Remove DTDs from http://checkstyle.sourceforge.net and from http://puppycrawl.com/ #6478

Closed
romani opened this issue Feb 25, 2019 · 13 comments · Fixed by #6533

Comments

@romani (Member) commented Feb 25, 2019

The location on http://checkstyle.sourceforge.net/ is not secure.

All checkstyle versions below 8.18 are not very secure; see details at #6474.

I will move the DTDs to another folder to let users experience a failure and find this issue as a request to update their configuration.

Upgrade is simple:
http://checkstyle.sourceforge.net/dtds/configuration_1_3.dtd
=>
https://checkstyle.org/dtds/configuration_1_3.dtd
and
http://puppycrawl.com/dtds/configuration_1_3.dtd
=>
https://checkstyle.org/dtds/configuration_1_3.dtd

If you cannot update, please write a comment; I might return the DTDs to their original place to give people some time to migrate.
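The URL rewrite described in the comment above, as an added example that is not part of this issue or of the checkstyle project's own tooling. The system identifier in a checkstyle config's DOCTYPE is a URL, and an XML parser that honours it fetches the DTD from that host, which is why a plain-HTTP location is the problem; the script below finds config and suppression files that still name the retired hosts and rewrites their DOCTYPE to https://checkstyle.org/dtds/. It assumes the file-name mapping given above applies to every DTD under /dtds/, that the `www.` and `https` forms of the old hosts also occur in the wild, and that suppressions_1_1.dtd may be bumped to suppressions_1_2.dtd as the downstream commits in this thread do; the sample inputs are constructed.

```python
#!/usr/bin/env python3
"""Find and rewrite checkstyle DOCTYPE references that still point at the
retired http://checkstyle.sourceforge.net and http://puppycrawl.com hosts.

Added example, not code from the checkstyle project. Assumed: the mapping
from the issue (any /dtds/<name>.dtd on either old host becomes
https://checkstyle.org/dtds/<name>.dtd); that configs in the wild also use
the www. prefix or https on the old hosts; and that suppressions_1_1.dtd may
be bumped to suppressions_1_2.dtd as the downstream commits in this thread did.
"""
from __future__ import annotations

import re
import sys
from pathlib import Path

NEW_BASE = "https://checkstyle.org/dtds/"

# System identifier on a retired host: scheme, optional www., either old
# host, then /dtds/<file>.dtd. The www. and https variants are assumptions.
STALE_DTD_RE = re.compile(
    r"https?://(?:www\.)?(?:checkstyle\.sourceforge\.net|puppycrawl\.com)"
    r"/dtds/(?P<file>[A-Za-z0-9_.-]+\.dtd)"
)

# A checkstyle DOCTYPE has no internal subset, so it ends at the first '>'.
DOCTYPE_RE = re.compile(r"<!DOCTYPE\b[^>]*>")


def find_stale_refs(text: str) -> list[str]:
    """Every stale DTD URL anywhere in the file, inside a DOCTYPE or not."""
    return [m.group(0) for m in STALE_DTD_RE.finditer(text)]


def rewrite_dtd_refs(text: str, bump_suppressions: bool = False) -> tuple[str, int]:
    """Rewrite stale system identifiers, but only inside DOCTYPE declarations.

    A stale URL in a comment or a <property> value is left alone (use
    find_stale_refs to report it). Returns (new_text, number_rewritten).
    With bump_suppressions, suppressions_1_1.dtd becomes suppressions_1_2.dtd
    and the public identifier is bumped to match.
    """
    stats = {"count": 0, "bumped": False}

    def fix_url(m: re.Match) -> str:
        name = m.group("file")
        if bump_suppressions and name == "suppressions_1_1.dtd":
            name = "suppressions_1_2.dtd"
            stats["bumped"] = True
        stats["count"] += 1
        return NEW_BASE + name

    def fix_doctype(m: re.Match) -> str:
        stats["bumped"] = False
        fixed = STALE_DTD_RE.sub(fix_url, m.group(0))
        if stats["bumped"]:
            # Public and system identifiers must name the same DTD version.
            fixed = fixed.replace("DTD Suppressions 1.1//EN", "DTD Suppressions 1.2//EN")
        return fixed

    return DOCTYPE_RE.sub(fix_doctype, text), stats["count"]


def migrate_tree(root: Path, dry_run: bool = True) -> dict[str, int]:
    """Walk *.xml under root; report stale refs and rewrite them unless dry_run."""
    rewritten: dict[str, int] = {}
    for path in sorted(root.rglob("*.xml")):
        text = path.read_text(encoding="utf-8")
        if not find_stale_refs(text):
            continue
        new_text, n = rewrite_dtd_refs(text, bump_suppressions=True)
        rewritten[str(path)] = n
        leftover = find_stale_refs(new_text)
        print(f"{path}: {n} DOCTYPE reference(s) rewritten, "
              f"{len(leftover)} stale URL(s) outside the DOCTYPE left for review")
        if n and not dry_run:
            path.write_text(new_text, encoding="utf-8")
    return rewritten


# Constructed sample inputs (not taken from any real project).
SAMPLE_CONFIG = """<?xml version="1.0"?>
<!DOCTYPE module PUBLIC
    "-//Puppy Crawl//DTD Check Configuration 1.3//EN"
    "http://www.puppycrawl.com/dtds/configuration_1_3.dtd">
<!-- schema: http://checkstyle.sourceforge.net/dtds/configuration_1_3.dtd -->
<module name="Checker"><module name="TreeWalker"/></module>
"""

SAMPLE_SUPPRESSIONS = """<?xml version="1.0"?>
<!DOCTYPE suppressions PUBLIC
    "-//Puppy Crawl//DTD Suppressions 1.1//EN"
    "http://checkstyle.sourceforge.net/dtds/suppressions_1_1.dtd">
<suppressions><suppress files=".*Generated.*" checks=".*"/></suppressions>
"""

if __name__ == "__main__":
    # Usage: python migrate_dtds.py <dir> [--write]   (no --write = dry run)
    if len(sys.argv) >= 2:
        migrate_tree(Path(sys.argv[1]), dry_run="--write" not in sys.argv[2:])
    else:
        print(rewrite_dtd_refs(SAMPLE_CONFIG)[0])
```

Run it with a directory to report stale references (dry run) and add `--write` to rewrite in place. URLs that occur outside a DOCTYPE, for example in a comment, are reported but not touched, since only the DOCTYPE's system identifier decides what the parser fetches.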

@romani (Member, Author) commented Feb 25, 2019

DTDs from http://puppycrawl.com/dtds/ were removed by Oliver today.

muhlba91 pushed a commit to muhlba91/sonar-checkstyle that referenced this issue Mar 5, 2019
romani pushed a commit to checkstyle/sonar-checkstyle that referenced this issue Mar 6, 2019
fzdy1914 added a commit to fzdy1914/NUS-CS2103-Inventory-Manager that referenced this issue Mar 6, 2019
We are currently using the DTD files from `http://checkstyle.sourceforge.net/`
and `http://puppycrawl.com/` in our config file of checkstyle.

However, due to security reasons, checkstyle decided to remove DTDs from
the above websites and asked users to use the DTD files from
`https://checkstyle.org/` [1].

Let's update the addresses of DTD files correspondingly.

Meanwhile, update the version of the suppression DTD file to 1.2 because it is
the version suggested by checkstyle. [2]

[1] checkstyle/checkstyle#6478
[2] https://checkstyle.org/config_filters.html#SuppressionFilter_Examples
@romani (Member, Author) commented Mar 7, 2019

DTDs from http://checkstyle.sourceforge.net were hidden today.
If somebody experienced a problem, please update to a checkstyle version above 8.10, or write a comment and explain your issue with the inability to upgrade.

@romani romani added this to the 8.19 milestone Mar 7, 2019
pyokagan pushed a commit to se-edu/addressbook-level4 that referenced this issue Mar 8, 2019
@ndtreviv commented Mar 8, 2019

FYI: the sample configs all still have the old DTD specified in them.

@romani (Member, Author) commented Mar 8, 2019

@ndtreviv, please give me a direct link or provide a bit more details, as we have a lot of places with configs.

@ndtreviv commented Mar 8, 2019

> @ndtreviv, please give me a direct link or provide a bit more details, as we have a lot of places with configs.

My bad... I've gone back to re-find them and I can't anymore. I'm probably going mad. Sorry about that.

@rnveach (Member) commented Mar 8, 2019

asfgit pushed a commit to apache/hbase that referenced this issue Mar 8, 2019
@romani (Member, Author) commented Mar 9, 2019

Links to reports and to old websites should stay on sourceforge for now.
Reports will always stay on sourceforge.
Old websites we might eventually move to github.io if it does not damage the performance of deployment, or if we change the release/deployment process.

@rnveach (Member) commented Mar 9, 2019

@romani GitHub closed the issue with the last merge; is there anything left for this issue?

@romani (Member, Author) commented Mar 9, 2019

All planned work is done.

@JLLeitschuh commented Mar 11, 2019

@romani @rnveach Here is the CVE that was assigned:
CVE-2019-9658

Just a heads up, the description they've put on this is far more general than the description I sent them; however, I don't think it's strictly inaccurate.

You may want to consider changing the title of this issue (or some issue) to contain the CVE number for easy reference.

yamidark pushed a commit to reposense/RepoSense that referenced this issue Mar 16, 2019
We are using the DTD files from http://checkstyle.sourceforge.net/
and http://puppycrawl.com/ in our config file of checkstyle.

However, due to security reasons, checkstyle decided to remove DTDs from
the above websites and asked users to use the DTD files from
https://checkstyle.org/ [1].

Let's update the addresses of DTD files correspondingly.

As a later version of the suppression DTD file has been released [2],
let's also update the DTD file to the latest version.

[1] Checkstyle removes DTDs from http://checkstyle.sourceforge.net:
checkstyle/checkstyle#6478

[2] Checkstyle Suppressions.xml example:
https://checkstyle.org/config_filters.html#SuppressionFilter_Examples
chyeo pushed a commit to chyeo/main that referenced this issue Mar 18, 2019
ongspxm added a commit to reposense/RepoSense that referenced this issue Mar 19, 2019
The way `v_summary` handles the loading of the sidebar
assumes there is only one type of sidebar view.

In light of the new "zoomin" view, we would have to extend and
generalize the way we load the sidebar, so as to be able to load both
the authorship and zoomin view using the same mechanism.

The design of the "event bus" is as such. The actual loading of the
tabs is done in the main app, and those functions usually have the form
`updateTabXXX()`, which write the corresponding information object into
`this.tabInfo` and does `this.tabActive='XXX';`. This will then load
the right tab in the sidebar.

To load the sidebar from without another component, the VueJS event
emitting mechanism is used. A function of the form  `openTabXXX()` is
used to call the component's `$emit()`. The main application then
handles the emitted message using the corresponding `updateTabXXX()`.

* Add highlighting to ramps (#544)

To be able to open up a "zoomed-in" view of the ramp, the user must
first be able to select part of the ramp to focus on.

Let's add a way for the user to highlight the range of the ramp to
focus on. This will later translate into the date range for the
"zoomed-in" view to display the relevant commits.

In this particular implementation, we use a global `drags` object as a
way of preventing user from highlighting on multiple ramp charts. E.g.
if a user mousedown on one ramp chart and mouseup on the other, the
second chart will be highlighted with the positions defined between the
two mouse events.

* Merge 'tabs' to get refactored v_authorship

commit b632566
Author: ongspxm <ongspxm@gmail.com>
Date:   Mon Feb 25 00:46:12 2019 +0800

    added TODO to remove change

commit 4bb21d6
Author: ongspxm <ongspxm@gmail.com>
Date:   Fri Feb 22 23:38:34 2019 +0800

    updated to use isTabActive instead of tabActive to trigger tab display

commit a7aeefd
Author: ongspxm <ongspxm@gmail.com>
Date:   Thu Feb 21 22:39:18 2019 +0800

    fix lint

commit b813aa2
Author: ongspxm <ongspxm@gmail.com>
Date:   Thu Feb 21 22:30:35 2019 +0800

    wrap everything within v-authorship

commit 7dbb41b
Author: ongspxm <ongspxm@gmail.com>
Date:   Thu Feb 21 22:25:45 2019 +0800

    updateCount using document.getElementsByClassName

commit c66a3ee
Author: ongspxm <ongspxm@gmail.com>
Date:   Thu Feb 21 15:53:22 2019 +0800

    wip. left with updateCount

commit 9e73331
Author: ongspxm <ongspxm@gmail.com>
Date:   Thu Feb 21 15:49:48 2019 +0800

    move expand func to v_authorship

commit 3fcd62b
Author: ongspxm <ongspxm@gmail.com>
Date:   Thu Feb 21 15:43:50 2019 +0800

    remove js for button update

commit 4fc1151
Author: ongspxm <ongspxm@gmail.com>
Date:   Thu Feb 21 15:37:02 2019 +0800

    deactivating the tab

commit a387e19
Author: ongspxm <ongspxm@gmail.com>
Date:   Thu Feb 21 14:51:58 2019 +0800

    wip

* move call emitting to component func

* handle opening of tabs in main app

* refactoring ramps to their own component (#572)

Currently, the entire ramp template resides in `v_summary`. In light of
the "zoomin" tab view, we would have to reuse ramp chart view to
display the commits in the "zoomin" tab.

Let's refactor to move the ramp into its own component, so as to
support reuse in the "zoomin" tab view.

* fix lint

* fix: show min max date on authorship view

* lint

* [#554] Rename 'dashboard' instances to 'report' (#579)

The term 'report' and 'dashboard' are used throughout RepoSense to
refer to the same thing, the result after running analysis.

However, users may not understand the subtle differences between
these two terms. Instead, using a single term would help in
standardization and comprehensibility.

Let's rename all usage of 'dashboard' instances to the term 'report'
instead, as standardized in #220.

* Checkstyle: update addresses of DTD files #586

We are using the DTD files from http://checkstyle.sourceforge.net/
and http://puppycrawl.com/ in our config file of checkstyle.

However, due to security reasons, checkstyle decided to remove DTDs from
the above websites and asked users to use the DTD files from
https://checkstyle.org/ [1].

Let's update the addresses of DTD files correspondingly.

As a later version of the suppression DTD file has been released [2],
let's also update the DTD file to the latest version.

[1] Checkstyle removes DTDs from http://checkstyle.sourceforge.net:
checkstyle/checkstyle#6478

[2] Checkstyle Suppressions.xml example:
https://checkstyle.org/config_filters.html#SuppressionFilter_Examples

* [#540] Perform cloning in parallel with analyzing (#560)

Repos are processed sequentially, one at a time.

As cloning does not take much processing power and analysis does not
take any network bandwidth, the two can be done in parallel to reduce
the total processing time.

Here are some test results to support the above hypothesis:
The test was performed using CS2103 AY1819S1 project repos on my local
machine. The average time taken to generate the report was measured
across 10 runs. Current code took 17 min 21s while new implementation
took 11 min 55s.

Let's clone the next repo in the list while the current repo is being
analyzed.

* [#465] Url: bookmark opened code view (#524)

Our report's url changes along with the state of the dashboard as a
mechanism to allow users to easily revisit their last view as well as
to easily share it with other people.

However, this was only limited to the chart view configuration, nothing
of the code view were part of the state being saved.

To allow users to easily restore their last reviewed code view, let's
also encode any opened code view into the url.

* [#510] Remove unused Checkstyle analysis feature (#597)

The checkstyle analysis feature was added to the code base in the
early stage of RepoSense, when there was some hope of running static
analysis over the code written by authors of the repositories.

As this feature has not been used since the early stages (v1.0), and it
is also not in our immediate plans anymore, leaving it will
unnecessarily complicate the codebase.

Let's clean up the code base by removing this unused checkstyle
analysis feature.

* fix: codeview not opening

* update view opening
tsjensen pushed a commit to checkstyle-addons/sonar-checkstyle that referenced this issue Mar 21, 2019
@JLLeitschuh commented

@romani @rnveach This DTD is still available and should be removed.

http://checkstyle.sourceforge.net/dtds/configuration_1_3.dtd

@romani (Member, Author) commented Apr 2, 2019

The dtds folder is removed from checkstyle.sourceforge.net; .ci/copy-site-to-sourceforge.sh was updated to remove such a folder automatically.

Vantuz pushed a commit to Vantuz/checkstyle that referenced this issue Apr 3, 2019
sijie123 pushed a commit to sijie123/CS2103-DeadlineManager that referenced this issue Apr 13, 2019
sijie123 pushed a commit to sijie123/CS2103-DeadlineManager that referenced this issue Apr 14, 2019
@rnveach (Member) commented Apr 14, 2019

> Here is the CVE that was assigned. CVE-2019-9658

This is more informational, something I didn't know: when you work with open source on GitHub and do a push to a repo you own, it will report these CVEs to you on the push. I use Eclipse for my pushes.

[screenshot: backport security3]

And they even have a URL to list all these vulnerabilities.

[screenshot: backport security1]

[screenshot: backport security2]

peterdemaeyer pushed a commit to peterdemaeyer/checkstyle that referenced this issue Apr 27, 2019
peterdemaeyer pushed a commit to peterdemaeyer/checkstyle that referenced this issue Apr 28, 2019
TWiStErRob added a commit to TWiStErRob/net.twisterrob.gradle that referenced this issue May 26, 2019
giabao added a commit to giabao/sbt-checkstyle-plugin that referenced this issue Feb 10, 2020
infraio pushed a commit to infraio/hbase that referenced this issue Aug 17, 2020
DanVanAtta added a commit to triplea-game/triplea that referenced this issue Sep 9, 2020
The sourceforge location is hidden; the updated location is
on https and recommended.

This issue goes into more details on the DTD migration:
checkstyle/checkstyle#6478
DanVanAtta added a commit to triplea-game/triplea that referenced this issue Sep 10, 2020
asfgit pushed a commit to apache/submarine that referenced this issue Jun 29, 2021
### What is this PR for?
Replace out-of-date url in checkstyle.xml
reference:
checkstyle/checkstyle#6478

### What type of PR is it?
Bug Fix

### Todos

### What is the Jira issue?
https://issues.apache.org/jira/browse/SUBMARINE-877

### How should this be tested?

### Screenshots (if appropriate)

### Questions:
* Do the license files need updating? No
* Are there breaking changes for older versions? No
* Does this need new documentation? No

Author: jeff-901 <b07901052@ntu.edu.com>

Signed-off-by: byronhsu <byronhsu@apache.org>

Closes #618 from jeff-901/SUBMARINE-877 and squashes the following commits:

78ba6d4 [jeff-901] update url
4 participants