Posted to server-dev@james.apache.org by "René Cordier (Jira)" <se...@james.apache.org> on 2020/02/03 07:14:00 UTC

[jira] [Comment Edited] (JAMES-3033) Vulnerability found in dependency com.puppycrawl.tools:checkstyle

    [ https://issues.apache.org/jira/browse/JAMES-3033?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17028711#comment-17028711 ] 

René Cordier edited comment on JAMES-3033 at 2/3/20 7:13 AM:
-------------------------------------------------------------

Oddly enough, it seems to introduce other issues with the `CustomImportOrder` module. We currently have it defined like this in our checkstyle.xml conf file:

{code:xml}
<module name="CustomImportOrder">
      <property name="customImportOrderRules" value="STATIC###STANDARD_JAVA_PACKAGE###SPECIAL_IMPORTS"/>
      <property name="specialImportsRegExp" value="org"/>
      <property name="sortImportsInGroupAlphabetically" value="true"/>
</module>
{code}

Whereas before it seemed to work perfectly with our James import order, which should be something like this:

{code:java}
import statics;

import java.*;

import javax.*;

import org.*;

import com.*; 

import the rest;
{code}

Is that true for the com.* imports though? That's what is in my IntelliJ conf, but I don't see, with the conf of `CustomImportOrder`, why it shouldn't just be part of the rest.

Anyway, still with version 8.29, I get weird stuff like checkstyle expecting the java and javax packages to be together... I'm not sure if it became stricter in the syntax and we did something wrong, or if a bug has been introduced. I will dig more into it.

> Vulnerability found in dependency com.puppycrawl.tools:checkstyle
> -----------------------------------------------------------------
>
>                 Key: JAMES-3033
>                 URL: https://issues.apache.org/jira/browse/JAMES-3033
>             Project: James Server
>          Issue Type: Improvement
>            Reporter: René Cordier
>            Priority: Major
>              Labels: security
>
> A vulnerability issue has been found in com.puppycrawl.tools:checkstyle : https://github.com/linagora/james-project/network/alert/pom.xml/com.puppycrawl.tools:checkstyle/open
> We need to fix it asap by upgrading it from version 8.23 to 8.29. 



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: server-dev-unsubscribe@james.apache.org
For additional commands, e-mail: server-dev-help@james.apache.org
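A check a practitioner would want alongside a dependency upgrade like the one this issue asks for, as an added example that is not James project code: a shell gate that reads the checkstyle version pinned in pom.xml and fails the build when it is below 8.29, the version the issue names as the fix. It assumes the common layout where the maven-checkstyle-plugin pins com.puppycrawl.tools:checkstyle inside its own <dependency> element; the two pom fragments below are constructed for the demonstration and are not the James pom.

```shell
#!/usr/bin/env bash
# Added example (not James project code): gate a Maven build on the version of
# com.puppycrawl.tools:checkstyle pinned in pom.xml, so an upgrade such as the
# 8.23 -> 8.29 one in JAMES-3033 cannot silently regress.
set -eu

# Minimum acceptable version, taken from the issue text.
MIN_CHECKSTYLE_VERSION="8.29"

# Print the <version> declared for com.puppycrawl.tools:checkstyle in a pom.
# Assumes groupId, artifactId and version sit inside one <dependency> element,
# as they do when the maven-checkstyle-plugin pins the checkstyle artifact.
# Other <version> lines in the pom (e.g. the plugin's own) are ignored.
checkstyle_version_in_pom() {
  awk '
    /<groupId>com\.puppycrawl\.tools<\/groupId>/ { in_group = 1; next }
    in_group && /<artifactId>checkstyle<\/artifactId>/ { in_artifact = 1; next }
    in_group && in_artifact && /<version>/ {
      gsub(/.*<version>|<\/version>.*/, ""); print; exit
    }
    /<\/dependency>/ { in_group = 0; in_artifact = 0 }
  ' "$1"
}

# Return 0 when dotted numeric version $1 >= $2 (e.g. 8.29 >= 8.23, but 8.9 < 8.23).
# Numeric comparison per component avoids the string-ordering trap where "8.9" > "8.29".
version_at_least() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, x, "."); nb = split(b, y, ".")
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      xi = (i <= na) ? x[i] + 0 : 0
      yi = (i <= nb) ? y[i] + 0 : 0
      if (xi > yi) exit 0
      if (xi < yi) exit 1
    }
    exit 0
  }'
}

# Exit 0 if the pom pins at least MIN_CHECKSTYLE_VERSION, 1 otherwise.
check_pom() {
  local v
  v="$(checkstyle_version_in_pom "$1")"
  if [ -z "$v" ]; then
    echo "no com.puppycrawl.tools:checkstyle dependency found in $1" >&2
    return 1
  fi
  if version_at_least "$v" "$MIN_CHECKSTYLE_VERSION"; then
    echo "checkstyle $v OK (>= $MIN_CHECKSTYLE_VERSION)"
  else
    echo "checkstyle $v is below $MIN_CHECKSTYLE_VERSION; upgrade required" >&2
    return 1
  fi
}

# Constructed sample poms (not the real James pom): one still on 8.23, one upgraded.
OLD_POM="$(mktemp)"
NEW_POM="$(mktemp)"
cat >"$OLD_POM" <<'EOF'
<project>
  <build>
    <plugins>
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-checkstyle-plugin</artifactId>
        <dependencies>
          <dependency>
            <groupId>com.puppycrawl.tools</groupId>
            <artifactId>checkstyle</artifactId>
            <version>8.23</version>
          </dependency>
        </dependencies>
      </plugin>
    </plugins>
  </build>
</project>
EOF
sed 's/<version>8\.23<\/version>/<version>8.29<\/version>/' "$OLD_POM" >"$NEW_POM"

check_pom "$OLD_POM" || echo "old pom rejected, as expected"
check_pom "$NEW_POM"
```

Run it against the project's real pom.xml by calling `check_pom path/to/pom.xml` from a CI step; a non-zero exit fails the job. Parsing the pom with awk is deliberately narrow: it finds only the version literally written in the file, so a version supplied through a property or a parent pom would need `mvn help:effective-pom` run first and the gate pointed at its output.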