Thanks, Stefan. Meanwhile, SpotBugs is reactivated in the nighlies now. I noticed, however, that execution order is important: if SpotBugs runs before Checkstyle, the latter bails out because of ANTLR.
Gintas 2018-06-08 20:42 GMT+02:00 Stefan Bodewig <bode...@apache.org>: > On 2018-06-08, Gintautas Grigelionis wrote: > > > Then I was surprised that Dependency Check indicates that the latest > > XZ 1.8 has a vulnerability: should we ask them to investigate? > > That's a false positive. > > https://www.cvedetails.com/cve/CVE-2015-4035/ applies to the command > line tooling and is not related to XZ for Java at all. > > Stefan > > --------------------------------------------------------------------- > To unsubscribe, e-mail: dev-unsubscr...@ant.apache.org > For additional commands, e-mail: dev-h...@ant.apache.org > >