
Remove DTDs from http://checkstyle.sourceforge.net and from http://puppycrawl.com/ #6478

Closed
romani opened this Issue Feb 25, 2019 · 13 comments

romani (Member) commented Feb 25, 2019

The location on http://checkstyle.sourceforge.net/ is not secure.

All checkstyle versions below 8.18 are not very secure, see details at #6474.

I will move the DTDs to another folder to let users experience failure and find this issue as a request to update their configuration.

Upgrade is simple:
http://checkstyle.sourceforge.net/dtds/configuration_1_3.dtd
=>
https://checkstyle.org/dtds/configuration_1_3.dtd
and
http://puppycrawl.com/dtds/configuration_1_3.dtd
=>
https://checkstyle.org/dtds/configuration_1_3.dtd

If you cannot update, please write a comment; I might return the DTDs to their original place to give people some time to migrate.
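As an added example (not code from this issue or from the Checkstyle project), the following Python script audits a repository's Checkstyle XML files for the legacy plain-HTTP DTD references named above and rewrites them to the https://checkstyle.org/dtds/ location, keeping the DTD file name unchanged. The sample config files are constructed for the demonstration, and matching the www.puppycrawl.com host in addition to puppycrawl.com is an assumption.

```python
import re
from pathlib import Path
from typing import Dict, Iterable, List

# Legacy DTD hosts named in the issue (served over plain HTTP and now removed)
# and the secure replacement. Accepting an optional "www." prefix on the
# puppycrawl host is an assumption made here, not something the issue states.
LEGACY_DTD_RE = re.compile(
    r"http://(?:checkstyle\.sourceforge\.net|(?:www\.)?puppycrawl\.com)/dtds/"
    r"(?P<file>[A-Za-z0-9_.-]+\.dtd)"
)
SECURE_DTD_BASE = "https://checkstyle.org/dtds/"


def find_legacy_dtds(xml_text: str) -> List[str]:
    """Return every legacy (plain-HTTP) DTD URL referenced in a config text."""
    return [m.group(0) for m in LEGACY_DTD_RE.finditer(xml_text)]


def migrate_dtds(xml_text: str) -> str:
    """Rewrite legacy DTD URLs to the https://checkstyle.org location.

    Only the scheme and host change; the DTD file name (and therefore the
    DTD version) is kept exactly as the config had it.
    """
    return LEGACY_DTD_RE.sub(lambda m: SECURE_DTD_BASE + m.group("file"), xml_text)


def migrate_files(paths: Iterable[Path]) -> Dict[str, List[str]]:
    """Rewrite each file in place; return {path: [legacy URLs that were replaced]}."""
    report: Dict[str, List[str]] = {}
    for path in paths:
        text = path.read_text(encoding="utf-8")
        legacy = find_legacy_dtds(text)
        if legacy:
            path.write_text(migrate_dtds(text), encoding="utf-8")
            report[str(path)] = legacy
    return report


# Constructed samples: a Checkstyle config and a suppressions file in the
# pre-migration form (DOCTYPE with a public ID and a plain-HTTP system ID).
SAMPLE_CONFIG = """<?xml version="1.0"?>
<!DOCTYPE module PUBLIC "-//Puppy Crawl//DTD Check Configuration 1.3//EN"
    "http://puppycrawl.com/dtds/configuration_1_3.dtd">
<module name="Checker"/>
"""
SAMPLE_SUPPRESSIONS = """<?xml version="1.0"?>
<!DOCTYPE suppressions PUBLIC "-//Puppy Crawl//DTD Suppressions 1.1//EN"
    "http://checkstyle.sourceforge.net/dtds/suppressions_1_1.dtd">
<suppressions/>
"""

if __name__ == "__main__":
    for name, text in (("checkstyle.xml", SAMPLE_CONFIG),
                       ("suppressions.xml", SAMPLE_SUPPRESSIONS)):
        print(name, "legacy DTD references:", find_legacy_dtds(text))
        print(migrate_dtds(text))
```

To run it over a real checkout, pass the config paths to `migrate_files`, for example `migrate_files(Path(".").rglob("*.xml"))`, and review the returned report before committing.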

romani (Member, Author) commented Feb 25, 2019

DTDs from http://puppycrawl.com/dtds/ were removed by Oliver today.

muhlba91 added a commit to muhlba91/sonar-checkstyle that referenced this issue Mar 5, 2019

romani added a commit to checkstyle/sonar-checkstyle that referenced this issue Mar 6, 2019

fzdy1914 added a commit to fzdy1914/Inventory-Manager that referenced this issue Mar 6, 2019

Edit the addresses of DTD files used for checkstyle
We are currently using the DTD files from `http://checkstyle.sourceforge.net/`
and `http://puppycrawl.com/` in our config file of checkstyle.

However, for security reasons, checkstyle decided to remove DTDs from
the above websites and asks users to use the DTD files from
`https://checkstyle.org/` [1].

Let's update the addresses of DTD files correspondingly.

Meanwhile, update the version of the suppression DTD file to 1.2 because it is
the version suggested by checkstyle. [2]

[1] checkstyle/checkstyle#6478
[2] https://checkstyle.org/config_filters.html#SuppressionFilter_Examples

romani (Member, Author) commented Mar 7, 2019

DTDs from http://checkstyle.sourceforge.net were hidden today.
If somebody experienced a problem, please update to a checkstyle version above 8.10, or write a comment and explain your issue with the inability to upgrade.

romani added this to the 8.19 milestone Mar 7, 2019

pyokagan added a commit to se-edu/addressbook-level4 that referenced this issue Mar 8, 2019


ndtreviv commented Mar 8, 2019

FYI, the sample configs all still have the old DTD specified in them.

romani (Member, Author) commented Mar 8, 2019

@ndtreviv, please give me a direct link or provide a bit more details, as we have a lot of places with configs.

ndtreviv commented Mar 8, 2019

@ndtreviv, please give me a direct link or provide a bit more details, as we have a lot of places with configs.

My bad... I've gone back to re-find them and I can't anymore. I'm probably going mad. Sorry about that.

rnveach (Member) commented Mar 8, 2019

asfgit pushed a commit to apache/hbase that referenced this issue Mar 8, 2019

asfgit pushed a commit to apache/hbase that referenced this issue Mar 8, 2019

asfgit pushed a commit to apache/hbase that referenced this issue Mar 8, 2019

asfgit pushed a commit to apache/hbase that referenced this issue Mar 8, 2019

romani added a commit that referenced this issue Mar 9, 2019

romani (Member, Author) commented Mar 9, 2019

Links to reports and to old websites should stay on sourceforge for now.
Reports will always stay on sourceforge.
Old websites we might eventually move to github.io if it does not damage the performance of deployment, or if we change the release/deployment process.

rnveach closed this in #6533 Mar 9, 2019

rnveach added a commit that referenced this issue Mar 9, 2019

rnveach (Member) commented Mar 9, 2019

@romani GitHub closed the issue with the last merge; is there anything left for this issue?

romani (Member, Author) commented Mar 9, 2019

All planned work is done.

romani changed the title from "Remove DTDs from http://checkstyle.sourceforge.net" to "Remove DTDs from http://checkstyle.sourceforge.net and from http://puppycrawl.com/" Mar 9, 2019

Januson added a commit to Januson/candlepin that referenced this issue Mar 11, 2019

Update Checkstyle DTDs links.
Checkstyle DTDs on the puppycrawl site were deprecated some time ago and are now removed.
- Change configuration DTD link to "https://checkstyle.org/dtds/configuration_1_3.dtd"
- Change suppressions DTD link to "https://checkstyle.org/dtds/suppressions_1_2.dtd"

For more information see the following issues:
- checkstyle/checkstyle#1571
- checkstyle/checkstyle#6478

Januson added a commit to Januson/candlepin that referenced this issue Mar 11, 2019


Januson added a commit to Januson/candlepin that referenced this issue Mar 11, 2019


asfgit pushed a commit to apache/hbase that referenced this issue Mar 11, 2019

JLLeitschuh commented Mar 11, 2019

@romani @rnveach Here is the CVE that was assigned:
CVE-2019-9658

Just a heads up, the description they've put on this is far more general than the description I sent them; however, I don't think it's strictly inaccurate.

You may want to consider changing the title of this issue (or some issue) to contain the CVE number for easy reference.

Creastery added a commit to Creastery/main that referenced this issue Mar 11, 2019


yamidark added a commit to reposense/RepoSense that referenced this issue Mar 16, 2019

Checkstyle: update addresses of DTD files #586
We are using the DTD files from http://checkstyle.sourceforge.net/
and http://puppycrawl.com/ in our config file of checkstyle.

However, for security reasons, checkstyle decided to remove DTDs from
the above websites and asks users to use the DTD files from
https://checkstyle.org/ [1].

Let's update the addresses of DTD files correspondingly.

As a later version of the suppression DTD file has been released [2],
let's also update the DTD file to the latest version.

[1] Checkstyle removes DTDs from http://checkstyle.sourceforge.net:
checkstyle/checkstyle#6478

[2] Checkstyle Suppressions.xml example:
https://checkstyle.org/config_filters.html#SuppressionFilter_Examples

Creastery added a commit to Creastery/main that referenced this issue Mar 18, 2019


chyeo added a commit to chyeo/main that referenced this issue Mar 18, 2019


ongspxm added a commit to reposense/RepoSense that referenced this issue Mar 19, 2019

refactoring the way we handle sidebar opening events (#574)
The way `v_summary` handles the loading of the sidebar
assumes there is only one type of sidebar view.

In light of the new "zoomin" view, we would have to extend and
generalize the way we load the sidebar, so as to be able to load both
the authorship and zoomin view using the same mechanism.

The design of the "event bus" is as such. The actual loading of the
tabs is done in the main app, and those functions usually have the form
`updateTabXXX()`, which write the corresponding information object into
`this.tabInfo` and does `this.tabActive='XXX';`. This will then load
the right tab in the sidebar.

To load the sidebar from without another component, the VueJS event
emitting mechanism is used. A function of the form  `openTabXXX()` is
used to call the component's `$emit()`. The main application then
handles the emitted message using the corresponding `updateTabXXX()`.

* Add highlighting to ramps (#544)

To be able to open up a "zoomed-in" view of the ramp, the user must
first be able to select part of the ramp to focus on.

Let's add a way for the user to highlight the range of the ramp to
focus on. This will later translate into the date range for the
"zoomed-in" view to display the relevant commits.

In this particular implementation, we use a global `drags` object as a
way of preventing the user from highlighting on multiple ramp charts. E.g.
if a user mousedown on one ramp chart and mouseup on the other, the
second chart will be highlighted with the positions defined between the
two mouse events.

* Merge 'tabs' to get refactored v_authorship

commit b632566
Author: ongspxm <ongspxm@gmail.com>
Date:   Mon Feb 25 00:46:12 2019 +0800

    added TODO to remove change

commit 4bb21d6
Author: ongspxm <ongspxm@gmail.com>
Date:   Fri Feb 22 23:38:34 2019 +0800

    updated to use isTabActive instead of tabActive to trigger tab display

commit a7aeefd
Author: ongspxm <ongspxm@gmail.com>
Date:   Thu Feb 21 22:39:18 2019 +0800

    fix lint

commit b813aa2
Author: ongspxm <ongspxm@gmail.com>
Date:   Thu Feb 21 22:30:35 2019 +0800

    wrap everything within v-authorship

commit 7dbb41b
Author: ongspxm <ongspxm@gmail.com>
Date:   Thu Feb 21 22:25:45 2019 +0800

    updateCount using document.getElementsByClassName

commit c66a3ee
Author: ongspxm <ongspxm@gmail.com>
Date:   Thu Feb 21 15:53:22 2019 +0800

    wip. left with updateCount

commit 9e73331
Author: ongspxm <ongspxm@gmail.com>
Date:   Thu Feb 21 15:49:48 2019 +0800

    move expand func to v_authorship

commit 3fcd62b
Author: ongspxm <ongspxm@gmail.com>
Date:   Thu Feb 21 15:43:50 2019 +0800

    remove js for button update

commit 4fc1151
Author: ongspxm <ongspxm@gmail.com>
Date:   Thu Feb 21 15:37:02 2019 +0800

    deactivating the tab

commit a387e19
Author: ongspxm <ongspxm@gmail.com>
Date:   Thu Feb 21 14:51:58 2019 +0800

    wip

* move call emitting to component func

* handle opening of tabs in main app

* refactoring ramps to their own component (#572)

Currently, the entire ramp template resides in `v_summary`. In light of
the "zoomin" tab view, we would have to reuse ramp chart view to
display the commits in the "zoomin" tab.

Let's refactor to move the ramp into its own component, so as to
support reuse in the "zoomin" tab view.

* fix lint

* fix: show min max date on authorship view

* lint

* [#554] Rename 'dashboard' instances to 'report' (#579)

The term 'report' and 'dashboard' are used throughout RepoSense to
refer to the same thing, the result after running analysis.

However, users may not understand the subtle differences between
these two terms. Instead, using a single term would help in
standardization and comprehensibility.

Let's rename all usage of 'dashboard' instances to the term 'report'
instead, as standardized in #220.

* Checkstyle: update addresses of DTD files #586

We are using the DTD files from http://checkstyle.sourceforge.net/
and http://puppycrawl.com/ in our config file of checkstyle.

However, for security reasons, checkstyle decided to remove DTDs from
the above websites and asks users to use the DTD files from
https://checkstyle.org/ [1].

Let's update the addresses of DTD files correspondingly.

As a later version of the suppression DTD file has been released [2],
let's also update the DTD file to the latest version.

[1] Checkstyle removes DTDs from http://checkstyle.sourceforge.net:
checkstyle/checkstyle#6478

[2] Checkstyle Suppressions.xml example:
https://checkstyle.org/config_filters.html#SuppressionFilter_Examples

* [#540] Perform cloning in parallel with analyzing (#560)

Repos are processed sequentially, one at a time.

As cloning does not take much processing power and analysis does not
take any network bandwidth, the two can be done in parallel to reduce
the total processing time.

Here are some test results to support the above hypothesis:
The test was performed using CS2103 AY1819S1 project repos on my local
machine. The average time taken to generate the report was measured
across 10 runs. Current code took 17 min 21s while new implementation
took 11 min 55s.

Let's clone the next repo in the list while the current repo is being
analyzed.

* [#465] Url: bookmark opened code view (#524)

Our report's url changes along with the state of the dashboard as a
mechanism to allow users to easily revisit her last view as well as
easily be shared with other people.

However, this was only limited to the chart view configuration, nothing
of the code view were part of the state being saved.

To allow users to easily restore their last reviewed code view, let's
also encode any opened code view into the url.

* [#510] Remove unused Checkstyle analysis feature (#597)

The checkstyle analysis feature was added to the code base in the
early stage of RepoSense, when there was some hope of running static
analysis over the code written by authors of the repositories.

As this feature has not been used since the early stages (v1.0), and it
is also not in our immediate plans anymore, leaving it will
unnecessarily complicate the codebase.

Let's clean up the code base by removing this unused checkstyle
analysis feature.

* fix: codeview not opening

* update view opening

tsjensen pushed a commit to checkstyle-addons/sonar-checkstyle that referenced this issue Mar 21, 2019

RohanNagar referenced this issue Apr 1, 2019 in Cleanup Tasks #232 (open)

JLLeitschuh commented Apr 1, 2019

@romani @rnveach This DTD is still available and should be removed.

http://checkstyle.sourceforge.net/dtds/configuration_1_3.dtd

romani added a commit that referenced this issue Apr 2, 2019

romani (Member, Author) commented Apr 2, 2019

The dtds folder is removed from checkstyle.sourceforge.net; .ci/copy-site-to-sourceforge.sh was updated to remove such a folder automatically.

Vantuz added a commit to Vantuz/checkstyle that referenced this issue Apr 3, 2019

Vantuz added a commit to Vantuz/checkstyle that referenced this issue Apr 3, 2019

sijie123 added a commit to sijie123/CS2103-DeadlineManager that referenced this issue Apr 13, 2019


sijie123 added a commit to sijie123/CS2103-DeadlineManager that referenced this issue Apr 14, 2019


rnveach (Member) commented Apr 14, 2019

Here is the CVE that was assigned. CVE-2019-9658

This is more informational; I didn't know this. When you work with open source on GitHub and do a push to a repo you own, it will report these CVEs to you on the push. I use Eclipse for my pushes.


And they even have a URL to list all these vulnerabilities.

