MCHECKSTYLE-366 Upgrade checkstyle to a more recent version

[eolivelli]

MCHECKSTYLE-366 Upgrade checkstyle to a more recent version
and require Java 8 as Checkstyle 7+ requires Java 8

Fix several integration tests that didn't work with new versions of checkstyle

[eolivelli]

@rnveach I have addressed your comment, please take another look

[eolivelli]

This is the CI job for this branch:
https://builds.apache.org/job/maven-box/job/maven-checkstyle-plugin/job/MCHECKSTYLE-366/

[rnveach]

Looks good, thanks.

[romani]

it would be good if you can update all xmls to have new DOCTYPE that reference to secure website.
Example: https://github.com/checkstyle/checkstyle/blob/master/config/checkstyle_checks.xml#L2
There should be no Puppy Crawl, no http://.

it is part of security issue - checkstyle/checkstyle#6478 and checkstyle/checkstyle#6474

[eolivelli]

This is a test resource

[romani]

@eolivelli , please address my comment, to avoid security issues in plugin.

[eolivelli]

@romani this file is a test resource, it is an integration test.
It would be better to create a specific JIRA and track the work to do.
I will be very happy to fix the problem you are reporting or to help your provide a patch.
This PR has already been merged, we should start a new one

[JLLeitschuh]

@eolivelli The security issue is in the parser that is used to parse this file. It leaves any code that parses this file vulnerable to XXE via a MITM.
It doesn't matter that it's a "test resource", it still leaves the build vulnerable to this attack vector.

[rnveach]

I will create the ticket.

[rnveach]

Here is the new ticket to provide any patches for: https://issues.apache.org/jira/browse/MCHECKSTYLE-375

[eolivelli]

Great. If anyone wants to pick it up....I can wait for it before cutting the 3.1.0 release.
I am currently waiting for another patch se the is no hurry.

[romani]

@eolivelli , please share link to patch that you are waiting

[eolivelli]

@romani this one #5

[eolivelli]

This pr has been merged, sorry, I did not close it