Re: Tooling update
Nightlies are publishing Checkstyle, SpotBugs and Simian now. AFAICS there's no plugin for Rat :-( Next, I'm thinking of publishing JaCoCo in Matrix builds. And, perhaps, adding build status icons to [1] (what is the status of plans to move the website to Git?)

Gintas

[1] https://ant.apache.org/nightlies.html

2018-06-09 9:08 GMT+02:00 Gintautas Grigelionis:
> Thanks, Stefan. Meanwhile, SpotBugs is reactivated in the nightlies now.
> I noticed, however, that execution order is important: if SpotBugs runs
> before Checkstyle, the latter bails out because of ANTLR.
>
> Gintas
>
> 2018-06-08 20:42 GMT+02:00 Stefan Bodewig:
>
>> On 2018-06-08, Gintautas Grigelionis wrote:
>>
>> > Then I was surprised that Dependency Check indicates that the latest
>> > XZ 1.8 has a vulnerability: should we ask them to investigate?
>>
>> That's a false positive.
>>
>> https://www.cvedetails.com/cve/CVE-2015-4035/ applies to the command
>> line tooling and is not related to XZ for Java at all.
>>
>> Stefan
Re: Tooling update
On 2018-06-08, Gintautas Grigelionis wrote:

> Then I was surprised that Dependency Check indicates that the latest
> XZ 1.8 has a vulnerability: should we ask them to investigate?

That's a false positive.

https://www.cvedetails.com/cve/CVE-2015-4035/ applies to the command line tooling and is not related to XZ for Java at all.

Stefan

-
To unsubscribe, e-mail: dev-unsubscr...@ant.apache.org
For additional commands, e-mail: dev-h...@ant.apache.org
Tooling update
I took the liberty to sync QA tools among Ant, Ivy and IvyDE. A couple of notes:

Ant 1.10 having a Java 8 baseline permits migration from FindBugs to SpotBugs; I decided to do it now rather than wait for dependency issues [1] to be resolved.

Then I was surprised that Dependency Check indicates that the latest XZ 1.8 has a vulnerability: should we ask them to investigate?

Gintas

[1] https://github.com/spotbugs/spotbugs/issues/655

P.S. Here's the complete Dependency Check report:

[owasp:dependency-check] bsh-core-2.0b4.jar (org.beanshell:bsh-core:2.0b4, cpe:/a:beanshell_project:beanshell:2.0.b4) : CVE-2016-2510
[owasp:dependency-check] jruby-1.6.8.jar (cpe:/a:jruby:jruby:1.6.8, org.jruby:jruby:1.6.8) : CVE-2012-5370
[owasp:dependency-check] jython-2.7.0.jar (org.python:jython:2.7.0, cpe:/a:jython_project:jython:2.7.0) : CVE-2016-4000
[owasp:dependency-check] xz-1.8.jar (cpe:/a:tukaani:xz:1.8, org.tukaani:xz:1.8) : CVE-2015-4035
[owasp:dependency-check] jruby-1.6.8.jar/META-INF/maven/org.jruby.ext.posix/jnr-posix/pom.xml (org.jruby.ext.posix:jnr-posix:1.1.9, cpe:/a:jruby:jruby:1.1.9) : CVE-2010-1330, CVE-2011-4838, CVE-2012-5370
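The practical follow-up to Stefan's "that's a false positive" (and to the xz-1.8.jar line in the report above) is a Dependency Check suppression that keeps CVE-2015-4035 out of future nightlies without hiding anything else. The file below is an added example, not code from this thread or from the Ant, Ivy or IvyDE builds. It uses the element names of the Dependency Check suppression schema (suppressions, suppress, notes, gav, cve); the file name suppressions.xml and the decision to key the suppression on the Maven coordinates rather than on a jar checksum are my choices.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not from the Ant build): suppress only the XZ for Java
     finding discussed in the thread. The other report entries (bsh-core,
     jruby, jython, jnr-posix) are deliberately left alone, because the
     thread gives no reason to treat them as false positives. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.1.xsd">
    <suppress>
        <notes><![CDATA[
        xz-1.8.jar is matched to cpe:/a:tukaani:xz:1.8 via its Maven
        coordinates (org.tukaani:xz). CVE-2015-4035 concerns the XZ Utils
        command line tooling, not XZ for Java (see Stefan's reply).
        ]]></notes>
        <!-- Match on the Maven coordinates as a regex so the suppression
             survives a version bump of the library ... -->
        <gav regex="true">^org\.tukaani:xz:.*$</gav>
        <!-- ... but restrict it to this one CVE, so a genuine future CVE
             against XZ for Java would still show up in the report. -->
        <cve>CVE-2015-4035</cve>
    </suppress>
</suppressions>
```

Wire it in through the dependency-check Ant task's suppressionFile attribute, e.g. `<dependency-check projectName="Ant" reportOutputDirectory="build/reports" suppressionFile="suppressions.xml"/>` (attribute names as I know them from the dependency-check-ant task; confirm against the version in the nightlies). Two caveats worth keeping in mind when reviewing such a file: a suppression keyed on sha1 instead of gav is tighter but has to be renewed on every XZ upgrade, and a suppress element without a cve child would silence every CVE ever mapped to that CPE, which is exactly the thing a false-positive suppression must not do.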