Hi! As this PR was rather old and was not rebased correctly after the release of RAT 0.17, it misses some features that were already on master,
e.g. the cleanup in pom.xml. Apart from that, the PR lacks any tests, and personally I'd prefer to fail the build if no skin was configured instead of "defaulting" to hard-coded dependencies. Therefore I started some discussions that were left open on the GitHub PR.
Cheers, Phil Am 18.11.25 um 18:07 schrieb [email protected]:
This is an automated email from the ASF dual-hosted git repository. claude pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/creadur-rat.git The following commit(s) were added to refs/heads/master by this push: new 9aa438a2 RAT-440: Upgrade Doxia to 2.0.0 to fix CVEs: CVE-2025-48924, CVE-2020-10683, CVE-2018-1000632, CVE-2020-13936 and CVE-2020-13959 (#553) 9aa438a2 is described below commit 9aa438a22fc1a74f01387873316fce1fab36dd46 Author: guptas6est <[email protected]> AuthorDate: Tue Nov 18 17:07:54 2025 +0000 RAT-440: Upgrade Doxia to 2.0.0 to fix CVEs: CVE-2025-48924, CVE-2020-10683, CVE-2018-1000632, CVE-2020-13936 and CVE-2020-13959 (#553)* Upgrade Doxia to 2.0.0 to fix CVEs: CVE-2025-48924, CVE-2020-10683, CVE-2018-1000632, CVE-2020-13936 and CVE-2020-13959 * RAT-440: Upgrade Doxia to 2.0.0 to fix CVEs: CVE-2025-48924, CVE-2020-10683, CVE-2018-1000632, CVE-2020-13936 and CVE-2020-13959--- apache-rat-plugin/pom.xml | 59 ++++++-- .../main/java/org/apache/rat/mp/RatReportMojo.java | 159 ++++++++++++++------- .../java/org/apache/rat/mp/RatTestHelpers.java | 11 +- apache-rat-tools/src/main/resources/Maven.tpl | 2 +- src/site/markdown/development/ui/generator.md | 2 +- 5 files changed, 162 insertions(+), 71 deletions(-) diff --git a/apache-rat-plugin/pom.xml b/apache-rat-plugin/pom.xml index 310ca7e7..d047c435 100644 --- a/apache-rat-plugin/pom.xml +++ b/apache-rat-plugin/pom.xml 
@@ -26,15 +26,14 @@ <packaging>maven-plugin</packaging> <name>Apache Creadur RAT::Plugin4Maven</name> <description>A plugin for Apache Maven that runs Apache RAT - to audit the source to be distributed.</description> + to audit the source to be distributed.</description> <inceptionYear>2007</inceptionYear> <prerequisites> <maven>${mavenMinVersion}</maven> </prerequisites> <properties> <currentVersion>${project.version}</currentVersion> - <doxiaVersion>1.12.0</doxiaVersion> - <doxiaSitetoolsVersion>1.11.1</doxiaSitetoolsVersion> + <doxiaVersion>2.0.0</doxiaVersion> </properties> <build> <resources> @@ -376,12 +375,12 @@ </dependency> <dependency> <groupId>org.apache.maven.doxia</groupId> - <artifactId>doxia-decoration-model</artifactId> - <version>${doxiaSitetoolsVersion}</version> + <artifactId>doxia-site-model</artifactId> + <version>${doxiaVersion}</version> </dependency> <dependency> <groupId>org.apache.maven.doxia</groupId> - <artifactId>doxia-module-xhtml</artifactId> + <artifactId>doxia-module-xhtml5</artifactId> <version>${doxiaVersion}</version> </dependency> <dependency> @@ -392,7 +391,7 @@ <dependency> <groupId>org.apache.maven.doxia</groupId> <artifactId>doxia-integration-tools</artifactId> - <version>${doxiaSitetoolsVersion}</version> + <version>${doxiaVersion}</version> <exclusions> <exclusion> <groupId>org.codehaus.plexus</groupId> @@ -403,7 +402,7 @@ <dependency> <groupId>org.apache.maven.doxia</groupId> <artifactId>doxia-site-renderer</artifactId> - <version>${doxiaSitetoolsVersion}</version> + <version>${doxiaVersion}</version> <exclusions> <exclusion> <groupId>org.codehaus.plexus</groupId> @@ -414,7 +413,7 @@ <dependency> <groupId>org.apache.maven.reporting</groupId> <artifactId>maven-reporting-api</artifactId> - <version>3.1.1</version> + <version>4.0.0</version> </dependency> <dependency> <groupId>org.apache.maven.shared</groupId> 
@@ -471,4 +470,46 @@ </plugin> </plugins> </reporting> + <developers> + <developer> + <id>jochen</id> + <name>Jochen Wiedmann</name> + <email>[email protected]</email> + </developer> + </developers> + <contributors> + <contributor> + <name>Bernd Bohmann</name> + <email>[email protected]</email> + </contributor> + <contributor> + <name>Lars Trieloff</name> + <email>[email protected]</email> + </contributor> + <contributor> + <name>Jukka Zitting</name> + <email>[email protected]</email> + </contributor> + </contributors> + <!-- + <profiles> + <profile> + <id>apache-release</id> + <build> + <plugins> + <plugin> + <artifactId>maven-docck-plugin</artifactId> + <executions> + <execution> + <goals> + <goal>check</goal> + </goals> + </execution> + </executions> + </plugin> + </plugins> + </build> + </profile> + </profiles> +--> </project> diff --git a/apache-rat-plugin/src/main/java/org/apache/rat/mp/RatReportMojo.java b/apache-rat-plugin/src/main/java/org/apache/rat/mp/RatReportMojo.java index 2f883d6e..900d78f2 100644 --- a/apache-rat-plugin/src/main/java/org/apache/rat/mp/RatReportMojo.java +++ b/apache-rat-plugin/src/main/java/org/apache/rat/mp/RatReportMojo.java 
@@ -32,14 +32,13 @@ import java.util.Map; import java.util.ResourceBundle;import org.apache.maven.artifact.Artifact;-import org.apache.maven.artifact.repository.ArtifactRepository; import org.apache.maven.doxia.sink.Sink; import org.apache.maven.doxia.sink.SinkFactory; import org.apache.maven.doxia.sink.impl.SinkEventAttributeSet; -import org.apache.maven.doxia.site.decoration.DecorationModel; +import org.apache.maven.doxia.site.SiteModel; +import org.apache.maven.doxia.siterenderer.DocumentRenderingContext; import org.apache.maven.doxia.siterenderer.Renderer; import org.apache.maven.doxia.siterenderer.RendererException; -import org.apache.maven.doxia.siterenderer.RenderingContext; import org.apache.maven.doxia.siterenderer.SiteRenderingContext; import org.apache.maven.doxia.siterenderer.sink.SiteRendererSink; import org.apache.maven.doxia.tools.SiteTool; @@ -57,6 +56,8 @@ import org.apache.rat.Reporter; import org.apache.rat.VersionInfo; import org.apache.rat.license.LicenseSetFactory.LicenseFilter; import org.codehaus.plexus.util.ReaderFactory; +import org.eclipse.aether.repository.ArtifactRepository; +import org.eclipse.aether.repository.RemoteRepository;import static org.apache.maven.shared.utils.logging.MessageUtils.buffer; @@ -95,9 +96,18 @@ public class RatReportMojo extends AbstractRatMojo implements MavenMultiPageRepo /*** Remote repositories used for the project. + * + * @deprecated replaced by {@link #remoteRepositories} */ @Parameter(defaultValue = "${project.remoteArtifactRepositories}", readonly = true, required = true) - protected List<ArtifactRepository> remoteRepositories; + @Deprecated + protected List<ArtifactRepository> remoteArtifactRepositories; + + /** + * Remote repositories used for the project. + */ + @Parameter(defaultValue = "${project.remoteProjectRepositories}", readonly = true, required = true) + protected List<RemoteRepository> remoteRepositories;/*** SiteTool. 
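Review bot: The deprecated field `remoteArtifactRepositories` is still declared as `List<ArtifactRepository>`, but the import hunks above swap `org.apache.maven.artifact.repository.ArtifactRepository` for `org.eclipse.aether.repository.ArtifactRepository`, so its element type changes while its expression stays `${project.remoteArtifactRepositories}`. If that expression still yields Maven's legacy repository objects, the declared generic type is wrong and erasure hides it until an element is actually read. Spell the legacy type out, `protected List<org.apache.maven.artifact.repository.ArtifactRepository> remoteArtifactRepositories;`, or remove the field if nothing reads it. The name `remoteRepositories` is also kept on a protected field with a new element type, which any subclass reading it will notice, and both fields carry the same Javadoc sentence; the new one could say `Resolver-API view of the project's remote repositories, used to resolve the site skin.`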
@@ -152,9 +162,9 @@ public class RatReportMojo extends AbstractRatMojo implements MavenMultiPageRepo getSiteRenderer().copyResources(siteContext, outputDirectory);// TODO Replace null with real value- RenderingContext docRenderingContext = new RenderingContext(outputDirectory, filename, null); - - SiteRendererSink sink = new SiteRendererSink(docRenderingContext); + DocumentRenderingContext docContext = + new DocumentRenderingContext(outputDirectory, filename, "xhtml5"); + SiteRendererSink sink = new SiteRendererSink(docContext);generate(sink, null, locale); 
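Review bot: The context comment `// TODO Replace null with real value` now sits directly above a `DocumentRenderingContext` whose third argument is `"xhtml5"`, not `null`, so it is stale. Delete it or replace it with a comment stating what the third argument denotes. The same literal is passed again in `generateReportManually` later in this commit, so one constant, `private static final String XHTML5 = "xhtml5";`, would keep the two call sites in step. The enclosing method starts and ends outside the hunk.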
@@ -163,12 +173,13 @@ public class RatReportMojo extends AbstractRatMojo implements MavenMultiPageRepoif (!outputDirectory.exists() && !outputDirectory.mkdirs()) { getLog().error("Unable to create output directory: " + outputDirectory); } - try (Writer writer = new OutputStreamWriter( - Files.newOutputStream(new File(outputDirectory, filename).toPath()), getOutputEncoding())) { + Files.newOutputStream(new File(outputDirectory, filename).toPath()), + getOutputEncoding())) { // render report getSiteRenderer().mergeDocumentIntoSite(writer, sink, siteContext); } + }// copy generated resources also@@ -179,53 +190,117 @@ public class RatReportMojo extends AbstractRatMojo implements MavenMultiPageRepo } }- private SiteRenderingContext createSiteRenderingContext(final Locale locale) throws MavenReportException, IOException {- DecorationModel decorationModel = new DecorationModel(); + private SiteRenderingContext createSiteRenderingContext(final Locale locale) + throws MavenReportException, IOException { + SiteModel siteModel = new SiteModel();Map<String, Object> templateProperties = new HashMap<>();- // We tell the skin that we are rendering in standalone mode templateProperties.put("standalone", Boolean.TRUE); templateProperties.put("project", getProject()); templateProperties.put("inputEncoding", getInputEncoding()); templateProperties.put("outputEncoding", getOutputEncoding()); - // Put any of the properties in directly into the Velocity context for (Map.Entry<Object, Object> entry : getProject().getProperties().entrySet()) { templateProperties.put((String) entry.getKey(), entry.getValue()); }- SiteRenderingContext context;+ org.apache.maven.doxia.site.Skin siteSkin = siteModel.getSkin(); + + if (siteSkin == null || siteSkin.getGroupId() == null + || siteSkin.getArtifactId() == null || siteSkin.getVersion() == null) { + getLog().debug("No skin configuration found in site.xml. 
Using default Maven skin configuration."); + + // Create a minimal default skin configuration + siteSkin = new org.apache.maven.doxia.site.Skin(); + siteSkin.setGroupId("org.apache.maven.skins"); + siteSkin.setArtifactId("maven-fluido-skin"); + } + try { - Artifact skinArtifact = siteTool.getSkinArtifactFromRepository(session.getLocalRepository(), - remoteRepositories, decorationModel); + Artifact skinArtifact = siteTool.getSkinArtifactFromRepository( + session.getRepositorySession(), + remoteRepositories, + siteSkin + );getLog().debug(buffer().a("Rendering content with ").strong(skinArtifact.getId() + " skin").a('.').build()); - context = siteRenderer.createContextForSkin(skinArtifact, templateProperties, decorationModel,- project.getName(), locale); + SiteRenderingContext context = siteRenderer.createContextForSkin( + skinArtifact, + templateProperties, + siteModel, + project.getName(), + locale + ); + context.setRootDirectory(project.getBasedir()); + return context; + } catch (SiteToolException e) { throw new MavenReportException("Failed to retrieve skin artifact", e); } catch (RendererException e) { throw new MavenReportException("Failed to create context for skin", e); } - - // Generate static site - context.setRootDirectory(project.getBasedir()); - - return context; }/**- * Generate a report. + * This method is called when the report generation is invoked by + * maven-site-plugin. * * @param sink the sink to use for the generation. + * @param sinkFactory the sink factory to use for the generation. * @param locale the wanted locale to generate the report, could be null. * @throws MavenReportException if any - * @deprecated use {@link #generate(Sink, SinkFactory, Locale)} instead. 
*/ - @Deprecated @Override - public void generate(final org.codehaus.doxia.sink.Sink sink, final Locale locale) throws MavenReportException { - generate(sink, null, locale); + public void generate(final Sink sink, final SinkFactory sinkFactory, final Locale locale) throws MavenReportException { + if (!canGenerateReport()) { + // This report cannot be generated as part of the current build. + getLog().info("This report cannot be generated as part of the current build. " + + "The report name should be referenced in this line of output."); + } else { + this.sink = sink; + this.sinkFactory = sinkFactory; + + if (!(sink instanceof SiteRendererSink)) { + + generateReportManually(locale); + } else { + executeReport(locale); + } + + closeReport(); + } + } + + private void generateReportManually(final Locale locale) throws MavenReportException { + try { + File outputDir = new File(getOutputDirectory()); + String filename = getOutputName() + ".html"; + + SiteRenderingContext siteContext = createSiteRenderingContext(locale); + + if (!outputDir.exists() && !outputDir.mkdirs()) { + getLog().error("Unable to create output directory: " + outputDir); + } + + DocumentRenderingContext docContext = + new DocumentRenderingContext(outputDir, filename, "xhtml5"); + + SiteRendererSink sink = new SiteRendererSink(docContext); + + this.sink = sink; + this.sinkFactory = null; + + executeReport(locale); + + try (Writer writer = new OutputStreamWriter( + Files.newOutputStream(new File(outputDir, filename).toPath()), + getOutputEncoding())) { + getSiteRenderer().mergeDocumentIntoSite(writer, sink, siteContext); + } + + } catch (IOException | RendererException e) { + throw new MavenReportException("Failed to render RAT report manually", e); + } }/**@@ -241,32 +316,6 @@ public class RatReportMojo extends AbstractRatMojo implements MavenMultiPageRepo generate(sink, null, locale); }- /**- * This method is called when the report generation is invoked by - * maven-site-plugin. 
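Review bot: The fallback skin in `createSiteRenderingContext` is built with `setGroupId` and `setArtifactId` only, although the guard just above treats a null `getVersion()` as an incomplete skin, so the replacement fails the very test it was created to satisfy. What `getSkinArtifactFromRepository` does with a version-less skin is not visible here. If it resolves a floating version from `remoteRepositories`, report generation pulls an unpinned artifact at build time, which is not reproducible and sits badly in a commit meant to remove known-vulnerable dependencies. Pin it with `siteSkin.setVersion(DEFAULT_SKIN_VERSION);`, where the constant (a placeholder name) holds a reviewed release. Because `siteModel` comes from `new SiteModel()` and nothing visible populates it, this branch appears to run on every invocation, and the debug text about site.xml does not match what the code reads.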
- * - * @param sink the sink to use for the generation. - * @param sinkFactory the sink factory to use for the generation. - * @param locale the wanted locale to generate the report, could be null. - * @throws MavenReportException if any - */ - @Override - public void generate(final Sink sink, final SinkFactory sinkFactory, final Locale locale) throws MavenReportException { - if (!canGenerateReport()) { - getLog().info("This report cannot be generated as part of the current build. " - + "The report name should be referenced in this line of output."); - return; - } - - this.sink = sink; - - this.sinkFactory = sinkFactory; - - executeReport(locale); - - closeReport(); - } - /** * @return CATEGORY_PROJECT_REPORTS */ @@ -387,7 +436,7 @@ public class RatReportMojo extends AbstractRatMojo implements MavenMultiPageRepo sink.paragraph_();sink.paragraph();- sink.verbatim(SinkEventAttributeSet.BOXED); + sink.verbatim(new SinkEventAttributeSet()); try { ReportConfiguration config = getConfiguration(); config.setFrom(getDefaultsBuilder().build()); diff --git a/apache-rat-plugin/src/test/java/org/apache/rat/mp/RatTestHelpers.java b/apache-rat-plugin/src/test/java/org/apache/rat/mp/RatTestHelpers.java index bb42d11e..cc8ba9d3 100644 --- a/apache-rat-plugin/src/test/java/org/apache/rat/mp/RatTestHelpers.java +++ b/apache-rat-plugin/src/test/java/org/apache/rat/mp/RatTestHelpers.java @@ -17,8 +17,8 @@ import org.apache.commons.io.FileUtils; * contributor license agreements. See the NOTICE file distributed with * this work for additional information regarding copyright ownership. * The ASF licenses this file to You under the Apache License, Version 2.0 - * (the "License"); you may not use this file except in compliance with - * the License. You may obtain a copy of the License at + * (the "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * 
@@ -97,7 +97,7 @@ public final class RatTestHelpers { } } else if (pSource.isFile()) { try (final FileInputStream fis = new FileInputStream(pSource); - final FileOutputStream fos = new FileOutputStream(pTarget)) { + final FileOutputStream fos = new FileOutputStream(pTarget)) { final byte[] buffer = new byte[8192]; for (;;) { int res = fis.read(buffer); @@ -122,7 +122,8 @@ public final class RatTestHelpers { * @throws Exception Creating the object failed. */ public static Renderer newSiteRenderer(PlexusContainer container) throws Exception { - return (Renderer) container.lookup(Renderer.ROLE, "default"); + // Replaced deprecated ROLE-based lookup with type+hint lookup. + return container.lookup(Renderer.class, "default"); }/**@@ -205,4 +206,4 @@ public final class RatTestHelpers { } }-}+} \ No newline at end of file diff --git a/apache-rat-tools/src/main/resources/Maven.tpl b/apache-rat-tools/src/main/resources/Maven.tpl index 0d5d420e..13d9453e 100644 --- a/apache-rat-tools/src/main/resources/Maven.tpl +++ b/apache-rat-tools/src/main/resources/Maven.tpl @@ -20,7 +20,7 @@ ${package}import org.apache.commons.cli.Option;-import org.apache.commons.lang.StringUtils; +import org.apache.commons.lang3.StringUtils; import org.apache.maven.plugin.AbstractMojo; import org.apache.maven.plugins.annotations.Parameter; import org.apache.rat.commandline.Arg; diff --git a/src/site/markdown/development/ui/generator.md b/src/site/markdown/development/ui/generator.md index 195aa231..b08559b7 100644 --- a/src/site/markdown/development/ui/generator.md +++ b/src/site/markdown/development/ui/generator.md @@ -83,7 +83,7 @@ The `MavenGenerator` uses a template called "Maven.tpl" that looks like: ${package}import org.apache.commons.cli.Option;-import org.apache.commons.lang.StringUtils; +import org.apache.commons.lang3.StringUtils; import org.apache.maven.plugin.AbstractMojo; import org.apache.maven.plugins.annotations.Parameter; import org.apache.rat.commandline.Arg;
