336,7 @@
<!-- generate the PMD reports -->
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-pmd-plugin</artifactId>
- <version>3.14.0</version>
+ <version>3.15.0</version>
<configuration>
<minimumTokens>200</minimumTokens>
<!--linkXref>true</linkXref -->
@@ -338,7 +358,6 @@
<version>${turbine.project-info.version}</version>
<configuration>
<dependencyDetailsEnabled>false</dependencyDetailsEnabled>
- <dependencyLocationsEnabled>false</dependencyLocationsEnabled>
</configuration>
</plugin>
<plugin>
@@ -412,10 +431,28 @@
<plugin>
<artifactId>maven-install-plugin</artifactId>
<configuration>
- <createChecksum>true</createChecksum>
</configuration>
</plugin>
<plugin>
+ <groupId>net.nicoulaj.maven.plugins</groupId>
+ <artifactId>checksum-maven-plugin</artifactId>
+ <version>1.11</version>
+ <configuration>
+ <algorithms>
+ <algorithm>SHA-512</algorithm>
+ </algorithms>
+ <!-- generate only sha for binaries and source zip/tar files
from assembly -->
+ <excludeMainArtifact>true</excludeMainArtifact>
+ </configuration>
+ <executions>
+ <execution>
+ <goals>
+ <goal>artifacts</goal>
+ </goals>
+ </execution>
+ </executions>
+ </plugin>
+ <plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-assembly-plugin</artifactId>
<dependencies>
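Review bot: The `artifacts` execution of checksum-maven-plugin has no `<id>` and no `<phase>`, and the plugin is declared before maven-assembly-plugin, so it relies on the goal's default binding (verify, as far as I know) running after the assembly execution. If a child or profile binds both to the same phase, POM order could compute the checksums before the zip/tar files exist and leave them out without failing the build. Adding `<id>assembly-sha512</id>` (a constructed name) and `<phase>verify</phase>` to the execution makes the ordering explicit, and the now-empty `<configuration>` left on maven-install-plugin can be dropped. Because the .sha512 files come from the same build as the archives, they detect corruption in transfer only, and release authenticity still rests on the detached signatures; the comment above `<excludeMainArtifact>` is a good place to say so. The enclosing `<plugins>` block continues outside the hunk.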
@@ -446,7 +483,7 @@
<descriptorRef>binaries-default</descriptorRef>
<descriptorRef>source-default</descriptorRef>
</descriptorRefs>
- <tarLongFileFormat>gnu</tarLongFileFormat>
+ <tarLongFileMode>gnu</tarLongFileMode>
</configuration>
</execution>
</executions>
@@ -480,7 +517,7 @@
<plugin>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-maven</artifactId>
- <!-- - find all configuration parameters here:
https://jeremylong.github.io/DependencyCheck/dependency-check-maven/.
+ <!-- Find all configuration parameters here:
https://jeremylong.github.io/DependencyCheck/dependency-check-maven/.
- if process hangs up, check or remove all files including
odc.mv.db in maven
repo in folder org/owasp/dependency-check-data/4.0/, if
mvn version > 3.3.
For older version try to check v3.2.1 or 3.1.2 -->
@@ -495,8 +532,6 @@
<skip>${dependency.check.skip}</skip>
<!--autoUpdate>false</autoUpdate -->
</configuration>
- <dependencies>
- </dependencies>
</plugin>
</plugins>
</build>
@@ -531,8 +566,7 @@
<jdk>[8,)</jdk>
</activation>
<properties>
- <doclint>none</doclint><!-- since javadoc v.3 this is required instead
- of -Xdoclint:none -->
+ <doclint>none</doclint><!-- since javadoc v.3 this is required instead
of -Xdoclint:none -->
</properties>
</profile>
<profile>
@@ -547,16 +581,11 @@
</properties>
<reporting>
<plugins>
- <plugin>
+ <plugin>
<groupId>com.github.spotbugs</groupId>
<artifactId>spotbugs-maven-plugin</artifactId>
- <version>4.2.0</version>
+ <version>4.5.2.0</version>
<configuration>
- <dependency>
- <groupId>com.github.spotbugs</groupId>
- <artifactId>spotbugs</artifactId>
- <version>4.2.3</version>
- </dependency>
</configuration>
</plugin>
</plugins>
@@ -602,18 +631,18 @@
<turbine.compiler.version>3.8.1</turbine.compiler.version>
<turbine.surefire.version>3.0.0-M5</turbine.surefire.version>
<turbine.surefire-report.version>3.0.0-M5</turbine.surefire-report.version>
- <turbine.javadoc.version>3.2.0</turbine.javadoc.version>
+ <turbine.javadoc.version>3.3.1</turbine.javadoc.version>
<turbine.rat.version>0.13</turbine.rat.version>
<turbine.changes.version>2.12.1</turbine.changes.version>
<turbine.jxr.version>3.1.1</turbine.jxr.version>
- <turbine.project-info.version>3.0.0</turbine.project-info.version>
+ <turbine.project-info.version>3.1.2</turbine.project-info.version>
<!-- unused :
turbine.wagon-ssh.version>3.4.3</turbine.wagon-ssh.version as in
apache pom : turbine.site.version>3.9.1</turbine.site.version -->
<turbine.findbugs.version>3.0.5</turbine.findbugs.version>
- <turbine.jacoco.version>0.8.6</turbine.jacoco.version>
- <turbine.dependency.check.version>6.1.2</turbine.dependency.check.version>
+ <turbine.jacoco.version>0.8.7</turbine.jacoco.version>
+ <turbine.dependency.check.version>6.5.1</turbine.dependency.check.version>
<!-- may replace local settings -->
- <turbine.log4j2.version>2.16.0</turbine.log4j2.version>
+ <turbine.log4j2.version>2.17.1</turbine.log4j2.version>
<jacoco.skip>false</jacoco.skip>
<cobertura.skip>true</cobertura.skip>
<!-- disable by default, added profile owasp, which enables it -->
@@ -638,6 +667,7 @@
<!-- build meta inf -->
<maven.build.timestamp.format>yyyy-MM-dd
HH:mm:ssZ</maven.build.timestamp.format>
+ <!-- requires build plugin -->
<implementation.build>${scmBranch}@r${buildNumber};${maven.build.timestamp}</implementation.build>
<!-- scm publish plugin configuration -->
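Review bot: The added comment `<!-- requires build plugin -->` does not say which plugin, and `${scmBranch}` / `${buildNumber}` would presumably stay unexpanded in `implementation.build` when nothing sets them. Naming the provider would help, for example `<!-- scmBranch and buildNumber are set by buildnumber-maven-plugin; without it they stay unexpanded -->`. That assumes buildnumber-maven-plugin is the one meant, since its declaration is not visible in this hunk.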
diff --git a/src/changes/changes.xml b/src/changes/changes.xml
index a23ed59..6a2c944 100644
--- a/src/changes/changes.xml
+++ b/src/changes/changes.xml
@@ -24,12 +24,18 @@
</properties>
<body>
- <release version="10" date="in version control">
+ <release version="10" date="in version control">
+ <action dev="gk" type="fix" date="2022-01-103">
+ - Security patch CVE-2021-44832, CVE-2021-45105: update log4j2 to
2.17.1
+ </action>
+ <action dev="gk" type="fix" date="2021-12-15">
+ - Security patch CVE-2021-44228, CVE-2021-45046: update log4j2 to
2.16.0
+ </action>
<action dev="gk" type="update" date="2021-12-13">
- activate dependency check/scan in profile apache-release only.
</action>
<action dev="gk" type="update" date="2021-12-13">
- - site with github banner
+ - site with github banner and maven-fluido-skin 1.9
</action>
<action dev="gk" type="fix" date="2021-12-11">
- Security patch CVE-2021-44228, update log4j2 to 2.15.0