Remove DTDs from http://checkstyle.sourceforge.net and from http://puppycrawl.com/ #6478
Comments
DTDs from http://puppycrawl.com/dtds/ were removed by Oliver today.
We are currently using the DTD files from `http://checkstyle.sourceforge.net/` and `http://puppycrawl.com/` in our config file of checkstyle. However, due to security reason, checkstyle decided to remove DTDs from above websites and ask users to use the DTD files from `https://checkstyle.org/`[1]. Let's update the addresses of DTD files correspondingly. Meanwhile, update the version of suppression DTD file to 1.2 because it is the version suggested from checkstyle. [2] [1] checkstyle/checkstyle#6478 [2] https://checkstyle.org/config_filters.html#SuppressionFilter_Examples
DTDs from http://checkstyle.sourceforge.net were hidden today.
FYI The sample configs all still have the old DTD specified in them.
@ndtreviv, please give me a direct link or provide a bit more details, as we have a lot of places with configs.
My bad... I've gone back to re-find them and I can't anymore. I'm probably going mad. Sorry about that.
@romani This came up when doing a search: Not finding any example configs under
ADDENDUM -- dtds moved location. See checkstyle/checkstyle#6478
links to reports and to old websites should stay on sourceforge for now.
@romani github closed the issue with the last merge, is there anything left for this issue?
All planned work is done.
@romani @rnveach Here is the CVE that was assigned.
Just a heads up, the description they've put on this is far more general than the description I sent them; however, I don't think it's strictly inaccurate. You may want to consider changing the title of this issue (or some issue) to contain the CVE number for easy reference.
We are using the DTD files from http://checkstyle.sourceforge.net/ and http://puppycrawl.com/ in our config file of checkstyle. However, due to security reason, checkstyle decided to remove DTDs from above websites and ask users to use the DTD files from https://checkstyle.org/[1]. Let's update the addresses of DTD files correspondingly. As later version of the suppression DTD file has been released[2], let's also update the DTD file to the latest version. [1] Checkstyle removes DTDs from http://checkstyle.sourceforge.net: checkstyle/checkstyle#6478 [2] Checkstyle Suppressions.xml example: https://checkstyle.org/config_filters.html#SuppressionFilter_Examples
@romani @rnveach This DTD is still available and should be removed. http://checkstyle.sourceforge.net/dtds/configuration_1_3.dtd
dtds folder is removed from checkstyle.sourceforge.net,
This is more informational, something I didn't know. When you work with open source on GitHub and do a push to a repo you own, it will report these CVEs to you on a push. I use Eclipse for my pushes. And they even have a URL to list all these vulnerabilities.
* Gradle 4.10.3
* Fix breaking change: checkstyle/checkstyle#6478
The sourceforge location is hidden, the updated location is on https and recommended. This issue goes into more details on the DTD migration: checkstyle/checkstyle#6478
### What is this PR for?
Replace out-of-date url in checkstyle.xml reference: checkstyle/checkstyle#6478
### What type of PR is it?
Bug Fix
### Todos
### What is the Jira issue?
https://issues.apache.org/jira/browse/SUBMARINE-877
### How should this be tested?
### Screenshots (if appropriate)
### Questions:
* Do the license files need updating? No
* Are there breaking changes for older versions? No
* Does this need new documentation? No

Author: jeff-901 <b07901052@ntu.edu.com>
Signed-off-by: byronhsu <byronhsu@apache.org>
Closes #618 from jeff-901/SUBMARINE-877 and squashes the following commits:
78ba6d4 [jeff-901] update url
location on http://checkstyle.sourceforge.net/ is not secure.
All checkstyle versions below 8.18 are not very secure, see details at #6474.
I will move DTDs to another folder to let users experience failure and find this issue as a request to update their configuration.
Upgrade is simple:
http://checkstyle.sourceforge.net/dtds/configuration_1_3.dtd
=>
https://checkstyle.org/dtds/configuration_1_3.dtd
and
http://puppycrawl.com/dtds/configuration_1_3.dtd
=>
https://checkstyle.org/dtds/configuration_1_3.dtd
If you can not update, please write a comment, I might return DTDs to original place to give people some time to migrate.
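The rewrite described above, as an added helper script that is not part of this issue or of the checkstyle project: it finds the system identifier in a `<!DOCTYPE>` declaration, rewrites the two retired plain-http hosts to `https://checkstyle.org/dtds/`, and reports any other plain-http DTD it cannot migrate. The sample config and its public identifier are constructed for the example.

```python
import re

# The two plain-http hosts the issue retires, and the https host replacing them.
OLD_DTD_PREFIXES = (
    "http://checkstyle.sourceforge.net/dtds/",
    "http://puppycrawl.com/dtds/",
)
NEW_DTD_PREFIX = "https://checkstyle.org/dtds/"

# Captures the system identifier of a <!DOCTYPE ...> declaration, for both
# the PUBLIC "pubid" "sysid" and the SYSTEM "sysid" forms.
DOCTYPE_RE = re.compile(
    r'(<!DOCTYPE\s+[\w:.-]+\s+(?:PUBLIC\s+"[^"]*"\s+|SYSTEM\s+)")([^"]+)(")',
    re.IGNORECASE,
)

def migrate_dtd_urls(xml_text):
    """Return (new_text, rewritten_pairs, other_http_dtds).

    Retired locations are rewritten to https://checkstyle.org/dtds/; any other
    plain-http DTD is only reported, because no replacement is known for it.
    """
    rewritten, other_http = [], []

    def repl(match):
        sysid = match.group(2)
        for old in OLD_DTD_PREFIXES:
            if sysid.startswith(old):
                new = NEW_DTD_PREFIX + sysid[len(old):]
                rewritten.append((sysid, new))
                return match.group(1) + new + match.group(3)
        if sysid.lower().startswith("http://"):
            other_http.append(sysid)  # flagged for manual review, left unchanged
        return match.group(0)

    return DOCTYPE_RE.sub(repl, xml_text), rewritten, other_http

# Constructed sample: a checkstyle config still pointing at the retired sourceforge host.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<!DOCTYPE module PUBLIC
    "-//Puppy Crawl//DTD Check Configuration 1.3//EN"
    "http://checkstyle.sourceforge.net/dtds/configuration_1_3.dtd">
<module name="Checker"/>
"""

if __name__ == "__main__":
    new_text, changed, flagged = migrate_dtd_urls(SAMPLE_CONFIG)
    print(new_text)
    print("rewritten:", changed, "still plain http:", flagged)
```

Reading and writing the actual config files is left to the caller; run the function over every checkstyle config and suppressions file in the build and treat a non-empty third result as something to review by hand.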