Tooling update

classic Classic list List threaded Threaded
4 messages Options
Reply | Threaded
Open this post in threaded view
|

Tooling update

Gintautas Grigelionis
I took the liberty to sync QA tools among Ant, Ivy and IvyDE.
A couple of notes: Ant 1.10 having a Java 8 baseline permits migration
from FindBugs to SpotBugs; I decided to it now rather than wait for
dependency issues [1] to be resolved. Then I was surprised that
Dependency Check indicates that the latest XZ 1.8 has a vulnerability:
should we ask them to investigate?

Gintas

[1] https://github.com/spotbugs/spotbugs/issues/655

P.S. Here's the complete Dependency Check report:

[owasp:dependency-check] bsh-core-2.0b4.jar (org.beanshell:bsh-core:2.0b4,
cpe:/a:beanshell_project:beanshell:2.0.b4) : CVE-2016-2510
[owasp:dependency-check] jruby-1.6.8.jar (cpe:/a:jruby:jruby:1.6.8,
org.jruby:jruby:1.6.8) : CVE-2012-5370
[owasp:dependency-check] jython-2.7.0.jar (org.python:jython:2.7.0,
cpe:/a:jython_project:jython:2.7.0) : CVE-2016-4000
[owasp:dependency-check] xz-1.8.jar (cpe:/a:tukaani:xz:1.8,
org.tukaani:xz:1.8) : CVE-2015-4035
[owasp:dependency-check]
jruby-1.6.8.jar/META-INF/maven/org.jruby.ext.posix/jnr-posix/pom.xml
(org.jruby.ext.posix:jnr-posix:1.1.9, cpe:/a:jruby:jruby:1.1.9) :
CVE-2010-1330, CVE-2011-4838, CVE-2012-5370
Reply | Threaded
Open this post in threaded view
|

Re: Tooling update

Stefan Bodewig
On 2018-06-08, Gintautas Grigelionis wrote:

> Then I was surprised that Dependency Check indicates that the latest
> XZ 1.8 has a vulnerability: should we ask them to investigate?

That's a false positive.

https://www.cvedetails.com/cve/CVE-2015-4035/ applies to the command
line tooling and is not related to XZ for Java at all.

Stefan

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: Tooling update

Gintautas Grigelionis
Thanks, Stefan. Meanwhile, SpotBugs is reactivated in the nighlies now.
I noticed, however, that execution order is important: if SpotBugs runs
before Checkstyle,
the latter bails out because of ANTLR.

Gintas

2018-06-08 20:42 GMT+02:00 Stefan Bodewig <[hidden email]>:

> On 2018-06-08, Gintautas Grigelionis wrote:
>
> > Then I was surprised that Dependency Check indicates that the latest
> > XZ 1.8 has a vulnerability: should we ask them to investigate?
>
> That's a false positive.
>
> https://www.cvedetails.com/cve/CVE-2015-4035/ applies to the command
> line tooling and is not related to XZ for Java at all.
>
> Stefan
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [hidden email]
> For additional commands, e-mail: [hidden email]
>
>
Reply | Threaded
Open this post in threaded view
|

Re: Tooling update

Gintautas Grigelionis
Nightlies are publishing Checkstyle, SpotBugs and Simian now. AFAICS
there's no plugin for Rat :-(
Next, I think of publishing JaCoCo in Matrix builds. And, perhaps, adding
build status icons to [1]
(what is the status of plans to move the website to Git?)

Gintas

[1] https://ant.apache.org/nightlies.html

2018-06-09 9:08 GMT+02:00 Gintautas Grigelionis <[hidden email]>:

> Thanks, Stefan. Meanwhile, SpotBugs is reactivated in the nighlies now.
> I noticed, however, that execution order is important: if SpotBugs runs
> before Checkstyle,
> the latter bails out because of ANTLR.
>
> Gintas
>
> 2018-06-08 20:42 GMT+02:00 Stefan Bodewig <[hidden email]>:
>
>> On 2018-06-08, Gintautas Grigelionis wrote:
>>
>> > Then I was surprised that Dependency Check indicates that the latest
>> > XZ 1.8 has a vulnerability: should we ask them to investigate?
>>
>> That's a false positive.
>>
>> https://www.cvedetails.com/cve/CVE-2015-4035/ applies to the command
>> line tooling and is not related to XZ for Java at all.
>>
>> Stefan
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: [hidden email]
>> For additional commands, e-mail: [hidden email]
>>
>>
>